From 2aeb356c75e3a25967de6a68c263bcf77185126d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 18 Dec 2025 09:25:40 +0100
Subject: Fix Null byte termination in dns_get_record()

  GHSA-www2-q4fc-65wf
Fix Heap buffer overflow in array_merge()
  CVE-2025-14178
Fix Information Leak of Memory in getimagesize
  CVE-2025-14177
---
 php-ghsa-www2-q4fc-65wf.patch | 256 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 256 insertions(+)
 create mode 100644 php-ghsa-www2-q4fc-65wf.patch

(limited to 'php-ghsa-www2-q4fc-65wf.patch')

diff --git a/php-ghsa-www2-q4fc-65wf.patch b/php-ghsa-www2-q4fc-65wf.patch
new file mode 100644
index 0000000..39b67f4
--- /dev/null
+++ b/php-ghsa-www2-q4fc-65wf.patch
@@ -0,0 +1,256 @@
+From 3e9d47f6cc04c9978bb384e2d487cf28d37889f0 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 6 Sep 2025 21:55:13 +0200
+Subject: [PATCH 4/5] Fix GHSA-www2-q4fc-65wf
+
+(cherry picked from commit ed70b1ea43a9b7ffa2f53b3e5d6ba403f37ae81c)
+(cherry picked from commit 52c5762a902e8731b7068ded027fbd780f5a1991)
+---
+ ext/standard/basic_functions.c                | 12 ++--
+ ext/standard/dns.c                            |  6 +-
+ ext/standard/dns_win32.c                      |  6 +-
+ .../tests/network/ghsa-www2-q4fc-65wf.phpt    | 71 +++++++++++++++++++
+ ext/standard/tests/network/ip_x86_64.phpt     |  2 +-
+ 5 files changed, 84 insertions(+), 13 deletions(-)
+ create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 64f27ef5af7..45746335689 100644
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -3960,7 +3960,7 @@ PHP_NAMED_FUNCTION(php_inet_pton)
+ 	char buffer[17];
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 1)
+-		Z_PARAM_STRING(address, address_len)
++		Z_PARAM_PATH(address, address_len)
+ 	ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
+ 
+ 	memset(buffer, 0, sizeof(buffer));
+@@ -3998,7 +3998,7 @@ PHP_FUNCTION(ip2long)
+ #endif
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 1)
+-		Z_PARAM_STRING(addr, addr_len)
++		Z_PARAM_PATH(addr, addr_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ #ifdef HAVE_INET_PTON
+@@ -5714,8 +5714,8 @@ PHP_FUNCTION(getservbyname)
+ 	struct servent *serv;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(2, 2)
+-		Z_PARAM_STRING(name, name_len)
+-		Z_PARAM_STRING(proto, proto_len)
++		Z_PARAM_PATH(name, name_len)
++		Z_PARAM_PATH(proto, proto_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 
+@@ -5759,7 +5759,7 @@ PHP_FUNCTION(getservbyport)
+ 
+ 	ZEND_PARSE_PARAMETERS_START(2, 2)
+ 		Z_PARAM_LONG(port)
+-		Z_PARAM_STRING(proto, proto_len)
++		Z_PARAM_PATH(proto, proto_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 	serv = getservbyport(htons((unsigned short) port), proto);
+@@ -5783,7 +5783,7 @@ PHP_FUNCTION(getprotobyname)
+ 	struct protoent *ent;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 1)
+-		Z_PARAM_STRING(name, name_len)
++		Z_PARAM_PATH(name, name_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+ 
+ 	ent = getprotobyname(name);
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index dc85c45e1d7..698ad4f661d 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -377,7 +377,7 @@ PHP_FUNCTION(dns_check_record)
+ #endif
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 2)
+-		Z_PARAM_STRING(hostname, hostname_len)
++		Z_PARAM_PATH(hostname, hostname_len)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_STRING(rectype, rectype_len)
+ 	ZEND_PARSE_PARAMETERS_END();
+@@ -825,7 +825,7 @@ PHP_FUNCTION(dns_get_record)
+ 	zend_bool raw = 0;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 5)
+-		Z_PARAM_STRING(hostname, hostname_len)
++		Z_PARAM_PATH(hostname, hostname_len)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_LONG(type_param)
+ 		Z_PARAM_ZVAL(authns)
+@@ -1065,7 +1065,7 @@ PHP_FUNCTION(dns_get_mx)
+ #endif
+ 
+ 	ZEND_PARSE_PARAMETERS_START(2, 3)
+-		Z_PARAM_STRING(hostname, hostname_len)
++		Z_PARAM_PATH(hostname, hostname_len)
+ 		Z_PARAM_ZVAL(mx_list)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_ZVAL(weight_list)
+diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c
+index 466d927ea3e..f5b6e03a128 100644
