summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2024-09-26 13:40:35 +0200
committerRemi Collet <remi@php.net>2024-09-26 13:40:35 +0200
commitaa64914647126cbc436872eccf8aed6eda8c182e (patch)
treed8a684ef8abd65c945eda25cb5ef44ab38aa7d72
parent62b12f3195f27b5bcffcbf64a58e2aed778dd56f (diff)
Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI
CVE-2024-4577 Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability CVE-2024-8926 Fix cgi.force_redirect configuration is bypassable due to the environment variable collision CVE-2024-8927 Fix Logs from childrens may be altered CVE-2024-9026 Fix Erroneous parsing of multipart form data CVE-2024-8925 use ICU 74.2
-rw-r--r--failed.txt8
-rw-r--r--php-cve-2024-8925.patch188
-rw-r--r--php-cve-2024-8926.patch209
-rw-r--r--php-cve-2024-8927.patch56
-rw-r--r--php-cve-2024-9026.patch177
-rw-r--r--php80.spec31
6 files changed, 660 insertions, 9 deletions
diff --git a/failed.txt b/failed.txt
index 7eff884..6e6234c 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 8.0.30-8 (2024-08-26)
+===== 8.0.30-9 (2024-09-26)
$ grep -ar 'Tests failed' /var/lib/mock/*/build.log
@@ -14,14 +14,14 @@ $ grep -ar 'Tests failed' /var/lib/mock/*/build.log
/var/lib/mock/fc41x80/build.log:Tests failed : 3
-el8
+el8:
3 openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
3 openssl_open() tests [ext/openssl/tests/openssl_open_basic.phpt]
+all:
3 openssl_private_decrypt() tests [ext/openssl/tests/openssl_private_decrypt_basic.phpt]
fc39, fc40, fc41, el9:
3 openssl_error_string() tests (OpenSSL >= 3.0) [ext/openssl/tests/openssl_error_string_basic_openssl3.phpt]
- 3 openssl_private_decrypt() tests [ext/openssl/tests/openssl_private_decrypt_basic.phpt]
-fc40:
+fc40, fc41:
3 openssl_x509_parse() tests [ext/openssl/tests/openssl_x509_parse_basic.phpt]
diff --git a/php-cve-2024-8925.patch b/php-cve-2024-8925.patch
new file mode 100644
index 0000000..7853deb
--- /dev/null
+++ b/php-cve-2024-8925.patch
@@ -0,0 +1,188 @@
+From 2b0daf421c162376892832588eccdfa9a286ed09 Mon Sep 17 00:00:00 2001
+From: Arnaud Le Blanc <arnaud.lb@gmail.com>
+Date: Mon, 9 Sep 2024 15:22:07 +0200
+Subject: [PATCH 3/8] Fix GHSA-9pqp-7h25-4f32
+
+multipart/form-data boundaries larger than the read buffer result in erroneous
+parsing, which violates data integrity.
+
+Limit boundary size, as allowed by RFC 1521:
+
+ Encapsulation boundaries [...] must be no longer than 70 characters, not
+ counting the two leading hyphens.
+
+We correctly parse payloads with boundaries of length up to
+FILLUNIT-strlen("\r\n--") bytes, so allow this for BC.
