summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--failed.txt8
-rw-r--r--php-5.6.40-gcc10.patch30
-rw-r--r--php-bug78793.patch62
-rw-r--r--php-bug78862.patch68
-rw-r--r--php-bug78863.patch85
-rw-r--r--php-bug78875.patch69
-rw-r--r--php-bug78878.patch68
-rw-r--r--php-bug78910.patch146
-rw-r--r--php-bug79037.patch93
-rw-r--r--php-bug79082.patch154
-rw-r--r--php-bug79099.patch113
-rw-r--r--php-bug79221.patch86
-rw-r--r--php-bug79282.patch113
-rw-r--r--php-bug79329.patch59
-rw-r--r--php-bug79330.patch58
-rw-r--r--php-bug79465.patch59
-rw-r--r--php-bug79797.patch52
-rw-r--r--php-bug79877.patch84
-rw-r--r--php-openssl-cert.patch147
-rw-r--r--php.spec144
20 files changed, 1681 insertions, 17 deletions
diff --git a/failed.txt b/failed.txt
index b6f9c2a..c04d5d0 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,13 +1,13 @@
-===== 5.6.40-14 (2019-09-22)
+===== 5.6.40-16 (2020-01-21)
$ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
/var/lib/mock/scl56el6x/build.log:Tests failed : 3
/var/lib/mock/scl56el7x/build.log:Tests failed : 2
/var/lib/mock/scl56el8x/build.log:Tests failed : 28
-/var/lib/mock/scl56fc29x/build.log:Tests failed : 3
/var/lib/mock/scl56fc30x/build.log:Tests failed : 3
/var/lib/mock/scl56fc31x/build.log:Tests failed : 3
+/var/lib/mock/scl56fc32x/build.log:Tests failed : 3
el6x:
@@ -16,9 +16,9 @@ el6x:
3 getmxrr() test [ext/standard/tests/network/getmxrr.phpt]
el7x:
2 Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt]
-el7x, fc29x, fc30x, fc31x:
+el7x, fc30x, fc31x, fc32x:
openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
-fc29x, fc30x, fc31x:
+fc30x, fc31x, fc32x:
2 substr_compare() [ext/standard/tests/strings/substr_compare.phpt]
TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
diff --git a/php-5.6.40-gcc10.patch b/php-5.6.40-gcc10.patch
new file mode 100644
index 0000000..16beddb
--- /dev/null
+++ b/php-5.6.40-gcc10.patch
@@ -0,0 +1,30 @@
+diff -up ./Zend/zend_dtrace.c.old ./Zend/zend_dtrace.c
+--- ./Zend/zend_dtrace.c.old 2020-02-19 14:06:05.624224596 +0100
++++ ./Zend/zend_dtrace.c 2020-02-19 14:07:50.842731017 +0100
+@@ -23,6 +23,10 @@
+ #include "zend_dtrace.h"
+
+ #ifdef HAVE_DTRACE
++ZEND_API zend_op_array *(*zend_dtrace_compile_file)(zend_file_handle *file_handle, int type TSRMLS_DC);
++ZEND_API void (*zend_dtrace_execute)(zend_op_array *op_array TSRMLS_DC);
++ZEND_API void (*zend_dtrace_execute_internal)(zend_execute_data *execute_data_ptr, zend_fcall_info *fci, int return_value_used TSRMLS_DC);
++
+ /* PHP DTrace probes {{{ */
+ static inline const char *dtrace_get_executed_filename(TSRMLS_D)
+ {
+diff -up ./Zend/zend_dtrace.h.old ./Zend/zend_dtrace.h
+--- ./Zend/zend_dtrace.h.old 2020-02-19 14:06:10.641201059 +0100
++++ ./Zend/zend_dtrace.h 2020-02-19 14:08:17.710604949 +0100
+@@ -30,9 +30,9 @@ extern "C" {
+ #endif
+
+ #ifdef HAVE_DTRACE
+-ZEND_API zend_op_array *(*zend_dtrace_compile_file)(zend_file_handle *file_handle, int type TSRMLS_DC);
+-ZEND_API void (*zend_dtrace_execute)(zend_op_array *op_array TSRMLS_DC);
+-ZEND_API void (*zend_dtrace_execute_internal)(zend_execute_data *execute_data_ptr, zend_fcall_info *fci, int return_value_used TSRMLS_DC);
++ZEND_API extern zend_op_array *(*zend_dtrace_compile_file)(zend_file_handle *file_handle, int type TSRMLS_DC);
++ZEND_API extern void (*zend_dtrace_execute)(zend_op_array *op_array TSRMLS_DC);
++ZEND_API extern void (*zend_dtrace_execute_internal)(zend_execute_data *execute_data_ptr, zend_fcall_info *fci, int return_value_used TSRMLS_DC);
+
+ ZEND_API zend_op_array *dtrace_compile_file(zend_file_handle *file_handle, int type TSRMLS_DC);
+ ZEND_API void dtrace_execute_ex(zend_execute_data *execute_data TSRMLS_DC);
diff --git a/php-bug78793.patch b/php-bug78793.patch
new file mode 100644
index 0000000..378d97a
--- /dev/null
+++ b/php-bug78793.patch
@@ -0,0 +1,62 @@
+From 7dffbc16e459f1c0379eb75a32bdf8a8666c4ca1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+
+(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba)
+---
+ NEWS | 4 ++++
+ ext/exif/exif.c | 5 +++--
+ ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78793.phpt
+
+diff --git a/NEWS b/NEWS
+index 5bf9b6a5ee..dae019c976 100644
+--- a/NEWS
++++ b/NEWS
+@@ -13,6 +13,10 @@ Backported from 7.2.26
+ . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
+ byte). (CVE-2019-11045). (cmb)
+
++- EXIF:
++ . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
++ (CVE-2019-11050). (Nikita)
++
+ Backported from 7.1.33
+
+ - FPM:
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index ec362f7e6d..6a3bb912c3 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2831,8 +2831,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ }
+
+ for (de=0;de<NumDirEntries;de++) {
+- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) {
++ size_t offset = 2 + 12 * de;
++ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
++ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table TSRMLS_CC)) {
+ return FALSE;
+ }
+ }
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
++++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #78793: Use-after-free in exif parsing under memory sanitizer
++--FILE--
++<?php
++$f = "ext/exif/tests/bug77950.tiff";
++for ($i = 0; $i < 10; $i++) {
++ @exif_read_data($f);
++}
++?>
++===DONE===
++--EXPECT--
++===DONE===
diff --git a/php-bug78862.patch b/php-bug78862.patch
new file mode 100644
index 0000000..e178901
--- /dev/null
+++ b/php-bug78862.patch
@@ -0,0 +1,68 @@
+From 51eb09b2b14711c1d81c075429811c5f2a885be4 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 23 Nov 2019 13:01:33 +0100
+Subject: [PATCH] Fix #78862: link() silently truncates after a null byte on
+ Windows
+
+Since link() is supposed to accepts paths (i.e. strings without NUL
+bytes), we must not accept arbitrary strings.
