diff options
author | Remi Collet <remi@remirepo.net> | 2019-12-17 17:23:58 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-12-17 17:23:58 +0100 |
commit | 81d085a88766fd8917eb3a1b1afc8e95049b4822 (patch) | |
tree | 7fa8df4499ad430b14471d41490fe60ab7f4fd07 | |
parent | b1b66396debbf9f9030deda817b31e0a447be549 (diff) |
- bcmath:
Fix #78878 Buffer underflow in bc_shift_addsub
CVE-2019-11046
- core:
Fix #78862 link() silently truncates after a null byte on Windows
CVE-2019-11044
Fix #78863 DirectoryIterator class silently truncates after a null byte
CVE-2019-11045
- exif
Fix #78793 Use-after-free in exif parsing under memory sanitizer
CVE-2019-11050
Fix #78910 Heap-buffer-overflow READ in exif
CVE-2019-11047
- use oracle client library version 19.5 (18.5 on EL-6)
-rw-r--r-- | failed.txt | 2 | ||||
-rw-r--r-- | php-bug78793.patch | 62 | ||||
-rw-r--r-- | php-bug78862.patch | 68 | ||||
-rw-r--r-- | php-bug78863.patch | 85 | ||||
-rw-r--r-- | php-bug78878.patch | 68 | ||||
-rw-r--r-- | php-bug78910.patch | 146 | ||||
-rw-r--r-- | php.spec | 40 |
7 files changed, 463 insertions, 8 deletions
@@ -1,4 +1,4 @@ -===== 5.6.40-14 (2019-09-22) +===== 5.6.40-15 (2019-12-19) $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log diff --git a/php-bug78793.patch b/php-bug78793.patch new file mode 100644 index 0000000..378d97a --- /dev/null +++ b/php-bug78793.patch @@ -0,0 +1,62 @@ +From 7dffbc16e459f1c0379eb75a32bdf8a8666c4ca1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 16 Dec 2019 01:14:38 -0800 +Subject: [PATCH] Fix bug #78793 + +(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba) +--- + NEWS | 4 ++++ + ext/exif/exif.c | 5 +++-- + ext/exif/tests/bug78793.phpt | 12 ++++++++++++ + 3 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug78793.phpt + +diff --git a/NEWS b/NEWS +index 5bf9b6a5ee..dae019c976 100644 +--- a/NEWS ++++ b/NEWS +@@ -13,6 +13,10 @@ Backported from 7.2.26 + . Fixed bug #78863 (DirectoryIterator class silently truncates after a null + byte). (CVE-2019-11045). (cmb) + ++- EXIF: ++ . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). ++ (CVE-2019-11050). (Nikita) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index ec362f7e6d..6a3bb912c3 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2831,8 +2831,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + } + + for (de=0;de<NumDirEntries;de++) { +- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, +- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) { ++ size_t offset = 2 + 12 * de; ++ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset, ++ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) { + return FALSE; + } + } +diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt +new file mode 100644 +index 0000000000..033f255ace +--- /dev/null ++++ b/ext/exif/tests/bug78793.phpt +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #78793: Use-after-free in exif parsing under memory sanitizer ++--FILE-- ++<?php ++$f = "ext/exif/tests/bug77950.tiff"; ++for ($i = 0; $i < 10; $i++) { ++ @exif_read_data($f); ++} ++?> ++===DONE=== ++--EXPECT-- ++===DONE=== diff --git a/php-bug78862.patch b/php-bug78862.patch new file mode 100644 index 0000000..e178901 --- /dev/null +++ b/php-bug78862.patch @@ -0,0 +1,68 @@ +From 51eb09b2b14711c1d81c075429811c5f2a885be4 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Sat, 23 Nov 2019 13:01:33 +0100 +Subject: [PATCH] Fix #78862: link() silently truncates after a null byte on + Windows + +Since link() is supposed to accepts paths (i.e. strings without NUL +bytes), we must not accept arbitrary strings. + +(cherry picked from commit 0e6c0654ed06751ced134515f7629c40bd979d7f) +--- + NEWS | 4 ++++ + ext/standard/link_win32.c | 2 +- + .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt + +diff --git a/NEWS b/NEWS +index 5102c97629..d7f67ea976 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,10 @@ Backported from 7.2.26 + . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046). + (cmb) + ++- Core: ++ . Fixed bug #78862 (link() silently truncates after a null byte on Windows). ++ (CVE-2019-11044). (cmb) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c +index 059201c6b2..4c537dbf69 100644 +--- a/ext/standard/link_win32.c ++++ b/ext/standard/link_win32.c +@@ -208,7 +208,7 @@ PHP_FUNCTION(link) + + /*First argument to link function is the target and hence should go to frompath + Second argument to link function is the link itself and hence should go to topath */ +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { + return; + } + +diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt +new file mode 100644 +index 0000000000..33b4b49293 +--- /dev/null ++++ b/ext/standard/tests/file/windows_links/bug78862.