+
+(cherry picked from commit 19b49258d0c5a61398d395d8afde1123e8d161e0)
+---
+ main/rfc1867.c | 7 ++
+ tests/basic/GHSA-9pqp-7h25-4f32.inc | 3 +
+ tests/basic/GHSA-9pqp-7h25-4f32.phpt | 100 +++++++++++++++++++++++++++
+ 3 files changed, 110 insertions(+)
+ create mode 100644 tests/basic/GHSA-9pqp-7h25-4f32.inc
+ create mode 100644 tests/basic/GHSA-9pqp-7h25-4f32.phpt
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 3086e8da3db..eafe6a67d2e 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -752,6 +752,13 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ boundary_len = boundary_end-boundary;
+ }
+
++ /* Boundaries larger than FILLUNIT-strlen("\r\n--") characters lead to
++ * erroneous parsing */
++ if (boundary_len > FILLUNIT-strlen("\r\n--")) {
++ sapi_module.sapi_error(E_WARNING, "Boundary too large in multipart/form-data POST data");
++ return;
++ }
++
+ /* Initialize the buffer */
+ if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
+ sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
+diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.inc b/tests/basic/GHSA-9pqp-7h25-4f32.inc
+new file mode 100644
+index 00000000000..adf72a361a2
+--- /dev/null
++++ b/tests/basic/GHSA-9pqp-7h25-4f32.inc
+@@ -0,0 +1,3 @@
++<?php
++print "Hello world\n";
++var_dump($_POST);
+diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.phpt b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+new file mode 100644
+index 00000000000..af819163705
+--- /dev/null
++++ b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+@@ -0,0 +1,100 @@
++--TEST--
++GHSA-9pqp-7h25-4f32
++--SKIPIF--
++<?php
++if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
++ die("skip php-cgi not available");
++}
++?>
++--FILE--
++<?php
++
++const FILLUNIT = 5 * 1024;
++
++function test($boundaryLen) {
++ printf("Boundary len: %d\n", $boundaryLen);
++
++ $cmd = [
++ getenv('TEST_PHP_CGI_EXECUTABLE'),
++ '-C',
++ '-n',
++ __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
++ ];
++
++ $boundary = str_repeat('A', $boundaryLen);
++ $body = ""
++ . "--$boundary\r\n"
++ . "Content-Disposition: form-data; name=\"koko\"\r\n"
++ . "\r\n"
++ . "BBB\r\n--" . substr($boundary, 0, -1) . "CCC\r\n"
++ . "--$boundary--\r\n"
++ ;
++
++ $env = array_merge($_ENV, [
++ 'REDIRECT_STATUS' => '1',
++ 'CONTENT_TYPE' => "multipart/form-data; boundary=$boundary",
++ 'CONTENT_LENGTH' => strlen($body),
++ 'REQUEST_METHOD' => 'POST',
++ 'SCRIPT_FILENAME' => __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
++ ]);
++
++ $spec = [
++ 0 => ['pipe', 'r'],
++ 1 => STDOUT,
++ 2 => STDOUT,
++ ];
++
++ $pipes = [];
++
++ print "Starting...\n";
++
++ $handle = proc_open($cmd, $spec, $pipes, getcwd(), $env);
++
++ fwrite($pipes[0], $body);
++
++ $status = proc_close($handle);
++
++ print "\n";
++}
++
++for ($offset = -1; $offset <= 1; $offset++) {
++ test(FILLUNIT - strlen("\r\n--") + $offset);
++}
++
++?>
++--EXPECTF--
++Boundary len: 5115
++Starting...
++X-Powered-By: %s
++Content-type: text/html; charset=UTF-8
++
++Hello world
++array(1) {
++ ["koko"]=>
++ string(5124) "BBB
++--AAA%sCCC"
++}
++
++Boundary len: 5116
++Starting...
++X-Powered-By: %s
++Content-type: text/html; charset=UTF-8
++
++Hello world
++array(1) {
++ ["koko"]=>
++ string(5125) "BBB
++--AAA%sCCC"
++}
++
++Boundary len: 5117
++Starting...
++X-Powered-By: %s
++Content-type: text/html; charset=UTF-8
++
++<br />
++<b>Warning</b>: Boundary too large in multipart/form-data POST data in <b>Unknown</b> on line <b>0</b><br />
++Hello world
++array(0) {
++}
++
+--
+2.46.1
+
+From c75683864f6e4188439e8ca2adbb05824918be12 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Mon, 23 Sep 2024 18:54:31 +0100
+Subject: [PATCH 7/8] Skip GHSA-9pqp-7h25-4f32 test on Windows
+
+(cherry picked from commit c70e25630832fa10d421328eed2b8e1a36af7a64)
+---
+ tests/basic/GHSA-9pqp-7h25-4f32.phpt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.phpt b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+index af819163705..29bcb6557d5 100644
+--- a/tests/basic/GHSA-9pqp-7h25-4f32.phpt
++++ b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+@@ -5,6 +5,9 @@ GHSA-9pqp-7h25-4f32
+ if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
+ die("skip php-cgi not available");
+ }
++if (substr(PHP_OS, 0, 3) == 'WIN') {
++ die("skip not for Windows in CI - probably resource issue");
++}
+ ?>
+ --FILE--
+ <?php
+--
+2.46.1
+
diff --git a/php-cve-2024-8926.patch b/php-cve-2024-8926.patch
new file mode 100644
index 0000000..a7bf110
--- /dev/null
+++ b/php-cve-2024-8926.patch
@@ -0,0 +1,209 @@
+From 9f95e17cc0a9a79da82157e34e3effe1bc395037 Mon Sep 17 00:00:00 2001
+From: Jan Ehrhardt <github@ehrhardt.nl>
+Date: Wed, 5 Jun 2024 20:44:46 +0200
+Subject: [PATCH 1/8] Fix GHSA-3qgc-jrrr-25jv
+
+---
+ sapi/cgi/cgi_main.c | 23 ++++++++++++++-
+ sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt | 38 +++++++++++++++++++++++++
+ 2 files changed, 60 insertions(+), 1 deletion(-)
+ create mode 100644 sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index 0d52941c5a1..0d3b54ed8b8 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1798,8 +1798,13 @@ int main(int argc, char *argv[])
+ }
+ }
+
++ /* Apache CGI will pass the query string to the command line if it doesn't contain a '='.
++ * This can create an issue where a malicious request can pass command line arguments to
++ * the executable. Ideally we skip argument parsing when we're in cgi or fastcgi mode,
++ * but that breaks PHP scripts on Linux with a hashbang: `#!/php-cgi -d option=value`.
++ * Therefore, this code only prevents passing arguments if the query string starts with a '-'.
++ * Similarly, scripts spawned in subprocesses on Windows may have the same issue. */
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+- /* we've got query string that has no = - apache CGI will pass it to command line */
+ unsigned char *p;
+ decoded_query_string = strdup(query_string);
+ php_url_decode(decoded_query_string, strlen(decoded_query_string));
+@@ -1809,6 +1814,22 @@ int main(int argc, char *argv[])
+ if(*p == '-') {
+ skip_getopt = 1;
+ }
++
++ /* On Windows we have to take into account the "best fit" mapping behaviour. */
++#ifdef PHP_WIN32
++ if (*p >= 0x80) {
++ wchar_t wide_buf[1];
++ wide_buf[0] = *p;
++ char char_buf[4];
++ size_t wide_buf_len = sizeof(wide_buf) / sizeof(wide_buf[0]);
++ size_t char_buf_len = sizeof(char_buf) / sizeof(char_buf[0]);
++ if (WideCharToMultiByte(CP_ACP, 0, wide_buf, wide_buf_len, char_buf, char_buf_len, NULL, NULL) == 0
++ || char_buf[0] == '-') {
++ skip_getopt = 1;
++ }
++ }
++#endif
++
+ free(decoded_query_string);
+ }
+
+diff --git a/sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt b/sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt
+new file mode 100644
+index 00000000000..fd2fcdfbf89
+--- /dev/null
++++ b/sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt
+@@ -0,0 +1,38 @@
++--TEST--
++GHSA-3qgc-jrrr-25jv
++--SKIPIF--
++<?php
++include 'skipif.inc';
++if (PHP_OS_FAMILY !== "Windows") die("skip Only for Windows");
++
++$codepage = trim(shell_exec("powershell Get-ItemPropertyValue HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage ACP"));
++if ($codepage !== '932' && $codepage !== '936' && $codepage !== '950') die("skip Wrong codepage");
++?>
++--FILE--
++<?php
++include 'include.inc';
++
++$filename = __DIR__."/GHSA-3qgc-jrrr-25jv_tmp.php";
++$script = '<?php echo "hello "; echo "world"; ?>';
++file_put_contents($filename, $script);
++
++$php = get_cgi_path();
++reset_env_vars();
++
++putenv("SERVER_NAME=Test");
++putenv("SCRIPT_FILENAME=$filename");
++putenv("QUERY_STRING=%ads");
++putenv("REDIRECT_STATUS=1");
++
++passthru("$php -s");
++
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__."/GHSA-3qgc-jrrr-25jv_tmp.php");
++?>
++--EXPECTF--
++X-Powered-By: PHP/%s
++Content-type: %s
++
++hello world
+--
+2.46.1
+
+From dc40d2d7960dd35f0178ff52c1f8590b7b1a08b2 Mon Sep 17 00:00:00 2001
+From: Jan Ehrhardt <github@ehrhardt.nl>
+Date: Sun, 9 Jun 2024 20:10:36 +0200
+Subject: [PATCH 2/8] NEWS: Add backports from 8.1.29
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 7a9b6bdae18..79133f558af 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,10 +3,18 @@ PHP NEWS
+
+ Backported from 8.1.29
+
++- CGI:
++ . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
++ in PHP-CGI). (CVE-2024-4577) (nielsdos)
++
+ - Filter:
+ . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
+ (CVE-2024-5458) (nielsdos)
+
++- Standard:
++ . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
++ (CVE-2024-5585) (nielsdos)
++
+ Backported from 8.1.28
+
+ - Standard:
+--
+2.46.1
+
+From 2d2552e092b6ff32cd823692d512f126ee629842 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Fri, 14 Jun 2024 19:49:22 +0200
+Subject: [PATCH 4/8] Fix GHSA-p99j-rfp4-xqvq
+
+It's no use trying to work around whatever the operating system and Apache
+do because we'll be fighting that until eternity.