+
+(cherry picked from commit 0e6c0654ed06751ced134515f7629c40bd979d7f)
+---
+ NEWS | 4 ++++
+ ext/standard/link_win32.c | 2 +-
+ .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt
+
+diff --git a/NEWS b/NEWS
+index 5102c97629..d7f67ea976 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ Backported from 7.2.26
+ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
+ (cmb)
+
++- Core:
++ . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
++ (CVE-2019-11044). (cmb)
++
+ Backported from 7.1.33
+
+ - FPM:
+diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c
+index 059201c6b2..4c537dbf69 100644
+--- a/ext/standard/link_win32.c
++++ b/ext/standard/link_win32.c
+@@ -208,7 +208,7 @@ PHP_FUNCTION(link)
+
+ /*First argument to link function is the target and hence should go to frompath
+ Second argument to link function is the link itself and hence should go to topath */
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
+ return;
+ }
+
+diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt
+new file mode 100644
+index 0000000000..33b4b49293
+--- /dev/null
++++ b/ext/standard/tests/file/windows_links/bug78862.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78862 (link() silently truncates after a null byte on Windows)
++--FILE--
++<?php
++file_put_contents(__DIR__ . '/bug78862.target', 'foo');
++var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more"));
++var_dump(file_exists(__DIR__ . '/bug78862.link'));
++?>
++--EXPECTF--
++Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d
++NULL
++bool(false)
++--CLEAN--
++<?php
++unlink(__DIR__ . '/bug78862.target');
++unlink(__DIR__ . '/bug78862.link');
++?>
diff --git a/php-bug78863.patch b/php-bug78863.patch
new file mode 100644
index 0000000..eda23aa
--- /dev/null
+++ b/php-bug78863.patch
@@ -0,0 +1,85 @@
+From 4fe7ea95d92de389bbfa46e155f7dd97b0d4d320 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 25 Nov 2019 16:56:34 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+ a null byte
+
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+
+(cherry picked from commit a5a15965da23c8e97657278fc8dfbf1dfb20c016)
+---
+ NEWS | 2 ++
+ ext/spl/spl_directory.c | 4 ++--
+ ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug78863.phpt
+
+diff --git a/NEWS b/NEWS
+index d7f67ea976..5bf9b6a5ee 100644
+--- a/NEWS
++++ b/NEWS
+@@ -10,6 +10,8 @@ Backported from 7.2.26
+ - Core:
+ . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
+ (CVE-2019-11044). (cmb)
++ . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
++ byte). (CVE-2019-11045). (cmb)
+
+ Backported from 7.1.33
+
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index fbcf892c3d..3a22357a26 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -691,10 +691,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, long ctor_fla
+
+ if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+ flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &path, &len, &flags);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &path, &len, &flags);
+ } else {
+ flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &path, &len);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &path, &len);
+ }
+ if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+ flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
++++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #78863 (DirectoryIterator class silently truncates after a null byte)
++--FILE--
++<?php
++$dir = __DIR__ . '/bug78863';
++mkdir($dir);
++touch("$dir/bad");
++mkdir("$dir/sub");
++touch("$dir/sub/good");
++
++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
++foreach ($it as $fileinfo) {
++ if (!$fileinfo->isDot()) {
++ var_dump($fileinfo->getFilename());
++ }
++}
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:
++#0 %s(%d): DirectoryIterator->__construct('%s')
++#1 {main}
++ thrown in %s on line %d
++--CLEAN--
++<?php
++$dir = __DIR__ . '/bug78863';
++unlink("$dir/sub/good");
++rmdir("$dir/sub");
++unlink("$dir/bad");
++rmdir($dir);
++?>
diff --git a/php-bug78875.patch b/php-bug78875.patch
new file mode 100644
index 0000000..2d8f900
--- /dev/null
+++ b/php-bug78875.patch
@@ -0,0 +1,69 @@
+From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 13 May 2020 09:03:49 +0200
+Subject: [PATCH] Backports from 7.2.31
+
+ Fix #78875: Long filenames cause OOM and temp files are not cleaned
+(from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
+
+ Fix #78876: Long variables cause OOM and temp files are not cleaned
+(from 3c8582ca4b8e84e5647220b647914876d2c3b124)
+---
+ NEWS | 8 ++++++++
+ main/rfc1867.c | 9 +++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 281b52fe76..b53c9e28cb 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.31
++
++- Core:
++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
++ (CVE-2019-11048) (cmb)
++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
++ files are not cleaned). (CVE-2019-11048) (cmb)
++
+ Backported from 7.2.30
+
+ - Standard:
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 0ddf0ed8f0..fb3035072a 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
++static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC)
+ {
+- int len, max;
++ unsigned int len, max;
+ char *bound;
+
+ /* fill buffer if needed */
+@@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i
+ static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC)
+ {
+ char buf[FILLUNIT], *out=NULL;
+- int total_bytes=0, read_bytes=0;
++ unsigned int total_bytes=0, read_bytes=0;
+
+ while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
+ out = erealloc(out, total_bytes + read_bytes + 1);
+@@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ {
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++ unsigned int array_len = 0;
+ int64_t total_bytes = 0, max_file_size = 0;
+ int skip_upload = 0, anonindex = 0, is_anonymous;
+ zval *http_post_files = NULL;
diff --git a/php-bug78878.patch b/php-bug78878.patch
new file mode 100644
index 0000000..7d54bda
--- /dev/null
+++ b/php-bug78878.patch
@@ -0,0 +1,68 @@
+From e6614bec92634d91d2406bf9e997675b52971769 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 30 Nov 2019 12:26:37 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+
+(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
+---
+ NEWS | 6 ++++++
+ ext/bcmath/libbcmath/src/str2num.c | 4 ++--
+ ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug78878.phpt
+
+diff --git a/NEWS b/NEWS
+index 9d7b600cf0..5102c97629 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.26
++
++- Bcmath:
++ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
++ (cmb)
++
+ Backported from 7.1.33
+
+ - FPM:
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index c484c158e5..a5e7850160 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
++++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale TSRMLS_DC)
+ zero_int = FALSE;
+ if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
+ while (*ptr == '0') ptr++; /* Skip leading zeros. */
+- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
+ if (*ptr == '.') ptr++; /* decimal point */
+- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
+ if ((*ptr != '\0') || (digits+strscale == 0))
+ {
+ *num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #78878 (Buffer underflow in bc_shift_addsub)
++--SKIPIF--
++<?php
++if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
++?>
++--FILE--
++<?php
++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
++?>
++--EXPECT--
++bc math warning: non-zero scale in modulus
++0
diff --git a/php-bug78910.patch b/php-bug78910.patch
new file mode 100644
index 0000000..17ec51e
--- /dev/null
+++ b/php-bug78910.patch
@@ -0,0 +1,146 @@
+From b02ca1de8e0e5862df3c2c84358d2da624d39a1b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 00:10:39 -0800
+Subject: [PATCH] Fixed bug #78910
+
+(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7)
+---
+ NEWS | 2 ++
+ ext/exif/exif.c | 3 ++-
+ ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78910.phpt
+
+diff --git a/NEWS b/NEWS
+index dae019c976..ee2fe2830b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -16,6 +16,8 @@ Backported from 7.2.26
+ - EXIF:
+ . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
+ (CVE-2019-11050). (Nikita)
++ . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
++ (Nikita)
+
+ Backported from 7.1.33
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 6a3bb912c3..f64a14ed9c 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2759,7 +2759,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ continue;
+ if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
+ continue;
+- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
++ if (maker_note->id_string && value_len >= maker_note->id_string_len
++ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+ continue;
+ break;
+ }
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+new file mode 100644
+index 0000000000..f5b1c32c1b
+--- /dev/null
++++ b/ext/exif/tests/bug78910.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
++--FILE--
++<?php
++
++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
++
++?>
++--EXPECTF--
++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++
++Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++
++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++
++Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++bool(false)
+From 10c1c8cb32eb507e045414392b6f51d3512e6cb0 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 15:24:23 +0100
+Subject: [PATCH] Fix tests
+
+---
+ ext/bcmath/tests/bug78878.phpt | 3 +--
+ ext/exif/tests/bug76557.phpt | 2 +-
+ ext/exif/tests/bug78910.phpt | 8 ++++----
+ ext/spl/tests/bug54291.phpt | 2 +-
+ ext/spl/tests/bug78863.phpt | 2 +-
+ 5 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+index 2c9d72b946..3337270aad 100644
+--- a/ext/bcmath/tests/bug78878.phpt
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -9,5 +9,4 @@ if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+ print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+ ?>
+ --EXPECT--
+-bc math warning: non-zero scale in modulus
+-0
++0bc math warning: non-zero scale in modulus
+diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
+index 4553b62772..8920de658a 100644
+--- a/ext/exif/tests/bug76557.phpt
++++ b/ext/exif/tests/bug76557.phpt
+@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
+
+ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
++Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d
+
+ Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
+
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+index f5b1c32c1b..7e40b82389 100644
+--- a/ext/exif/tests/bug78910.phpt
++++ b/ext/exif/tests/bug78910.phpt
+@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA
+
+ ?>
+ --EXPECTF--
+-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++Notice: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+
+-Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+
+-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+
+-Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Invalid TIFF file in %s on line %d
+ bool(false)
+diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt
+index 9314b6b9ff..510963c688 100644
+--- a/ext/spl/tests/bug54291.phpt
++++ b/ext/spl/tests/bug54291.phpt
+@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
+ $dir = new DirectoryIterator("\x00/abc");
+ $dir->isFile();
+ --EXPECTF--
+-Fatal error: Uncaught exception 'UnexpectedValueException' with message 'Failed to open directory ""' in %s:%d
++Fatal error: Uncaught exception 'UnexpectedValueException' with message 'DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given' in %s:%d
+ Stack trace:
+ #0 %s(%d): DirectoryIterator->__construct('\x00/abc')
+ #1 {main}
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+index dc88d98dee..53a1110bc6 100644
+--- a/ext/spl/tests/bug78863.phpt
++++ b/ext/spl/tests/bug78863.phpt
+@@ -16,7 +16,7 @@ foreach ($it as $fileinfo) {
+ }
+ ?>
+ --EXPECTF--
+-Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Fatal error: Uncaught exception 'UnexpectedValueException' with message 'DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given' in %s:%d
+ Stack trace:
+ #0 %s(%d): DirectoryIterator->__construct('%s')
+ #1 {main}
diff --git a/php-bug79037.patch b/php-bug79037.patch
new file mode 100644
index 0000000..8da4b8d
--- /dev/null
+++ b/php-bug79037.patch
@@ -0,0 +1,93 @@
+From 31b5f3736519f3cb1af875f22f70423934a636d6 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jan 2020 21:42:44 -0800
+Subject: [PATCH] Fix bug #79037 (global buffer-overflow in
+ `mbfl_filt_conv_big5_wchar`)
+
+(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501)
+---
+ ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++-----
+ ext/mbstring/tests/bug79037.phpt | 10 ++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug79037.phpt
+
+diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+index 099f8e6af0..e04d81d220 100644
+--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c
++++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = {
+ {0xf70f,0xf848,0xc740,0xc8fe},
+ };
+
++static inline int is_in_cp950_pua(int c1, int c) {
++ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
++ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) {
++ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);
++ }
++ if (c1 == 0xc6) {
++ return c >= 0xa1 && c <= 0xfe;
++ }
++ return 0;
++}
++
+ /*
+ * Big5 => wchar
+ */
+@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter)
+
+ if (filter->from->no_encoding == mbfl_no_encoding_cp950) {
+ /* PUA for CP950 */
+- if (w <= 0 &&
+- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
+- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8))
+- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) ||
+- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) {
++ if (w <= 0 && is_in_cp950_pua(c1, c)) {
+ c2 = c1 << 8 | c;
+ for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) {
+ if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) {
+diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt
+new file mode 100644
+index 0000000000..94ff01a4a1
+--- /dev/null
++++ b/ext/mbstring/tests/bug79037.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar`
++--FILE--
++<?php
++
++var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950"));
++
++?>
++--EXPECT--
++string(1) "?"
+From f90b183c1ff88efc6e499811dc008a90f32989f0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 21 Jan 2020 10:12:44 +0100
+Subject: [PATCH] update NEWS
+
+---
+ NEWS | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index ee2fe2830b..c387fa8f86 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,15 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.27
++
++- Mbstring:
++ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`).
++ (CVE-2020-7060) (Nikita)
++
++- Standard:
++ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb)
++
+ Backported from 7.2.26
+
+ - Bcmath:
diff --git a/php-bug79082.patch b/php-bug79082.patch
new file mode 100644
index 0000000..6df2de1
--- /dev/null
+++ b/php-bug79082.patch
@@ -0,0 +1,154 @@
+From ed163ca242932e7f60467fb32ec00166f4318a40 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 22:17:14 -0800
+Subject: [PATCH 2/3] Fix bug #79082 - Files added to tar with
+ Phar::buildFromIterator have all-access permissions
+
+(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6)
+---
+ ext/phar/phar_object.c | 11 +++++
+ ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++
+ ext/phar/tests/test79082/test79082-testfile | 1 +
+ ext/phar/tests/test79082/test79082-testfile2 | 1 +
+ 4 files changed, 65 insertions(+)
+ create mode 100644 ext/phar/tests/bug79082.phpt
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile2
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index d69837218f..5722828c37 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -1427,6 +1427,7 @@ static int phar_build(zend_object_iterator *iter, void *puser TSRMLS_DC) /* {{{
+ zend_class_entry *ce = p_obj->c;
+ phar_archive_object *phar_obj = p_obj->p;
+ char *str = "[stream]";
++ php_stream_statbuf ssb;
+
+ iter->funcs->get_current_data(iter, &value TSRMLS_CC);
+
+@@ -1709,6 +1710,16 @@ after_open_fp:
+ php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
+ data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
+ php_stream_tell(p_obj->fp) - data->internal_file->offset;
++ if (php_stream_stat(fp, &ssb) != -1) {
++ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
++ } else {
++#ifndef _WIN32
++ mode_t mask;
++ mask = umask(0);
++ umask(mask);
++ data->internal_file->flags &= ~mask;
++#endif
++ }
+ }
+
+ if (close_fp) {
+diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
+new file mode 100644
+index 0000000000..ca453d1b57
+--- /dev/null
++++ b/ext/phar/tests/bug79082.phpt
+@@ -0,0 +1,52 @@
++--TEST--
++Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
++--SKIPIF--
++<?php
++if (!extension_loaded("phar")) die("skip");
++if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
++?>
++--FILE--
++<?php
++umask(022);
++var_dump(decoct(umask()));
++chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
++chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
++
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++ clearstatcache();
++ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
++ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
++ $phar->extractTo(__DIR__);
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++ unlink(__DIR__ . '/test79082-testfile');
++ unlink(__DIR__ . '/test79082-testfile2');
++}
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++ clearstatcache();
++ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
++ $phar->buildFromDirectory(__DIR__ . '/test79082');
++ $phar->extractTo(__DIR__);
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++ unlink(__DIR__ . '/test79082-testfile');
++ unlink(__DIR__ . '/test79082-testfile2');
++}
++?>
++--CLEAN--
++<?
++unlink(__DIR__ . '/test79082.tar');
++unlink(__DIR__ . '/test79082.zip');
++unlink(__DIR__ . '/test79082-d.tar');
++unlink(__DIR__ . '/test79082-d.zip');
++?>
++--EXPECT--
++string(2) "22"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
+diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile
+@@ -0,0 +1 @@
++test
+diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile2
+@@ -0,0 +1 @@
++test
+--
+2.24.1
+
+From dbac37b3ea68d8a0ba7e4e519e1386bbe8eff400 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 Feb 2020 06:36:07 +0100
+Subject: [PATCH 3/3] NEWS
+
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index c387fa8f86..22e714e837 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.28
++
++- Phar:
++ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
++ all-access permissions). (CVE-2020-7063) (stas)
++
++- Session:
++ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
++ (CVE-2020-7062) (stas)
++
+ Backported from 7.2.27
+
+ - Mbstring:
+--
+2.24.1
+
diff --git a/php-bug79099.patch b/php-bug79099.patch
new file mode 100644
index 0000000..4997c77
--- /dev/null
+++ b/php-bug79099.patch
@@ -0,0 +1,113 @@
+From 9db5a8f58dd26d547cf530beeb41155d97e700f0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jan 2020 21:33:17 -0800
+Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
+
+(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09)
+---
+ ext/standard/string.c | 6 ++---
+ ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/file/bug79099.phpt
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index 569452ca93..9b75adc3b7 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -4770,7 +4770,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
+ if (state == 4) {
+ /* Inside <!-- comment --> */
+ break;
+- } else if (state == 2 && *(p-1) != '\\') {
++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
+ if (lc == c) {
+ lc = '\0';
+ } else if (lc != '\\') {
+@@ -4797,7 +4797,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
+
+ case '!':
+ /* JavaScript & Other HTML scripting languages */
+- if (state == 1 && *(p-1) == '<') {
++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ state = 3;
+ lc = c;
+ } else {
+@@ -4824,7 +4824,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
+
+ case '?':
+
+- if (state == 1 && *(p-1) == '<') {
++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ br=0;
+ state=2;
+ break;
+diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
+new file mode 100644
+index 0000000000..7c842f4654
+--- /dev/null
++++ b/ext/standard/tests/file/bug79099.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #79099 (OOB read in php_strip_tags_ex)
++--FILE--
++<?php
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<?\n\"\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n!\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n?\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++?>
++--EXPECT--
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
+From 0ec0b030131845d8d84f79151727a1b13a78166c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 22 Jan 2020 22:36:53 -0800
+Subject: [PATCH] More checks for php_strip_tags_ex
+
+(cherry picked from commit 2dc170e25d86a725fefd4c08f2bd8378820b28f5)
+---
+ ext/standard/string.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index 9b75adc3b7..4687b20221 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -4720,7 +4720,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
+ switch (state) {
+ case 1: /* HTML/XML */
+ lc = '>';
+- if (is_xml && *(p -1) == '-') {
++ if (is_xml && p >= buf + 1 && *(p-1) == '-') {
+ break;
+ }
+ in_q = state = is_xml = 0;
+@@ -4741,7 +4741,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
+ break;
+
+ case 2: /* PHP */
+- if (!br && lc != '\"' && *(p-1) == '?') {
++ if (!br && lc != '\"' && p >= buf + 1 && *(p-1) == '?') {
+ in_q = state = 0;
+ tp = tbuf;
+ }
diff --git a/php-bug79221.patch b/php-bug79221.patch
new file mode 100644
index 0000000..5940baf
--- /dev/null
+++ b/php-bug79221.patch
@@ -0,0 +1,86 @@
+From a8b5510a30a5e8761e841c799a472c6f25560698 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 20:52:19 -0800
+Subject: [PATCH 1/3] Fix bug #79221 - Null Pointer Dereference in PHP Session
+ Upload Progress
+
+(cherry picked from commit d76f7c6c636b8240e06a1fa29eebb98ad005008a)
+---
+ ext/session/session.c | 8 +++---
+ ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 3 deletions(-)
+ create mode 100644 ext/session/tests/bug79221.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index b2d02361df..d759fcabbf 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -2820,9 +2820,11 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
+ if (PS(rfc1867_cleanup)) {
+ php_session_rfc1867_cleanup(progress TSRMLS_CC);
+ } else {
+- add_assoc_bool_ex(progress->data, "done", sizeof("done"), 1);
+- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+- php_session_rfc1867_update(progress, 1 TSRMLS_CC);
++ if (progress->data) {
++ add_assoc_bool_ex(progress->data, "done", sizeof("done"), 1);
++ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
++ php_session_rfc1867_update(progress, 1 TSRMLS_CC);
++ }
+ }
+ php_rshutdown_session_globals(TSRMLS_C);
+ }
+diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt
+new file mode 100644
+index 0000000000..b0972c4697
+--- /dev/null
++++ b/ext/session/tests/bug79221.phpt
+@@ -0,0 +1,45 @@
++--TEST--
++Null Pointer Dereference in PHP Session Upload Progress
++--INI--
++error_reporting=0
++file_uploads=1
++upload_max_filesize=1024
++session.save_path=
++session.name=PHPSESSID
++session.serialize_handler=php
++session.use_strict_mode=0
++session.use_cookies=1
++session.use_only_cookies=0
++session.upload_progress.enabled=1
++session.upload_progress.cleanup=0
++session.upload_progress.prefix=upload_progress_
++session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
++session.upload_progress.freq=1%
++session.upload_progress.min_freq=0.000000001
++--COOKIE--
++PHPSESSID=session-upload
++--POST_RAW--
++Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHPSESSID"
++
++session-upload
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
++
++ryat
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; file="file"; ryat="filename"
++
++1
++-----------------------------20896060251896012921717172737--
++--FILE--
++<?php
++
++session_start();
++var_dump($_SESSION);
++session_destroy();
++
++--EXPECTF--
++array(0) {
++}
+--
+2.24.1
+
diff --git a/php-bug79282.patch b/php-bug79282.patch
new file mode 100644
index 0000000..9441159
--- /dev/null
+++ b/php-bug79282.patch
@@ -0,0 +1,113 @@
+From 5ac3ebcd4f9509d1a7e54f30117227822fbc0648 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:26:00 -0700
+Subject: [PATCH] Fixed bug #79282
+
+(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216)
+(cherry picked from commit 8577fa5891220dac40d42b2f745fa159dcd871ad)
+(cherry picked from commit 59119490c9e2359ea720928b2e71b68e5c20f195)
+---
+ ext/exif/exif.c | 7 ++++++-
+ ext/exif/tests/bug79282.phpt | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug79282.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f64a14ed9c..bf2fd61cd1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3253,6 +3253,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
+ {
+ unsigned exif_value_2a, offset_of_ifd;
+
++ if (length < 2) {
++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
++ return;
++ }
++
+ /* set the thumbnail stuff to nothing so we can test to see if they get set up */
+ if (memcmp(CharBuf, "II", 2) == 0) {
+ ImageInfo->motorola_intel = 0;
+@@ -3405,7 +3410,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
+ return FALSE;
+ }
+
+- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
+ Data = ImageInfo->file.list[sn].data;
+
+ /* Store first two pre-read bytes. */
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+new file mode 100644
+index 0000000000..7b7e365657
+--- /dev/null
++++ b/ext/exif/tests/bug79282.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #79282: Use-of-uninitialized-value in exif
++--FILE--
++<?php
++
++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
++
++?>
++--EXPECTF--
++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++
++Warning: exif_read_data(): File structure corrupted in %s on line %d
++
++Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++bool(false)
+From 90ca028814e7ba32e58b55f0b4db306f1809af3d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:55:28 -0700
+Subject: [PATCH] Fix test
+
+(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be)
+(cherry picked from commit ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c)
+(cherry picked from commit c1d08859cdac23aeff99953797231f6824d045c5)
+---
+ ext/exif/tests/bug79282.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index 7b7e365657..df91127c9c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
+
+ Warning: exif_read_data(): File structure corrupted in %s on line %d
+
+From 4a281e20969e209bfdd2c88560ce5f57806d0b31 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:23:32 +0100
+Subject: [PATCH] fix test
+
+(cherry picked from commit b42b6d0ff774fdced1155cb0c721d91914d619f5)
+(cherry picked from commit 51cc7a6225bbf1f7dfe0ffeb318fb0ff098780f9)
+---
+ ext/exif/tests/bug79282.phpt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index df91127c9c..142cf28a6c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d
+
+-Warning: exif_read_data(): File structure corrupted in %s on line %d
++Warning: exif_read_data(%s): File structure corrupted in %s on line %d
+
+-Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d
+ bool(false)
diff --git a/php-bug79329.patch b/php-bug79329.patch
new file mode 100644
index 0000000..a8bf790
--- /dev/null
+++ b/php-bug79329.patch
@@ -0,0 +1,59 @@
+From c3582855b88cfde8e69734da738803b54c2c2e26 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:25:12 +0100
+Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0
+
+From 0d139c5b94a5f485a66901919e51faddb0371c43
+
+(cherry picked from commit b7b9302660a23a67285e204bc3d7fcf6ba7f6533)
+(cherry picked from commit b9a1e6bfd762d2bf7fa3c5bbcfbb6dcdfdfa982c)
+---
+ ext/standard/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 6ecace53e5..d6e71fa487 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -675,7 +675,7 @@ PHP_FUNCTION(get_headers)
+ HashTable *hashT;
+ long format = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &url, &url_len, &format) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &url, &url_len, &format) == FAILURE) {
+ return;
+ }
+ context = FG(default_context) ? FG(default_context) : (FG(default_context) = php_stream_context_alloc(TSRMLS_C));
+From f94716859dfa52416754faa226d1bd642373f117 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 19:35:26 -0700
+Subject: [PATCH] [ci skip] Update NEWS
+
+(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5)
+(cherry picked from commit 03471e31c9b467d1d8d944e44fa009ef247e81bd)
+(cherry picked from commit 4844343ac37e8e3ca4d995b1d91fc0f9daf03d5f)
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 22e714e837..5085d35e9a 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.29
++
++- Core:
++ . Fixed bug #79329 (get_headers() silently truncates after a null byte)
++ (CVE-2020-7066) (cmb)
++
++- EXIF:
++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064)
++ (Nikita)
++
+ Backported from 7.2.28
+
+ - Phar:
diff --git a/php-bug79330.patch b/php-bug79330.patch
new file mode 100644
index 0000000..2c112ef
--- /dev/null
+++ b/php-bug79330.patch
@@ -0,0 +1,58 @@
+From 258ad37fe3f91cf862c2870d18d53e5cdb3b3752 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:00:44 -0700
+Subject: [PATCH] Fix bug #79330 - make all execution modes consistent in
+ rejecting \0
+
+(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62)
+---
+ ext/standard/exec.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ext/standard/exec.c b/ext/standard/exec.c
+index 88a6b4ab79..a586b786ee 100644
+--- a/ext/standard/exec.c
++++ b/ext/standard/exec.c
+@@ -537,6 +537,15 @@ PHP_FUNCTION(shell_exec)
+ return;
+ }
+
++ if (!command_len) {
++ php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
++ RETURN_FALSE;
++ }
++ if (strlen(command) != command_len) {
++ php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
++ RETURN_FALSE;
++ }
++
+ #ifdef PHP_WIN32
+ if ((in=VCWD_POPEN(command, "rt"))==NULL) {
+ #else
+From 6117c162636bfd7e981f7531dc4d48e358e62be4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:15:07 +0200
+Subject: [PATCH] ZTS
+
+---
+ ext/standard/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/exec.c b/ext/standard/exec.c
+index a586b786ee..40eca2b2c6 100644
+--- a/ext/standard/exec.c
++++ b/ext/standard/exec.c
+@@ -538,11 +538,11 @@ PHP_FUNCTION(shell_exec)
+ }
+
+ if (!command_len) {
+- php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command");
+ RETURN_FALSE;
+ }
+ if (strlen(command) != command_len) {
+- php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "NULL byte detected. Possible attack");
+ RETURN_FALSE;
+ }
+
diff --git a/php-bug79465.patch b/php-bug79465.patch
new file mode 100644
index 0000000..6bdf194
--- /dev/null
+++ b/php-bug79465.patch
@@ -0,0 +1,59 @@
+From 26770fed5530c46a68653e868be0a266c42c33e8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:07:04 -0700
+Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes.
+
+(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be)
+---
+ ext/standard/url.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index d6e71fa487..0278bd47e8 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -545,7 +545,7 @@ PHPAPI int php_url_decode(char *str, int len)
+ #ifndef CHARSET_EBCDIC
+ *dest = (char) php_htoi(data + 1);
+ #else
+- *dest = os_toebcdic[(char) php_htoi(data + 1)];
++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ data += 2;
+ len -= 2;
+@@ -647,7 +647,7 @@ PHPAPI int php_raw_url_decode(char *str, int len)
+ #ifndef CHARSET_EBCDIC
+ *dest = (char) php_htoi(data + 1);
+ #else
+- *dest = os_toebcdic[(char) php_htoi(data + 1)];
++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ data += 2;
+ len -= 2;
+From c1f77159cfd61479bc22cf41d7964673c31b222a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:02:28 +0200
+Subject: [PATCH] NEWS
+
+(cherry picked from commit bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5085d35e9a..281b52fe76 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.30
++
++- Standard:
++ . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas)
++ . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas)
++
+ Backported from 7.2.29
+
+ - Core:
diff --git a/php-bug79797.patch b/php-bug79797.patch
new file mode 100644
index 0000000..f29d1cf
--- /dev/null
+++ b/php-bug79797.patch
@@ -0,0 +1,52 @@
+Partial, without binary part
+
+
+
+From d7980cd5ef5862d9a01a0f34ee44bec07be88096 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 14 Jul 2020 17:04:24 +0200
+Subject: [PATCH] Fix #79797: Use of freed hash key in the phar_parse_zipfile
+ function
+
+We must not use heap memory after we freed it.
+
+(cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187)
+---
+ NEWS | 6 ++++++
+ ext/phar/tests/bug79797.phar | Bin 0 -> 274 bytes
+ ext/phar/tests/bug79797.phpt | 14 ++++++++++++++
+ ext/phar/zip.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug79797.phar
+ create mode 100644 ext/phar/tests/bug79797.phpt
+
+diff --git a/NEWS b/NEWS
+index b53c9e28cb..501283aabe 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.33
++
++- Phar:
++ . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
++ function). (CVE-2020-7068) (cmb)
++
+ Backported from 7.2.31
+
+ - Core:
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index ed156a2d00..3ab02ab35a 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -682,7 +682,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ efree(actual_alias);
+ }
+
+- zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), actual_alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);
++ zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), mydata->alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);
+ } else {
+ phar_archive_data **fd_ptr;
+
diff --git a/php-bug79877.patch b/php-bug79877.patch
new file mode 100644
index 0000000..d10daa6
--- /dev/null
+++ b/php-bug79877.patch
@@ -0,0 +1,84 @@
+From 5389b1e6bb048369715aba73473625d760a39e89 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 21 Jul 2020 11:07:43 +0200
+Subject: [PATCH] Fix #79877: getimagesize function silently truncates after a
+ null byte
+
+We have to check for NUL bytes if `getimagesize()` has been called.
+
+(cherry picked from commit ff577b04c0d250473a0ef46f8e332960fec3ca2c)
+---
+ NEWS | 4 ++++
+ ext/standard/image.c | 5 +++++
+ ext/standard/tests/image/bug79877.phpt | 9 +++++++++
+ 3 files changed, 18 insertions(+)
+ create mode 100644 ext/standard/tests/image/bug79877.phpt
+
+diff --git a/NEWS b/NEWS
+index 501283aabe..cf34011622 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP NEWS
+
+ Backported from 7.2.33
+
++- Core:
++ . Fixed bug #79877 (getimagesize function silently truncates after a null
++ byte) (cmb)
++
+ - Phar:
+ . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
+ function). (CVE-2020-7068) (cmb)
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index d58d543abd..f663e7c0c2 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -1398,6 +1398,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
+ return;
+ }
+
++ if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
++ php_error_docref(NULL, E_WARNING, "Invalid path");
++ return;
++ }
++
+ if (argc == 2) {
+ zval_dtor(*info);
+ array_init(*info);
+diff --git a/ext/standard/tests/image/bug79877.phpt b/ext/standard/tests/image/bug79877.phpt
+new file mode 100644
+index 0000000000..92e93e59e5
+--- /dev/null
++++ b/ext/standard/tests/image/bug79877.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #79877 (getimagesize function silently truncates after a null byte)
++--FILE--
++<?php
++var_dump(getimagesize("/tmp/a.png\0xx"));
++?>
++--EXPECTF--
++Warning: getimagesize(): Invalid path in %s on line %d
++NULL
+From bcec8f78b57189a654524b737562d1da235c6553 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 4 Aug 2020 07:40:22 +0200
+Subject: [PATCH] ZTS fix
+
+---
+ ext/standard/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index f663e7c0c2..db64b3a48e 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -1399,7 +1399,7 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
+ }
+
+ if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
+- php_error_docref(NULL, E_WARNING, "Invalid path");
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+ return;
+ }
+
diff --git a/php-openssl-cert.patch b/php-openssl-cert.patch
new file mode 100644
index 0000000..e373c6c
--- /dev/null
+++ b/php-openssl-cert.patch
@@ -0,0 +1,147 @@
+Without binary patch
+
+
+From a5c09a204ec5716095f4cdfe1041563e7a8454f9 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 Feb 2020 09:57:50 +0100
+Subject: [PATCH] renew certs for openssl tests
+
+---
+ ext/openssl/tests/bug54992-ca.pem | 54 +++++++++---------
+ ext/openssl/tests/bug54992.pem | 28 ++++-----
+ ext/openssl/tests/bug65538.phar | Bin 11278 -> 11278 bytes
+ .../tests/openssl_peer_fingerprint_basic.phpt | 4 +-
+ 4 files changed, 43 insertions(+), 43 deletions(-)
+
+diff --git a/ext/openssl/tests/bug54992-ca.pem b/ext/openssl/tests/bug54992-ca.pem
+index 743a11e8fd..dd075405a7 100644
+--- a/ext/openssl/tests/bug54992-ca.pem
++++ b/ext/openssl/tests/bug54992-ca.pem
+@@ -1,35 +1,35 @@
+ -----BEGIN CERTIFICATE-----
+-MIIGAzCCA+ugAwIBAgIUZ7ZvvfVqSEf1EswMT9LfMIPc/U8wDQYJKoZIhvcNAQEL
++MIIGAzCCA+ugAwIBAgIUYS9Vq4aNK1hL5reofVRkM3ioENEwDQYJKoZIhvcNAQEL
+ BQAwgZAxCzAJBgNVBAYTAlBUMQ8wDQYDVQQIDAZMaXNib2ExDzANBgNVBAcMBkxp
+ c2JvYTEXMBUGA1UECgwOUEhQIEZvdW5kYXRpb24xHjAcBgNVBAMMFVJvb3QgQ0Eg
+ Zm9yIFBIUCBUZXN0czEmMCQGCSqGSIb3DQEJARYXaW50ZXJuYWxzQGxpc3RzLnBo
+-cC5uZXQwHhcNMTgxMjMxMDg0NDU3WhcNMjAwMjA0MDg0NDU3WjCBkDELMAkGA1UE
++cC5uZXQwHhcNMjAwMjE4MDg1NTQ5WhcNMjEwMzI0MDg1NTQ5WjCBkDELMAkGA1UE
+ BhMCUFQxDzANBgNVBAgMBkxpc2JvYTEPMA0GA1UEBwwGTGlzYm9hMRcwFQYDVQQK
+ DA5QSFAgRm91bmRhdGlvbjEeMBwGA1UEAwwVUm9vdCBDQSBmb3IgUEhQIFRlc3Rz
+ MSYwJAYJKoZIhvcNAQkBFhdpbnRlcm5hbHNAbGlzdHMucGhwLm5ldDCCAiIwDQYJ
+-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAPVThsunmhda5hbNi+pXD3WF9ijryB9H
+-JDnIbPW/vMffWcQgtiRzc+6aCykBygnhnN91NNRpxOsoLCb7OjUMM0TjhSE9DxKD
+-aVLRoDcs5VSaddQjq3AwdkU6ek9InUOeDuZ8gatrpWlEyuQPwwnMAfR9NkcTajuF
+-hGO0BlqkHg98GckQD0N5x6CrrDJt6RE6hf9gUZSGSWdPTiETBQUN8LTuxo/ybFSN
+-hcpVNCF+r3eozATbSU8YvQU52RmPIZWHHmYb7KtMO3TEX4LnLJUOefUK4qk+ZJ0s
+-f4JfnY7RhBlZGh2kIyE5jwqz8/KzKtxrutNaupdTFZO8nX09QSgmDCxVWVclrPaG
+-q2ZFYpeauTy71pTm8DjF7PwQI/+PUrBdFIX0V6uxqUEG0pvPdb8zenVbaK4Jh39u
+-w0V5tH/rbtd7zZX4vl3bmKo1Wk0SQxd83iXitxLiJnWNOsmrJcM/Hx91kE10+/ly
+-zgL/w5A9HSA616kfPdNzny0laH1TXVLJsnyyV3DyfnU4O6VI0JG3WjhgRdMkgobn
+-GvGJ2ZsZAxds9lBtT2y+gw5BU+jkSilPk3jM9MA7Kmyci93U9xxMuDNzyUzfcnXR
+-UIq99dZWeMMy1LT3buZXrAWu1WRgPdQtDKcQHDIQaIkxlWsT8q2q/wIirb6fwxlw
+-vXkFp+aEP35BAgMBAAGjUzBRMB0GA1UdDgQWBBR37F1+W1gcCp8bhZaFFi9JKQhu
+-tTAfBgNVHSMEGDAWgBR37F1+W1gcCp8bhZaFFi9JKQhutTAPBgNVHRMBAf8EBTAD
+-AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAYHqpISUI/x8UW33i35rYkFYNvXBMQDc8J
+-v4G2eqEBNCOVmHg6P//lq1F2jrtAEr/saESN1uS1Q80sUsthlVsceV1z1isdpugG
+-kMbfHxLe0QpthnP3PEChQw30TPB22BThuGVkteNSZKTCPGdzjSTPq2kOR6PCBZRd
+-r0r/TW3lT/Ng3KgjT6g7E3ZUpAeFEQMlmNYr/eEOL7K+1jzQrbCLmXbs6rmtffr7
+-n4p+wMPMPaSRqQoQ86ff9GPzxWuAQGlytVoiS5Xt3jotd/RWlOy0YQ2QSzOQvFUW
+-4te5lwdOvOFnJTo43U3DqASqMcaazvIsN41zVlOyOyKEr9oZERju6FU1aZmuZtHQ
+-wMCmXVj/Swj67Zp9tG+vVQenbEk314+8c2nenuOIFP1F2C/NG3vMLIpENRGxpmAm
+-s5gIT6mXvJ4JCwWYc75zucOr2KVkDmEziJh/pARuOrOAPdc6NjKku8HBC9UI96+x
+-Db4hG2SqXUzShkFX/px7vlCADvgO3FDk2aiyW02PFsItob2O6OB98VGsU26hgRO/
+-Czz/jbjWTPHNOt6/fcL0m7XLwlJ+K9gRArY15DeJGumcHEq/Vd/Z8iPQKKdzgF4O
+-9XFZvu+VHP82AS5TeiYHCddFJyzktQYcNu5/OBuxzO83d7rpqrLFETTEOL4cN8O7
+-LJ7Q89hYAQ==
++KoZIhvcNAQEBBQADggIPADCCAgoCggIBALlJlfDasmObBQiQSsyDVRu0uwVmFFZ7
++fqFVHUMeKpWv0Y3dH5FtpBoMOh41XYI7E1Ex9UTNIYsRedESzEm1DIBsKHHODRsj
++gJVH3jxAEmDPaNQJ0x4zlNmmd7Zz74lo/eJ+oc2rLiJd3NVKCXEWtu2mO5FN/x3Z
++vG+QXkT04tGvwLn4oAdiU4zlf0ttO5xY5GjUXhT6XfZyveceLb4QFowtCTmS1IFf
++eUoybHvjCYyNm9m1B/x297VV73rDvWx7+ptkwG46L5UeG/lrLhnStzM1dxSlENUL
++OGmjFfk00jrRnftat8x31lAa0cFYXudkHpMLxFHprRgsQL+1URjl0nyVT2MLmcit
++kfIMXjRaScJsj+KgW1pymVlIO2qf16Wk4wLubW8/AkSmmSv9ilJeppn7Qh/OuZyj
++epsFX19VdERg42yI0/QIs4cgCvgddlnGuJBDGU5BVFPDYc2BevRvd/x48bDFHJ4w
++dhNrMa9jGDSc8niZ/spK4lE6d7JqFUHuQa2jL8PG5+NcYaftJQAlJt25ze1Km7QO
