From 544e29f1e739eb8ab335c130788d46161141d338 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 7 May 2026 10:15:48 +0200
Subject: Fix XSS within status endpoint

  CVE-2026-6735
Fix Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
  CVE-2026-7259
Fix SQL injection via NUL bytes in quoted strings
  CVE-2025-14179
Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
  CVE-2026-6722
Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  CVE-2026-7261
Fix Broken Apache map value NULL check
  CVE-2026-7262
Fix Signed integer overflow of char array offset
  CVE-2026-7568
Fix Consistently pass unsigned char to ctype.h functions
  CVE-2026-7258
---
 php-cve-2026-7259.patch | 66 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 php-cve-2026-7259.patch

(limited to 'php-cve-2026-7259.patch')

diff --git a/php-cve-2026-7259.patch b/php-cve-2026-7259.patch
new file mode 100644
index 0000000..13393af
--- /dev/null
+++ b/php-cve-2026-7259.patch
@@ -0,0 +1,66 @@
+From 785bcb5dd5980a4f3173ab0b80c70a5602bc9339 Mon Sep 17 00:00:00 2001
+From: vi3tL0u1s <luuviethoang.attt@gmail.com>
+Date: Sun, 3 May 2026 20:02:21 +0200
+Subject: [PATCH 05/10] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer
+ dereference in php_mb_check_encoding() via mb_ereg_search_init()
+
+Fixes GHSA-wm6j-2649-pv75
+Fixes CVE-2026-7259
+
+(cherry picked from commit 79a054eae016c56409432e69aebc8ca908a88838)
+---
+ Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
+ ext/mbstring/php_mbregex.c          |  7 ++++++-
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+ create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt
+
+diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
+new file mode 100644
+index 00000000000..7257af27cb8
+--- /dev/null
++++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
++--CREDITS--
++vi3tL0u1s
++--EXTENSIONS--
++mbstring
++--SKIPIF--
++<?php
++if (!function_exists('mb_regex_encoding')) die('skip No mbregex support');
++?>
++--FILE--
++<?php
++// iso-8859-11 is supported by Oniguruma but not by mbfl
++mb_regex_encoding('iso-8859-11');
++mb_ereg_search_init('x');
++?>
++--EXPECTF--
++Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
++Stack trace:
++#0 %s(%d): mb_regex_encoding('iso-8859-11')
++#1 {main}
++  thrown in %s on line %d
+diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
+index 06f65f5c567..0734011f9fb 100644
+--- a/ext/mbstring/php_mbregex.c
++++ b/ext/mbstring/php_mbregex.c
+@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
+ 	if (mbctype == ONIG_ENCODING_UNDEF) {
+ 		return FAILURE;
+ 	}
++	const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
++	if (mbfl_enc == NULL) {
++		/* Encoding supported by Oniguruma but not by mbfl */
++		return FAILURE;
++	}
+ 	MBREX(current_mbctype) = mbctype;
+-	MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
++	MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
+ 	return SUCCESS;
+ }
+ /* }}} */
+-- 
+2.54.0
+
-- 
cgit