+Change the skip_getopt condition such that when we're running in
+CGI or FastCGI mode we always skip the argument parsing.
+This is a BC break, but this seems to be the only way to get rid of this
+class of issues.
+
+(cherry picked from commit abcfd980bfa03298792fd3aba051c78d52f10642)
+---
+ sapi/cgi/cgi_main.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index 0d3b54ed8b8..6e148874e4f 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1748,7 +1748,6 @@ int main(int argc, char *argv[])
+ int status = 0;
+ #endif
+ char *query_string;
+- char *decoded_query_string;
+ int skip_getopt = 0;
+
+ #if defined(SIGPIPE) && defined(SIG_IGN)
+@@ -1803,10 +1802,15 @@ int main(int argc, char *argv[])
+ * the executable. Ideally we skip argument parsing when we're in cgi or fastcgi mode,
+ * but that breaks PHP scripts on Linux with a hashbang: `#!/php-cgi -d option=value`.
+ * Therefore, this code only prevents passing arguments if the query string starts with a '-'.
+- * Similarly, scripts spawned in subprocesses on Windows may have the same issue. */
++ * Similarly, scripts spawned in subprocesses on Windows may have the same issue.
++ * However, Windows has lots of conversion rules and command line parsing rules that
++ * are too difficult and dangerous to reliably emulate. */
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
++#ifdef PHP_WIN32
++ skip_getopt = cgi || fastcgi;
++#else
+ unsigned char *p;
+- decoded_query_string = strdup(query_string);
++ char *decoded_query_string = strdup(query_string);
+ php_url_decode(decoded_query_string, strlen(decoded_query_string));
+ for (p = (unsigned char *)decoded_query_string; *p && *p <= ' '; p++) {
+ /* skip all leading spaces */
+@@ -1815,22 +1819,8 @@ int main(int argc, char *argv[])
+ skip_getopt = 1;
+ }
+
+- /* On Windows we have to take into account the "best fit" mapping behaviour. */
+-#ifdef PHP_WIN32
+- if (*p >= 0x80) {
+- wchar_t wide_buf[1];
+- wide_buf[0] = *p;
+- char char_buf[4];
+- size_t wide_buf_len = sizeof(wide_buf) / sizeof(wide_buf[0]);
+- size_t char_buf_len = sizeof(char_buf) / sizeof(char_buf[0]);
+- if (WideCharToMultiByte(CP_ACP, 0, wide_buf, wide_buf_len, char_buf, char_buf_len, NULL, NULL) == 0
+- || char_buf[0] == '-') {
+- skip_getopt = 1;
+- }
+- }
+-#endif
+-
+ free(decoded_query_string);
++#endif
+ }
+
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
+--
+2.46.1
+
diff --git a/php-cve-2024-8927.patch b/php-cve-2024-8927.patch
new file mode 100644
index 0000000..b53e1ed
--- /dev/null
+++ b/php-cve-2024-8927.patch
@@ -0,0 +1,56 @@
+From 8aa748ee0657cdee8d883ba50d04b68bc450f686 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Tue, 18 Jun 2024 21:28:26 +0200
+Subject: [PATCH 5/8] Fix GHSA-94p6-54jq-9mwp
+
+Apache only generates REDIRECT_STATUS, so explicitly check for that
+if the server name is Apache, don't allow other variable names.