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #78862 (link() silently truncates after a null byte on Windows) ++--FILE-- ++<?php ++file_put_contents(__DIR__ . '/bug78862.target', 'foo'); ++var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more")); ++var_dump(file_exists(__DIR__ . '/bug78862.link')); ++?> ++--EXPECTF-- ++Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d ++NULL ++bool(false) ++--CLEAN-- ++<?php ++unlink(__DIR__ . '/bug78862.target'); ++unlink(__DIR__ . '/bug78862.link'); ++?> diff --git a/php-bug78863.patch b/php-bug78863.patch new file mode 100644 index 0000000..eda23aa --- /dev/null +++ b/php-bug78863.patch @@ -0,0 +1,85 @@ +From 4fe7ea95d92de389bbfa46e155f7dd97b0d4d320 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Mon, 25 Nov 2019 16:56:34 +0100 +Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after + a null byte + +Since the constructor of DirectoryIterator and friends is supposed to +accepts paths (i.e. strings without NUL bytes), we must not accept +arbitrary strings. + +(cherry picked from commit a5a15965da23c8e97657278fc8dfbf1dfb20c016) +--- + NEWS | 2 ++ + ext/spl/spl_directory.c | 4 ++-- + ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++ + 3 files changed, 35 insertions(+), 2 deletions(-) + create mode 100644 ext/spl/tests/bug78863.phpt + +diff --git a/NEWS b/NEWS +index d7f67ea976..5bf9b6a5ee 100644 +--- a/NEWS ++++ b/NEWS +@@ -10,6 +10,8 @@ Backported from 7.2.26 + - Core: + . Fixed bug #78862 (link() silently truncates after a null byte on Windows). + (CVE-2019-11044). (cmb) ++ . Fixed bug #78863 (DirectoryIterator class silently truncates after a null ++ byte). (CVE-2019-11045). (cmb) + + Backported from 7.1.33 + +diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c +index fbcf892c3d..3a22357a26 100644 +--- a/ext/spl/spl_directory.c ++++ b/ext/spl/spl_directory.c +@@ -691,10 +691,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, long ctor_fla + + if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { + flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; +- parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &path, &len, &flags); ++ parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &path, &len, &flags); + } else { + flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; +- parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &path, &len); ++ parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &path, &len); + } + if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) { + flags |= SPL_FILE_DIR_SKIPDOTS; +diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt +new file mode 100644 +index 0000000000..dc88d98dee +--- /dev/null ++++ b/ext/spl/tests/bug78863.phpt +@@ -0,0 +1,31 @@ ++--TEST-- ++Bug #78863 (DirectoryIterator class silently truncates after a null byte) ++--FILE-- ++<?php ++$dir = __DIR__ . '/bug78863'; ++mkdir($dir); ++touch("$dir/bad"); ++mkdir("$dir/sub"); ++touch("$dir/sub/good"); ++ ++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub"); ++foreach ($it as $fileinfo) { ++ if (!$fileinfo->isDot()) { ++ var_dump($fileinfo->getFilename()); ++ } ++} ++?> ++--EXPECTF-- ++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d ++Stack trace: ++#0 %s(%d): DirectoryIterator->__construct('%s') ++#1 {main} ++ thrown in %s on line %d ++--CLEAN-- ++<?php ++$dir = __DIR__ . '/bug78863'; ++unlink("$dir/sub/good"); ++rmdir("$dir/sub"); ++unlink("$dir/bad"); ++rmdir($dir); ++?> diff --git a/php-bug78878.patch b/php-bug78878.patch new file mode 100644 index 0000000..7d54bda --- /dev/null +++ b/php-bug78878.patch @@ -0,0 +1,68 @@ +From e6614bec92634d91d2406bf9e997675b52971769 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Sat, 30 Nov 2019 12:26:37 +0100 +Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub + +We must not rely on `isdigit()` to detect digits, since we only support +decimal ASCII digits in the following processing. + +(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018) +--- + NEWS | 6 ++++++ + ext/bcmath/libbcmath/src/str2num.c | 4 ++-- + ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++ + 3 files changed, 21 insertions(+), 