diff options
author | Remi Collet <remi@remirepo.net> | 2020-03-17 08:16:54 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-03-17 08:16:54 +0100 |
commit | 3a162835ac7ba1d2994784d68a0d29bb8fe52576 (patch) | |
tree | 982e3db9396f70d03df283db36b0081af1100d76 | |
parent | 3407e148f90cc766ae72069a2b84ba3649736796 (diff) |
standard:
Fix #79329 get_headers() silently truncates after a null byte
CVE-2020-7066
exif:
Fix #79282 Use-of-uninitialized-value in exif
CVE-2020-7064
use oracle client library version 19.6 (18.5 on EL-6)
-rw-r--r-- | php-bug79282.patch | 113 | ||||
-rw-r--r-- | php-bug79329.patch | 59 | ||||
-rw-r--r-- | php.spec | 17 |
3 files changed, 187 insertions, 2 deletions
diff --git a/php-bug79282.patch b/php-bug79282.patch new file mode 100644 index 0000000..9441159 --- /dev/null +++ b/php-bug79282.patch @@ -0,0 +1,113 @@ +From 5ac3ebcd4f9509d1a7e54f30117227822fbc0648 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 15 Mar 2020 17:26:00 -0700 +Subject: [PATCH] Fixed bug #79282 + +(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216) +(cherry picked from commit 8577fa5891220dac40d42b2f745fa159dcd871ad) +(cherry picked from commit 59119490c9e2359ea720928b2e71b68e5c20f195) +--- + ext/exif/exif.c | 7 ++++++- + ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug79282.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index f64a14ed9c..bf2fd61cd1 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3253,6 +3253,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, + { + unsigned exif_value_2a, offset_of_ifd; + ++ if (length < 2) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); ++ return; ++ } ++ + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ + if (memcmp(CharBuf, "II", 2) == 0) { + ImageInfo->motorola_intel = 0; +@@ -3405,7 +3410,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC) + return FALSE; + } + +- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); ++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); + Data = ImageInfo->file.list[sn].data; + + /* Store first two pre-read bytes. */ +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +new file mode 100644 +index 0000000000..7b7e365657 +--- /dev/null ++++ b/ext/exif/tests/bug79282.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #79282: Use-of-uninitialized-value in exif ++--FILE-- ++<?php ++ ++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); ++ ++?> ++--EXPECTF-- ++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++ ++Warning: exif_read_data(): File structure corrupted in %s on line %d ++ ++Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++bool(false) +From 90ca028814e7ba32e58b55f0b4db306f1809af3d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 15 Mar 2020 17:55:28 -0700 +Subject: [PATCH] Fix test + +(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be) +(cherry picked from commit ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c) +(cherry picked from commit c1d08859cdac23aeff99953797231f6824d045c5) +--- + ext/exif/tests/bug79282.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index 7b7e365657..df91127c9c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d + + Warning: exif_read_data(): File structure corrupted in %s on line %d + +From 4a281e20969e209bfdd2c88560ce5f57806d0b31 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 17 Mar 2020 07:23:32 +0100 +Subject: [PATCH] fix test + +(cherry picked from commit b42b6d0ff774fdced1155cb0c721d91914d619f5) +(cherry picked from commit 51cc7a6225bbf1f7dfe0ffeb318fb0ff098780f9) +--- + ext/exif/tests/bug79282.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index df91127c9c..142cf28a6c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d ++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d + +-Warning: exif_read_data(): File structure corrupted in %s on line %d ++Warning: exif_read_data(%s): File structure corrupted in %s on line %d + +-Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d + bool(false) diff --git a/php-bug79329.patch b/php-bug79329.patch new file mode 100644 index 0000000..a8bf790 --- /dev/null +++ b/php-bug79329.patch @@ -0,0 +1,59 @@ +From c3582855b88cfde8e69734da738803b54c2c2e26 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 17 Mar 2020 07:25:12 +0100 +Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0 + +From 0d139c5b94a5f485a66901919e51faddb0371c43 + +(cherry picked from commit b7b9302660a23a67285e204bc3d7fcf6ba7f6533) +(cherry picked from commit b9a1e6bfd762d2bf7fa3c5bbcfbb6dcdfdfa982c) +--- + ext/standard/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 6ecace53e5..d6e71fa487 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -675,7 +675,7 @@ PHP_FUNCTION(get_headers) + HashTable *hashT; + long format = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &url, &url_len, &format) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &url, &url_len, &format) == FAILURE) { + return; + } + context = FG(default_context) ? FG(default_context) : (FG(default_context) = php_stream_context_alloc(TSRMLS_C)); +From f94716859dfa52416754faa226d1bd642373f117 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 15 Mar 2020 19:35:26 -0700 +Subject: [PATCH] [ci skip] Update NEWS + +(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5) +(cherry picked from commit 03471e31c9b467d1d8d944e44fa009ef247e81bd) +(cherry picked from commit 4844343ac37e8e3ca4d995b1d91fc0f9daf03d5f) +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index 22e714e837..5085d35e9a 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.29 ++ ++- Core: ++ . Fixed bug #79329 (get_headers() silently truncates after a null byte) ++ (CVE-2020-7066) (cmb) ++ ++- EXIF: ++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) ++ (Nikita) ++ + Backported from 7.2.28 + + - Phar: @@ -67,7 +67,7 @@ %endif %global oraclelib 18.1 %else -%global oraclever 19.5 +%global oraclever 19.6 %global oraclelib 19.1 %endif @@ -146,7 +146,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 18%{?dist} +Release: 19%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -237,6 +237,8 @@ Patch233: php-bug79099.patch Patch234: php-bug79037.patch Patch236: php-bug79221.patch Patch237: php-bug79082.patch +Patch238: php-bug79282.patch +Patch239: php-bug79329.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -998,6 +1000,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch234 -p1 -b .bug79037 %patch236 -p1 -b .bug79221 %patch237 -p1 -b .bug79082 +%patch238 -p1 -b .bug79282 +%patch239 -p1 -b .bug79329 # Fixes for tests %patch300 -p1 -b .datetests @@ -1943,6 +1947,15 @@ EOF %changelog +* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 5.6.40-19 +- standard: + Fix #79329 get_headers() silently truncates after a null byte + CVE-2020-7066 +- exif: + Fix #79282 Use-of-uninitialized-value in exif + CVE-2020-7064 +- use oracle client library version 19.6 (18.5 on EL-6) + * Wed Feb 19 2020 Remi Collet <remi@remirepo.net> - 5.6.40-18.fc32 - add fix for GCC 10 |