+Furthermore, redirect.so and Netscape no longer exist, so
+remove those entries as we can't check their server name anymore.
+
+We now also check for the configuration override *first* such that it
+always take precedence. This would allow for a mitigation path if
+something like this happens in the future.
+
+(cherry picked from commit 48808d98f4fc2a05193cdcc1aedd6c66816450f1)
+---
+ sapi/cgi/cgi_main.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index 6e148874e4f..5879d0e0f93 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1910,18 +1910,17 @@ int main(int argc, char *argv[])
+
+ /* check force_cgi after startup, so we have proper output */
+ if (cgi && CGIG(force_redirect)) {
+- /* Apache will generate REDIRECT_STATUS,
+- * Netscape and redirect.so will generate HTTP_REDIRECT_STATUS.
+- * redirect.so and installation instructions available from
+- * http://www.koehntopp.de/php.
+- * -- kk@netuse.de
+- */
+- if (!getenv("REDIRECT_STATUS") &&
+- !getenv ("HTTP_REDIRECT_STATUS") &&
+- /* this is to allow a different env var to be configured
+- * in case some server does something different than above */
+- (!CGIG(redirect_status_env) || !getenv(CGIG(redirect_status_env)))
+- ) {
++ /* This is to allow a different environment variable to be configured
++ * in case the we cannot auto-detect which environment variable to use.
++ * Checking this first to allow user overrides in case the environment
++ * variable can be set by an untrusted party. */
++ const char *redirect_status_env = CGIG(redirect_status_env);
++ if (!redirect_status_env) {
++ /* Apache will generate REDIRECT_STATUS. */
++ redirect_status_env = "REDIRECT_STATUS";
++ }
++
++ if (!getenv(redirect_status_env)) {
+ zend_try {
+ SG(sapi_headers).http_response_code = 400;
+ PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
+--
+2.46.1
+
diff --git a/php-cve-2024-9026.patch b/php-cve-2024-9026.patch
new file mode 100644
index 0000000..1372cc0
--- /dev/null
+++ b/php-cve-2024-9026.patch
@@ -0,0 +1,177 @@
+From 22f4d3504d7613ce78bb96aa53cbfe7d672fa036 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 12 Sep 2024 13:11:11 +0100
+Subject: [PATCH 6/8] Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be
+ altered
+
+(cherry picked from commit 1f8e16172c7961045c2b0f34ba7613e3f21cdee8)
+---
+ sapi/fpm/fpm/fpm_stdio.c | 2 +-
+ .../log-bwp-msg-flush-split-sep-pos-end.phpt | 47 +++++++++++++++++++
+ ...log-bwp-msg-flush-split-sep-pos-start.phpt | 47 +++++++++++++++++++
+ 3 files changed, 95 insertions(+), 1 deletion(-)
+ create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+ create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+
+diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
+index d75f9158cda..7983d6217b2 100644
+--- a/sapi/fpm/fpm/fpm_stdio.c
++++ b/sapi/fpm/fpm/fpm_stdio.c
+@@ -228,7 +228,7 @@ stdio_read:
+ if ((sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos) <= in_buf &&
+ !memcmp(buf, &FPM_STDIO_CMD_FLUSH[cmd_pos], sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos)) {
+ zlog_stream_finish(log_stream);
+- start = cmd_pos;
++ start = sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos;
+ } else {
+ zlog_stream_str(log_stream, &FPM_STDIO_CMD_FLUSH[0], cmd_pos);
+ }
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+new file mode 100644
+index 00000000000..52826320080
+--- /dev/null
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+@@ -0,0 +1,47 @@
++--TEST--
++FPM: Buffered worker output plain log with msg with flush split position towards separator end
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++catch_workers_output = yes
++decorate_workers_output = no
++EOT;
++
++$code = <<<EOT
++<?php
++file_put_contents('php://stderr', str_repeat('a', 1013) . "Quarkslab\0fscf\0Quarkslab");
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$tester->request()->expectEmptyBody();
++$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", decorated: false);
++$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+new file mode 100644
+index 00000000000..34905938553
+--- /dev/null
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+@@ -0,0 +1,47 @@
++--TEST--
++FPM: Buffered worker output plain log with msg with flush split position towards separator start
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++catch_workers_output = yes
++decorate_workers_output = no
++EOT;
++
++$code = <<<EOT
++<?php
++file_put_contents('php://stderr', str_repeat('a', 1009) . "Quarkslab\0fscf\0Quarkslab");
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$tester->request()->expectEmptyBody();
++$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", decorated: false);
++$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+--
+2.46.1
+
+From af3fb385e7b328ab89db26ec712d89c7096f0743 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 26 Sep 2024 11:50:54 +0200
+Subject: [PATCH 8/8] NEWS for 8.1.30 backports
+
+---
+ NEWS | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 79133f558af..bad0a719aae 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,23 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.1.30
++
++- CGI:
++ . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
++ Vulnerability). (CVE-2024-8926) (nielsdos)
++ . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
++ bypassable due to the environment variable collision). (CVE-2024-8927)
++ (nielsdos)
++
++- FPM:
++ . Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered).