+--- a/ext/standard/dns_win32.c
++++ b/ext/standard/dns_win32.c
+@@ -50,7 +50,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */
+ 	DNS_STATUS      status;                 /* Return value of DnsQuery_A() function */
+ 	PDNS_RECORD     pResult, pRec;          /* Pointer to DNS_RECORD structure */
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -104,7 +104,7 @@ PHP_FUNCTION(dns_check_record)
+ 	DNS_STATUS      status;                 /* Return value of DnsQuery_A() function */
+ 	PDNS_RECORD     pResult;          /* Pointer to DNS_RECORD structure */
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -357,7 +357,7 @@ PHP_FUNCTION(dns_get_record)
+ 	int type, type_to_fetch, first_query = 1, store_results = 1;
+ 	zend_bool raw = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b",
++	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b",
+ 			&hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) {
+ 		return;
+ 	}
+diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+new file mode 100644
+index 00000000000..b14c8ca719b
+--- /dev/null
++++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+@@ -0,0 +1,71 @@
++--TEST--
++GHSA-www2-q4fc-65wf
++--DESCRIPTION--
++This is a ZPP test but *keep* this as it is security-sensitive!
++--FILE--
++<?php
++try {
++    dns_check_record("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    dns_get_mx("\0", $out);
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    dns_get_record("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getprotobyname("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getservbyname("\0", "tcp");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getservbyname("x", "tcp\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    getservbyport(0, "tcp\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    inet_pton("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++try {
++    ip2long("\0");
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++?>
++--EXPECTF--
++Warning: dns_check_record() expects parameter 1 to be a valid path, string given in %s
++
++Warning: dns_get_mx() expects parameter 1 to be a valid path, string given in %s
++
++Warning: dns_get_record() expects parameter 1 to be a valid path, string given in %s
++
++Warning: getprotobyname() expects parameter 1 to be a valid path, string given in %s
++
++Warning: getservbyname() expects parameter 1 to be a valid path, string given in %s
++
++Warning: getservbyname() expects parameter 2 to be a valid path, string given in %s
++
++Warning: getservbyport() expects parameter 2 to be a valid path, string given in %s
++
++Warning: inet_pton() expects parameter 1 to be a valid path, string given in %s
++
++Warning: ip2long() expects parameter 1 to be a valid path, string given in %s
++
+diff --git a/ext/standard/tests/network/ip_x86_64.phpt b/ext/standard/tests/network/ip_x86_64.phpt
+index 3c530b83713..2158e289bae 100644
+--- a/ext/standard/tests/network/ip_x86_64.phpt
++++ b/ext/standard/tests/network/ip_x86_64.phpt
+@@ -54,7 +54,7 @@ bool(false)
+ bool(false)
+ int(1869573999)
+ 
+-Warning: ip2long() expects parameter 1 to be string, array given in %sip_x86_64.php on line %d
++Warning: ip2long() expects parameter 1 to be a valid path, array given in %sip_x86_64.php on line %d
+ NULL
+ 
+ Warning: long2ip() expects exactly 1 parameter, 0 given in %sip_x86_64.php on line %d
+-- 
+2.52.0
+
+From f2cb8ad2342a7b58b8e467ed60233bb9be30f42e Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 18 Dec 2025 07:17:43 +0100
+Subject: [PATCH 5/5] NEWS from 8.1.34
+
+(cherry picked from commit 52b3bdaa74078e4ea8abd9696cdbdc35a8091446)
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index a9dd716c003..f212d40b2e9 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.1.34
++
++- Standard:
++  . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
++    (ndossche)
++  . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()).
++    (CVE-2025-14178) (ndossche)
++  . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize).
++    (CVE-2025-14177) (ndossche)
++
+ Backported from 8.1.33
+ 
+ - PGSQL:
+-- 
+2.52.0
+
-- 
cgit