2 deletions(-) + create mode 100644 ext/bcmath/tests/bug78878.phpt + +diff --git a/NEWS b/NEWS +index 9d7b600cf0..5102c97629 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.26 ++ ++- Bcmath: ++ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046). ++ (cmb) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c +index c484c158e5..a5e7850160 100644 +--- a/ext/bcmath/libbcmath/src/str2num.c ++++ b/ext/bcmath/libbcmath/src/str2num.c +@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale TSRMLS_DC) + zero_int = FALSE; + if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ + while (*ptr == '0') ptr++; /* Skip leading zeros. */ +- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ ++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ + if (*ptr == '.') ptr++; /* decimal point */ +- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ ++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ + if ((*ptr != '\0') || (digits+strscale == 0)) + { + *num = bc_copy_num (BCG(_zero_)); +diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt +new file mode 100644 +index 0000000000..2c9d72b946 +--- /dev/null ++++ b/ext/bcmath/tests/bug78878.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #78878 (Buffer underflow in bc_shift_addsub) ++--SKIPIF-- ++<?php ++if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); ++?> ++--FILE-- ++<?php ++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); ++?> ++--EXPECT-- ++bc math warning: non-zero scale in modulus ++0 diff --git a/php-bug78910.patch b/php-bug78910.patch new file mode 100644 index 0000000..17ec51e --- /dev/null +++ b/php-bug78910.patch @@ -0,0 +1,146 @@ +From b02ca1de8e0e5862df3c2c84358d2da624d39a1b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 16 Dec 2019 00:10:39 -0800 +Subject: [PATCH] Fixed bug #78910 + +(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7) +--- + NEWS | 2 ++ + ext/exif/exif.c | 3 ++- + ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug78910.phpt + +diff --git a/NEWS b/NEWS +index dae019c976..ee2fe2830b 100644 +--- a/NEWS ++++ b/NEWS +@@ -16,6 +16,8 @@ Backported from 7.2.26 + - EXIF: + . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). + (CVE-2019-11050). (Nikita) ++ . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047). ++ (Nikita) + + Backported from 7.1.33 + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 6a3bb912c3..f64a14ed9c 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2759,7 +2759,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + continue; + if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) + continue; +- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) ++ if (maker_note->id_string && value_len >= maker_note->id_string_len ++ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) + continue; + break; + } +diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt +new file mode 100644 +index 0000000000..f5b1c32c1b +--- /dev/null ++++ b/ext/exif/tests/bug78910.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) ++--FILE-- ++<?php ++ ++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN')); ++ ++?> ++--EXPECTF-- ++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d ++ ++Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d ++ ++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d ++ ++Warning: exif_read_data(): Invalid TIFF file in %s on line %d ++bool(false) +From 10c1c8cb32eb507e045414392b6f51d3512e6cb0 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 17 Dec 2019 15:24:23 +0100 +Subject: [PATCH] Fix tests + +--- + ext/bcmath/tests/bug78878.phpt | 3 +-- + ext/exif/tests/bug76557.phpt | 2 +- + ext/exif/tests/bug78910.phpt | 8 ++++---- + ext/spl/tests/bug54291.phpt | 2 +- + ext/spl/tests/bug78863.phpt | 2 +- + 5 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt +index 2c9d72b946..3337270aad 100644 +--- a/ext/bcmath/tests/bug78878.phpt ++++ b/ext/bcmath/tests/bug78878.phpt +@@ -9,5 +9,4 @@ if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); + print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); + ?> + --EXPECT-- +-bc math warning: non-zero scale in modulus +-0 ++0bc math warning: non-zero scale in modulus +diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt +index 4553b62772..8920de658a 100644 +--- a/ext/exif/tests/bug76557.phpt ++++ b/ext/exif/tests/bug76557.phpt +@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f + + Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d ++Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d + + Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d + +diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt +index f5b1c32c1b..7e40b82389 100644 +--- a/ext/exif/tests/bug78910.phpt ++++ b/ext/exif/tests/bug78910.phpt +@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA + + ?> + --EXPECTF-- +-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d ++Notice: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d + +-Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d ++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d + +-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d ++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): IFD data too short: 0x0000 offset 0x000C in %s on line %d + +-Warning: exif_read_data(): Invalid TIFF file in %s on line %d ++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Invalid TIFF file in %s on line %d + bool(false) +diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt +index 9314b6b9ff..510963c688 100644 +--- a/ext/spl/tests/bug54291.phpt ++++ b/ext/spl/tests/bug54291.phpt +@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0) + $dir = new DirectoryIterator("\x00/abc"); + $dir->isFile(); + --EXPECTF-- +-Fatal error: Uncaught exception 'UnexpectedValueException' with message 'Failed to open directory ""' in %s:%d ++Fatal error: Uncaught exception 'UnexpectedValueException' with message 'DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given' in %s:%d + Stack trace: + #0 %s(%d): DirectoryIterator->__construct('\x00/abc') + #1 {main} +diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt +index dc88d98dee..53a1110bc6 100644 +--- a/ext/spl/tests/bug78863.phpt ++++ b/ext/spl/tests/bug78863.phpt +@@ -16,7 +16,7 @@ foreach ($it as $fileinfo) { + } + ?> + --EXPECTF-- +-Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d ++Fatal error: Uncaught exception 'UnexpectedValueException' with message 'DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given' in %s:%d + Stack trace: + #0 %s(%d): DirectoryIterator->__construct('%s') + #1 {main} @@ -60,10 +60,14 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) %if 0%{?rhel} == 6 +%ifarch x86_64 +%global oraclever 18.5 +%else %global oraclever 18.3 +%endif %global oraclelib 18.1 %else -%global oraclever 19.3 +%global oraclever 19.5 %global oraclelib 19.1 %endif @@ -142,7 +146,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 14%{?dist} +Release: 15%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -223,6 +227,11 @@ Patch224: php-bug77919.patch Patch225: php-bug75457.patch Patch226: php-bug78380.patch Patch227: php-bug78599.patch +Patch228: php-bug78878.patch +Patch229: php-bug78862.patch +Patch230: php-bug78863.patch +Patch231: php-bug78793.patch +Patch232: php-bug78910.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -972,6 +981,11 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch225 -p1 -b .bug75457 %patch226 -p1 -b .bug78380 %patch227 -p1 -b .bug78599 +%patch228 -p1 -b .bug78878 +%patch229 -p1 -b .bug78862 +%patch230 -p1 -b .bug78863 +%patch231 -p1 -b .bug78793 +%patch232 -p1 -b .bug78910 # Fixes for tests %patch300 -p1 -b .datetests @@ -1735,13 +1749,9 @@ cat << EOF WARNING : PHP 5.6 have reached its "End of Life" in January 2019. Even, if this package includes some of - the important security fix, backported from 7.1, the + the important security fix, backported from 7.2, the UPGRADE to a maintained version is very strongly RECOMMENDED. -%if %{?fedora}%{!?fedora:99} < 28 - WARNING : Fedora %{fedora} is now EOL : - You should consider upgrading to a supported release -%endif ===================================================================== EOF @@ -1917,6 +1927,22 @@ EOF %changelog +* Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 5.6.40-15 +- bcmath: + Fix #78878 Buffer underflow in bc_shift_addsub + CVE-2019-11046 +- core: + Fix #78862 link() silently truncates after a null byte on Windows + CVE-2019-11044 + Fix #78863 DirectoryIterator class silently truncates after a null byte + CVE-2019-11045 +- exif + Fix #78793 Use-after-free in exif parsing under memory sanitizer + CVE-2019-11050 + Fix #78910 Heap-buffer-overflow READ in exif + CVE-2019-11047 +- use oracle client library version 19.5 (18.5 on EL-6) + * Tue Oct 22 2019 Remi Collet <remi@remirepo.net> - 5.6.40-14 - FPM: Fix CVE-2019-11043 env_path_info underflow in fpm_main.c |