++ (CVE-2024-9026) (Jakub Zelenka)
++
++- SAPI:
++ . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
++ (CVE-2024-8925) (Arnaud)
++
+ Backported from 8.1.29
+
+ - CGI:
+--
+2.46.1
+
diff --git a/php80.spec b/php80.spec
index 119c71c..cb3b4f9 100644
--- a/php80.spec
+++ b/php80.spec
@@ -120,7 +120,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 8%{?dist}
+Release: 9%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -200,6 +200,10 @@ Patch91: php-7.2.0-oci8conf.patch
Patch200: php-cve-2024-2756.patch
Patch201: php-cve-2024-3096.patch
Patch202: php-cve-2024-5458.patch
+Patch203: php-cve-2024-8925.patch
+Patch204: php-cve-2024-8926.patch
+Patch205: php-cve-2024-8927.patch
+Patch206: php-cve-2024-9026.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1049,9 +1053,9 @@ Summary: Internationalization extension for PHP applications
# All files licensed under PHP version 3.01
License: PHP
Requires: php-common%{?_isa} = %{version}-%{release}
-BuildRequires: pkgconfig(icu-i18n) >= 73
-BuildRequires: pkgconfig(icu-io) >= 73
-BuildRequires: pkgconfig(icu-uc) >= 73
+BuildRequires: pkgconfig(icu-i18n) >= 74
+BuildRequires: pkgconfig(icu-io) >= 74
+BuildRequires: pkgconfig(icu-uc) >= 74
%if 0%{?rhel} == 7
Obsoletes: php53-intl, php53u-intl, php54-intl, php54w-intl, php55u-intl, php55w-intl, php56u-intl, php56w-intl
Obsoletes: php70u-intl, php70w-intl, php71u-intl, php71w-intl, php72u-intl, php72w-intl
@@ -1225,6 +1229,10 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
%patch -P200 -p1 -b .cve2756
%patch -P201 -p1 -b .cve3096
%patch -P202 -p1 -b .cve5458
+%patch -P203 -p1 -b .cve8925
+%patch -P204 -p1 -b .cve8926
+%patch -P205 -p1 -b .cve8927
+%patch -P206 -p1 -b .cve9026
# Fixes for tests related to tzdata
%patch -P300 -p1 -b .datetests
@@ -2230,7 +2238,20 @@ EOF
%changelog
-* Wed Jul 31 2024 Remi Collet <remi@remirepo.net> - 8.0.30-8
+* Thu Sep 26 2024 Remi Collet <remi@remirepo.net> - 8.0.30-9
+- Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI
+ CVE-2024-4577
+- Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability
+ CVE-2024-8926
+- Fix cgi.force_redirect configuration is bypassable due to the environment variable collision
+ CVE-2024-8927
+- Fix Logs from childrens may be altered
+ CVE-2024-9026
+- Fix Erroneous parsing of multipart form data
+ CVE-2024-8925
+- use ICU 74.2
+
+* Mon Aug 26 2024 Remi Collet <remi@remirepo.net> - 8.0.30-8
- add backport for https://bugs.php.net/79589
error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading