summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-05-28 10:58:49 +0200
committerRemi Collet <remi@remirepo.net>2019-05-28 10:58:49 +0200
commit03c41d47591db8caa2b4657e3616a66a687f1432 (patch)
tree5eb3d8347d6807490ca222e5064b2887630607bb
parente27446552a1fcf0039aa1dede7035f31b9769439 (diff)
- iconv:
Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() CVE-2019-11039 - exif: Fix #77988 Heap-buffer-overflow on php_jpg_get16 CVE-2019-11040 - sqlite3: Fix #77967 Bypassing open_basedir restrictions via file uris
-rw-r--r--failed.txt2
-rw-r--r--php-bug77967.patch57
-rw-r--r--php-bug77988.patch59
-rw-r--r--php-bug78069.patch36
-rw-r--r--php.spec18
5 files changed, 170 insertions, 2 deletions
diff --git a/failed.txt b/failed.txt
index 88a7585..eba41aa 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 5.6.40-8 (2019-04-30)
+===== 5.6.40-9 (2019-05-28)
$ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
diff --git a/php-bug77967.patch b/php-bug77967.patch
new file mode 100644
index 0000000..dad8585
--- /dev/null
+++ b/php-bug77967.patch
@@ -0,0 +1,57 @@
+From 7de8c0284cd9e237eb8a1faa9b41af1d3ef32ea9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 27 May 2019 18:04:00 -0700
+Subject: [PATCH] Fix bug #77967 - Bypassing open_basedir restrictions via file
+ uris
+
+(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216)
+---
+ NEWS | 7 +++++--
+ ext/sqlite3/sqlite3.c | 9 +++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 9345c039a2..cff9517ed5 100644
+--- a/NEWS
++++ b/NEWS
+@@ -15,6 +15,9 @@ Backported from 7.1.30
+ . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
+ due to integer overflow). (CVE-2019-11039). (maris dot adam)
+
++- SQLite:
++ . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas)
++
+ Backported from 7.1.29
+
+ - EXIF
+@@ -26,8 +29,8 @@ Backported from 7.1.28
+ - EXIF:
+ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
+ (Stas)
+- . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
+- (CVE-2019-11035) (Stas)
++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
++ (CVE-2019-11035) (Stas)
+
+ - SQLite3:
+ . Added sqlite3.defensive INI directive. (BohwaZ)
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
+index 761b777d06..7bf873ff69 100644
+--- a/ext/sqlite3/sqlite3.c
++++ b/ext/sqlite3/sqlite3.c
+@@ -2062,6 +2062,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar
+ }
+ #endif
+
++ if (strncmp(arg3, "file:", 5) == 0) {
++ /* starts with "file:" */
++ if (!arg3[5]) {
++ return SQLITE_DENY;
++ }
++ if (php_check_open_basedir(arg3 + 5 TSRMLS_CC)) {
++ return SQLITE_DENY;
++ }
++ }
+ if (php_check_open_basedir(arg3 TSRMLS_CC)) {
+ return SQLITE_DENY;
+ }
diff --git a/php-bug77988.patch b/php-bug77988.patch
new file mode 100644
index 0000000..bd7fa14
--- /dev/null
+++ b/php-bug77988.patch
@@ -0,0 +1,59 @@
+Without test as binary patch not supported
+
+
+
+
+From 9e0574adfd9566ed6308291e4917b095a238fa79 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 27 May 2019 17:16:29 -0700
+Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
+
+(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb)
+---
+ NEWS | 14 ++++++++++++++
+ ext/exif/exif.c | 2 ++
+ ext/exif/tests/bug77988.jpg | Bin 0 -> 1202 bytes
+ ext/exif/tests/bug77988.phpt | 11 +++++++++++
+ 4 files changed, 27 insertions(+)
+ create mode 100644 ext/exif/tests/bug77988.jpg
+ create mode 100644 ext/exif/tests/bug77988.phpt
+
+diff --git a/NEWS b/NEWS
+index 1bb6b57584..9345c039a2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,20 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.30
++
++- EXIF:
++ . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).
++ (CVE-2019-11040) (Stas)
++
++- GD:
++ . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
++ (CVE-2019-11038) (cmb)
++
++- Iconv:
++ . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
++ due to integer overflow). (CVE-2019-11039). (maris dot adam)
++
+ Backported from 7.1.29
+
+ - EXIF
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 15e091b6c5..b6c31773ab 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3536,6 +3536,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
+ if (c == 0xFF)
+ return FALSE;
+ marker = c;
++ if (pos>=ImageInfo->Thumbnail.size)
++ return FALSE;
+ length = php_jpg_get16(data+pos);
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
+ return FALSE;
+
diff --git a/php-bug78069.patch b/php-bug78069.patch
new file mode 100644
index 0000000..583db1d
--- /dev/null
+++ b/php-bug78069.patch
@@ -0,0 +1,36 @@
+Without test as binary patch not supported
+
+
+
+
+From aabd02d6dd1eab180486cff933dc8d08d4297e38 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 27 May 2019 16:32:42 -0700
+Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
+ iconv.c:_php_iconv_mime_decode() due to integer overflow
+
+(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac)
+---
+ ext/iconv/iconv.c | 4 +++-
+ ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes
+ ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 ext/iconv/tests/bug78069.data
+ create mode 100644 ext/iconv/tests/bug78069.phpt
+
+diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
+index 335dbd17e9..bbc4b0f5e3 100644
+--- a/ext/iconv/iconv.c
++++ b/ext/iconv/iconv.c
+@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
+ * we can do at this point. */
+ if (*(p1 + 1) == '=') {
+ ++p1;
+- --str_left;
++ if (str_left > 1) {
++ --str_left;
++ }
+ }
+
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
+
diff --git a/php.spec b/php.spec
index 7d1737b..69f62e3 100644
--- a/php.spec
+++ b/php.spec
@@ -136,7 +136,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 8%{?dist}
+Release: 9%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -208,6 +208,9 @@ Patch215: php-sqlite3-defensive.patch
Patch216: php-bug77753.patch
Patch217: php-bug77831.patch
Patch218: php-bug77950.patch
+Patch219: php-bug78069.patch
+Patch220: php-bug77988.patch
+Patch221: php-bug77967.patch
# Fixes for tests (300+)
@@ -948,6 +951,9 @@ support for using the enchant library to PHP.
%patch216 -p1 -b .bug77753
%patch217 -p1 -b .bug77831
%patch218 -p1 -b .bug77950
+%patch219 -p1 -b .bug78069
+%patch220 -p1 -b .bug77988
+%patch221 -p1 -b .bug77967
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1893,6 +1899,16 @@ EOF
%changelog
+* Tue May 28 2019 Remi Collet <remi@remirepo.net> - 5.6.40-9
+- iconv:
+ Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
+ CVE-2019-11039
+- exif:
+ Fix #77988 Heap-buffer-overflow on php_jpg_get16
+ CVE-2019-11040
+- sqlite3:
+ Fix #77967 Bypassing open_basedir restrictions via file uris
+
* Tue Apr 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-8
- exif:
Fix #77950 Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG