From 544e29f1e739eb8ab335c130788d46161141d338 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 7 May 2026 10:15:48 +0200 Subject: Fix XSS within status endpoint CVE-2026-6735 Fix Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() CVE-2026-7259 Fix SQL injection via NUL bytes in quoted strings CVE-2025-14179 Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map CVE-2026-6722 Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261 Fix Broken Apache map value NULL check CVE-2026-7262 Fix Signed integer overflow of char array offset CVE-2026-7568 Fix Consistently pass unsigned char to ctype.h functions CVE-2026-7258 --- php-cve-2026-7261.patch | 111 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 php-cve-2026-7261.patch (limited to 'php-cve-2026-7261.patch') diff --git a/php-cve-2026-7261.patch b/php-cve-2026-7261.patch new file mode 100644 index 0000000..aa5c835 --- /dev/null +++ b/php-cve-2026-7261.patch @@ -0,0 +1,111 @@ +From 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714 Mon Sep 17 00:00:00 2001 +From: Ilija Tovilo +Date: Sun, 3 May 2026 19:57:16 +0200 +Subject: [PATCH 02/10] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after + header parsing failure with SOAP_PERSISTENCE_SESSION + +Fixes GHSA-m33r-qmcv-p97q +Fixes CVE-2026-7261 + +(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b) +--- + ext/soap/soap.c | 12 ++++- + ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 58 +++++++++++++++++++++++++ + 2 files changed, 68 insertions(+), 2 deletions(-) + create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt + +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index 3bc713ca76b..bb8b664af58 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -1477,13 +1477,21 @@ PHP_METHOD(SoapServer, handle) + php_output_discard(); + soap_server_fault_ex(function, &h->retval, h); + zend_string_release(fn_name); +- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} ++ if (service->type == SOAP_CLASS && soap_obj) { ++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { ++ zval_ptr_dtor(soap_obj); ++ } ++ } + goto fail; + } else if (EG(exception)) { + php_output_discard(); + _soap_server_exception(service, function, ZEND_THIS); + zend_string_release(fn_name); +- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} ++ if (service->type == SOAP_CLASS && soap_obj) { ++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { ++ zval_ptr_dtor(soap_obj); ++ } ++ } + goto fail; + } + } else if (h->mustUnderstand) { +diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt +new file mode 100644 +index 00000000000..bcf441ccd18 +--- /dev/null ++++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt +@@ -0,0 +1,58 @@ ++--TEST-- ++GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION ++--CREDITS-- ++Ilia Alshanetsky (iliaal) ++--EXTENSIONS-- ++soap ++session ++--FILE-- ++ 'urn:a']); ++$srv->setClass(Handler::class); ++$srv->setPersistence(SOAP_PERSISTENCE_SESSION); ++ ++$srv->handle(<< ++ ++ ++ ++ ++ ++ ++ ++ ++XML); ++ ++$srv->handle(<< ++ ++ ++ ++ ++ ++ ++ ++ ++XML); ++ ++?> ++--EXPECT-- ++ ++SOAP-ENV:Serverdenied ++ ++SOAP-ENV:Serverdenied +-- +2.54.0 + -- cgit