From aa7fdad894779a9af589ccdab7cdf657100ef4b7 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 10 Dec 2018 17:28:25 +0100
Subject: Fix #77231 Segfault when using convert.quoted-printable-encode filter Fix #77020 null pointer dereference in imap_mail CVE-2018-19935 Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
---
 bug77020.patch | 51 ++++++++++++++++++++++++
 bug77153.patch | 124 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 bug77231.patch | 46 +++++++++++++++++++++
 php.spec | 19 ++++++++-
 4 files changed, 238 insertions(+), 2 deletions(-)
 create mode 100644 bug77020.patch
 create mode 100644 bug77153.patch
 create mode 100644 bug77231.patch
diff --git a/bug77020.patch b/bug77020.patch
new file mode 100644
index 0000000..c4a080c
--- /dev/null
+++ b/bug77020.patch
@@ -0,0 +1,51 @@
+Backported for 5.4/5.5, from 5.6, by Remi
+
+
+From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 11 Nov 2018 10:04:01 -0800
+Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail
+
+If an empty $message is passed to imap_mail(), we must not set message
+to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
+(opposed to pointers to NUL).
+---
+ NEWS | 1 +
+ ext/imap/php_imap.c | 1 -
+ ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/imap/tests/bug77020.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index a23e84c08521..b30440f000f3 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -4088,7 +4088,6 @@ PHP_FUNCTION(imap_mail)
+ if (!message_len) {
+ /* this is not really an error, so it is allowed. */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command");
+- message = NULL;
+ }
+
+ if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) {
+diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
+new file mode 100644
+index 000000000000..8a65232eec6d
+--- /dev/null
++++ b/ext/imap/tests/bug77020.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #77020 (null pointer dereference in imap_mail)
++--SKIPIF--
++
++--FILE--
++
++===DONE===
++--EXPECTF--
++Warning: imap_mail(): No message string in mail command in %s on line %d
++%s
++===DONE===
diff --git a/bug77153.patch b/bug77153.patch
new file mode 100644
index 0000000..7caf8f9
--- /dev/null
+++ b/bug77153.patch
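Review bot: Dropping `message = NULL;` is the fix, but the comment left behind, `/* this is not really an error, so it is allowed. */`, no longer records why an empty message must keep pointing at "" rather than NULL, so a later cleanup could reintroduce the assignment; I would extend it to `/* not an error: keep message as a pointer to "" — _php_imap_mail() does not accept NULL (bug #77020) */`. The embedded diffstat still reports `3 files changed` including `NEWS`, while the backport carries only the php_imap.c and bug77020.phpt hunks, so the stat is stale and worth trimming so that `patch` output and the file agree. `_php_imap_mail()` and the rest of PHP_FUNCTION(imap_mail) are outside the hunk, so whether every consumer of `message` tolerates an empty string cannot be confirmed from here.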
@@ -0,0 +1,124 @@
+Backported for 5.4/5.5, from 5.6, by Remi
+
+
+From e5bfea64c81ae34816479bb05d17cdffe45adddb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 18 Nov 2018 17:10:43 -0800
+Subject: [PATCH] Disable rsh/ssh functionality in imap by default (bug #77153)
+
+---
+ NEWS | 4 ++++
+ UPGRADING | 7 +++++++
+ ext/imap/php_imap.c | 17 +++++++++++++++++
+ ext/imap/php_imap.h | 1 +
+ ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++
+ 5 files changed, 53 insertions(+)
+ create mode 100644 ext/imap/tests/bug77153.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index 00eae89a963b..f6feebe9f769 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = {
+ };
+ /* }}} */
+
++
++/* {{{ PHP_INI
++ */
++PHP_INI_BEGIN()
++STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
++PHP_INI_END()
++/* }}} */
++
++
+ /* {{{ imap_module_entry
+ */
+ zend_module_entry imap_module_entry = {
+@@ -835,6 +844,8 @@ PHP_MINIT_FUNCTION(imap)
+ {
+ unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
+
++ REGISTER_INI_ENTRIES();
++
+ #ifndef PHP_WIN32
+ mail_link(&unixdriver); /* link in the unix driver */
+ mail_link(&mhdriver); /* link in the mh driver */
+@@ -1052,6 +1063,12 @@ PHP_MINIT_FUNCTION(imap)
+ GC_TEXTS texts
+ */
+
++ if (!IMAPG(enable_rsh)) {
++ /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
++ mail_parameters (NIL, SET_RSHTIMEOUT, 0);
++ mail_parameters (NIL, SET_SSHTIMEOUT, 0);
++ }
++
+ le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
+ return SUCCESS;
+ }
+diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h
+index 3a1d048cd3e2..0c3ce78d4855 100644
+--- a/ext/imap/php_imap.h
++++ b/ext/imap/php_imap.h
+@@ -214,6 +214,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
+ #endif
+ /* php_stream for
php_mail_gets() */
+ php_stream *gets_stream;
++ zend_bool enable_rsh;
+ ZEND_END_MODULE_GLOBALS(imap)
+
+ #ifdef ZTS
+diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt
+new file mode 100644
+index 000000000000..63590aee1dde
+--- /dev/null
++++ b/ext/imap/tests/bug77153.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
++--SKIPIF--
++
++--FILE--
++ " . __DIR__ . '/__bug';
++$payloadb64 = base64_encode($payload);
++$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
++@imap_open('{'.$server.':143/imap}INBOX', '', '');
++// clean
++imap_errors();
++var_dump(file_exists(__DIR__ . '/__bug'));
++?>
++--EXPECT--
++bool(false)
++--CLEAN--
++
+\ No newline at end of file
+From d8765852e0400ee2ce8ae9e2177c42731d4539d8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Wed, 28 Nov 2018 15:45:51 -0800
+Subject: [PATCH] Add DISPLAY_INI_ENTRIES for imap
+
+---
+ ext/imap/php_imap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index f6feebe9f769..a23e84c08521 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -1155,6 +1155,8 @@ PHP_MINFO_FUNCTION(imap)
+ php_info_print_table_row(2, "Kerberos Support", "enabled");
+ #endif
+ php_info_print_table_end();
++
++ DISPLAY_INI_ENTRIES();
+ }
+ /* }}} */
+
diff --git a/bug77231.patch b/bug77231.patch
new file mode 100644
index 0000000..e805ade
--- /dev/null
+++ b/bug77231.patch
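Review bot: The `if (!IMAPG(enable_rsh))` block in PHP_MINIT_FUNCTION neutralises the ProxyCommand injection only because c-client skips its rsh/ssh pre-authentication path when `SET_RSHTIMEOUT`/`SET_SSHTIMEOUT` are zero, yet the comment records nothing but the bug URL; I would spell the contract out: `/* a 0 timeout makes c-client never spawn rsh/ssh for a mailbox host, which is attacker-controlled (bug #77153) */`. Since the value is read once at MINIT and the entry is `PHP_INI_SYSTEM`, a script cannot flip it back with ini_set(), which is the right default, but it also means the packaged php.ini is the only place an administrator will see the new `imap.enable_insecure_rsh` knob — that file is not in this diff, so I cannot tell whether it documents it. The embedded diffstat still lists `NEWS` and `UPGRADING` (`5 files changed`) although only the php_imap.c, php_imap.h and bug77153.phpt hunks are carried in the backport.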
@@ -0,0 +1,46 @@
+Backported for 5.4/5.5, from 5.6, by Remi
+
+
+From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 3 Dec 2018 02:12:11 -0800
+Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
+
+---
+ NEWS | 4 ++++
+ ext/standard/filters.c | 2 +-
+ ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/filters/bug77231.phpt
+
+diff --git a/ext/standard/filters.c b/ext/standard/filters.c
+index dc7b0d86dcd3..9718a45be25e 100644
+--- a/ext/standard/filters.c
++++ b/ext/standard/filters.c
+@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
+ line_ccnt--;
+ CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
+ } else {
+- if (line_ccnt < 4) {
++ if (line_ccnt < 4 && inst->lbchars != NULL) {
+ if (ocnt < inst->lbchars_len + 1) {
+ err = PHP_CONV_ERR_TOO_BIG;
+ break;
+diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
+new file mode 100644
+index 000000000000..17967ee80fc5
+--- /dev/null
++++ b/ext/standard/tests/filters/bug77231.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
++--FILE--
++
++--EXPECT--
++array(1) {
++ [0]=>
++ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
++}
+\ No newline at end of file
diff --git a/php.spec b/php.spec
index b072c74..47fc910 100644
--- a/php.spec
+++ b/php.spec
@@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.5.38
-Release: 9%{?dist}
+Release: 10%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
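Review bot: The added `inst->lbchars != NULL` test prevents the NULL dereference through `inst->lbchars_len`, but it only suppresses the soft line break: `line_ccnt--` two lines above still runs on every character and nothing resets it when no line-break characters are configured, so if `line_ccnt` is an unsigned type it will wrap and the `< 4` comparison loses its meaning (its declaration is outside the hunk, so I cannot confirm the type). Even if the wrap is harmless today, the condition deserves a comment explaining why the counter is ignored: `if (line_ccnt < 4 && inst->lbchars != NULL) { /* no line-break-chars configured: never emit a soft break (bug #77231) */`. php_conv_qprint_encode_convert() starts and ends outside the hunk, so the fallthrough after the skipped break is not visible here.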
@@ -250,6 +250,9 @@ Patch154: bug69090.patch
 Patch155: bug73549.patch
 Patch156: bug75981.patch
 Patch157: bug76582.patch
+Patch158: bug77153.patch
+Patch159: bug77020.patch
+Patch160: bug77231.patch
 # Security fixes (200+)
@@ -999,7 +1002,11 @@ support for using the enchant library to PHP.
 %patch154 -p1 -b .bug69090
 %patch155 -p1 -b .bug73549
 %patch156 -p1 -b .bug75981
-%patch157 -p1 -b .bug75981
+%patch157 -p1 -b .bug76582
+%patch158 -p1 -b .bug77153
+%patch159 -p1 -b .bug77020
+%patch160 -p1 -b .bug77231
+
 : ------------------------
 # Fixes for tests
@@ -1911,6 +1918,14 @@ EOF
 %changelog
+* Mon Dec 10 2018 Remi Collet - 5.5.38-10
+- Fix #77231 Segfault when using convert.quoted-printable-encode filter
+- Fix #77020 null pointer dereference in imap_mail
+ CVE-2018-19935
+- Fix #77153 imap_open allows to run arbitrary shell commands via
+ mailbox parameter
+ CVE-2018-19158
+
 * Fri Sep 14 2018 Remi Collet - 5.5.38-9
 - fix #76582: XSS due to the header Transfer-Encoding: chunked
-- cgit
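Review bot: Patch158–Patch160 are declared in the bug-fix range directly above the spec's own `# Security fixes (200+)` marker even though #77020 and #77153 carry CVE-2018-19935 and CVE-2018-19158; by the file's convention they belong in the 200+ block, or the marker should go, otherwise someone auditing CVE coverage will look in the wrong place. The `%prep` order is also load-bearing: bug77153.patch's second commit leaves php_imap.c at index `a23e84c08521`, which is exactly the pre-image bug77020.patch starts from, so `%patch158` must stay ahead of `%patch159`; a one-line `# bug77153 must be applied before bug77020 (both touch php_imap.c)` next to those lines would keep a later reordering from breaking the build.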