++pJgRNdEqOp8hcJmfgYbQxGb6s74nMTp+iKOjMLNf1n37QxTPYfKTWP4xnKiva9aA
++jGUMADNgtlFSZt5JaTnEk9m33Nh4FN/siX01+rX4FQ2csIIAQ42Xu/+PRUUYHqXe
++/xGgOhZE9YgZAgMBAAGjUzBRMB0GA1UdDgQWBBSr92+pGtY4Fc5beZWCSzf5FGf9
++mTAfBgNVHSMEGDAWgBSr92+pGtY4Fc5beZWCSzf5FGf9mTAPBgNVHRMBAf8EBTAD
++AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCwHTpBGbcnCZc+Y0DLN1mxPOKgcrIHUDQt
++kFaRt901sK9fxhjeOmtcMOxDsVg23BKZ7A+sGkRDa0pxtwqZzrk4r96htJB0mV2y
++zskRjDg8UEjgm2BFFc1ikqHOcidJ0WG6/LSpzR9w6QhAtMpbWLrfS0yIfr9MKywS
++7rOt82USg9Ca8qQxosIUkkatugVjJIjaBbVSREHtaRyDjGqVvB8P6EwESB2Ymltm
+++S6LDv0b6NNQyeOLp2fp8JcJmQh5liqcIp0yDVJI8oEppHHkFcROmq/w0cm0Ct/C
++XW+Us2nW5/tVdhm0X2HHN8IItmZEDdM2+AVDoYyKKy13twnClc/0imYoK0I+ARUv
++mF85OmJhODaYhsU8gXwTfnghI4b9Hg++jSRl+jwrvaxwBI+tDGrRCvWCr1T/xVrg
++G8w3MmtIY9MaEyiutK24TeYuR3bMlJqHaQaufm9YTT5vp5MjumUpC4FPM+2JQa1y
++wdAUWyBqHhJF5X4AdVFxcAOHqah1hoky9sUARYd50z85/PhgKH/P2zO5F37NwYSR
++n+DIZDP4AKZ6QEPL8QlteT0EPacZSucwNheSboHFJmT39gGntxSw1hdNcwQ5yaa6
++QMhMfo/w9/i2Yg55RBd5RZCWPb2IlA5RC3qbjPNMC8XrEvhSHOcWTXsfccYgXGeO
++XHgucRqlJg==
+ -----END CERTIFICATE-----
+diff --git a/ext/openssl/tests/bug54992.pem b/ext/openssl/tests/bug54992.pem
+index f207c30448..148d06deea 100644
+--- a/ext/openssl/tests/bug54992.pem
++++ b/ext/openssl/tests/bug54992.pem
+@@ -1,26 +1,26 @@
+ -----BEGIN CERTIFICATE-----
+-MIID7jCCAdYCFDw0rvm7q8y5HfispK5A2I2+RBqHMA0GCSqGSIb3DQEBCwUAMIGQ
++MIID7jCCAdYCFEG0vY25vkfkH6Jllbh6eAIsffxMMA0GCSqGSIb3DQEBCwUAMIGQ
+ MQswCQYDVQQGEwJQVDEPMA0GA1UECAwGTGlzYm9hMQ8wDQYDVQQHDAZMaXNib2Ex
+ FzAVBgNVBAoMDlBIUCBGb3VuZGF0aW9uMR4wHAYDVQQDDBVSb290IENBIGZvciBQ
+ SFAgVGVzdHMxJjAkBgkqhkiG9w0BCQEWF2ludGVybmFsc0BsaXN0cy5waHAubmV0
+-MB4XDTE4MTIzMTA4NDY0M1oXDTIwMDIwNDA4NDY0M1owWjEXMBUGA1UEAxMOYnVn
++MB4XDTIwMDIxODA4NTYwMVoXDTIxMDMyNDA4NTYwMVowWjEXMBUGA1UEAxMOYnVn
+ NTQ5OTIubG9jYWwxCzAJBgNVBAYTAlBUMQ8wDQYDVQQHEwZMaXNib2ExDzANBgNV
+ BAgTBkxpc2JvYTEQMA4GA1UEChMHcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOB
+ jQAwgYkCgYEAtUAVQKTgpUPgtFOJ3w3kDJETS45tWeT96kUg1NeYLKW+jNbFhxPo
+ PJv7XhfemCaqh2tbq1cdYW906Wp1L+eNQvdTYA2IQG4EQBUlmfyIakOIMsN/RizV
+ kF09vlNQwTpaMpqTv7wB8vvwbxb9jbC2ZhQUBEg6PIn18dSstbM9FZ0CAwEAATAN
+-BgkqhkiG9w0BAQsFAAOCAgEAKtSMguV5ZQ2KpdZ9MAFa+GiHL0APb58OrvwNK4BF
+-6032UZLOWnsBZlo85WGLNnIT/GNzKKr7n9jHeuZcBVOFQLsebahSlfJZs9FPatlI
+-9Md1tRzVoTKohjG86HeFhhL+gZQ69SdIcK40wpH1qNv7KyMGA8gnx6rRKbOxZqsx
+-pkA/wS7CTqP9/DeOxh/MZPg7N/GZXW1QOz+SE537E9iyiRsbldNYFtwn5iaVfjpr
+-xz09wYYW3HJpR+QKPCfJ79JxDhuMHMoUOpIy8vGFnt5zVTcFLa378Sy3vCT1Qwvt
+-tTavFGHby4A7OqT6xu+9GTW37OaiV91UelLLV0+MoR4XiMVMX76mvqzmKCp6L9ae
+-7RYHrrCtNxkYUKUSkOEc2VHnT+sENkJIZu7zzN7/QNlc0yE9Rtsmgy4QAxo2m9u0
+-pUZLAulZ1lS7g/sr7/8Pp17RDvJiJh+oAPyVYZ7OoLF1IoHDHcZI0bqcqhDhiHZs
+-PXYqyMCxyYzHFOAOgvbrEkmp8z/E8ATVwdUbAYN1dMrYHre1P4HFEtJh2QiGG2KE
+-4jheuNhH1R25AizbwYbD33Kdp7ltCgBlfYqjl771SlgY45QYs0mUdc1Pv39SGIwf
+-ZUm7mOWjaTBdYANrkvGM5NNT9kESjKkWykyTg4UF5rHV6nlyexR4b3fjabroi4BS
+-v6w=
++BgkqhkiG9w0BAQsFAAOCAgEAmcDl/X+0murSKko+Arl6RFfOB+fpuGeKtS9UAZcH
++w/v7kCvBeRTKs+/BAWbdu3MPXFw4dqvHn+2De/7Fx5yN/KznZnn/aFkGaBWcevQC
++qdGxf9/4SoB+x0fGDuEuZZ/TGiT4V0l7xhx9HBsud5HYt9vFnJDEgSoxlOFDoR13
++6Jefe5kOnHX0dvPuJuZcXquV+5llTYp6clUQkcA8NOuegFEOoM/J5GAYfgHeRtrB
++vjbpIKgIixBUbOwPsrmb3btitPFDT7a1FWNtHmOb1Ij6r+ga6J60Iefr1AfMwnd5
++D6W3E4ztEL9N4RK+uBz5zRk1usFEHw+TaCA4x9xVUXdY8r6ei1xnO9nwA9C1062F
++EVy/HpyxZlrdzFsLWHEWyOnshCdozU14dlkNgc9LImKsMJ+T18GkrF5KtN6NB4tc
++8Zeo7usEWHkwlacKGOr0V3gflU6EfPkQHEsSBSvbzuJ2pej17mqVqdzaRsGliRsC
++P/2cEcxtmoig7rTrS0sBVXLgqxpwBNLEfOKkWVAzBpR86gfGNnJbt3GMPLxma2oP
++tfTUMW4OuUR2GsszDwMmkmNhc7EduJyhcu3BwHChmIW/kbbz32aAFTQnDGO/Dj0G
++f/cROxREv3wCOMZsk56JezZ4F1nWZYcQ2m6xrzyN6DBzc13dQ3Wq9lTJ2vZM8i5E
++jp0=
+ -----END CERTIFICATE-----
+ -----BEGIN RSA PRIVATE KEY-----
+ MIICXgIBAAKBgQC1QBVApOClQ+C0U4nfDeQMkRNLjm1Z5P3qRSDU15gspb6M1sWH
+diff --git a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
+index 3bca7cb640..015c2918d2 100644
+--- a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
++++ b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
+@@ -36,13 +36,13 @@ $clientCode = <<<'CODE'
+ // openssl x509 -noout -fingerprint -md5 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
+ // Currently it's 4edbbaf40a6a4b6af22b6d6d9818378f
+ // One below is intentionally broken (compare the last character):
+- stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '4edbbaf40a6a4b6af22b6d6d98183780');
++ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '8054dab6e0412bdd8190226fd213d190');
+ var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
+
+ // Run the following to get actual sha256 (from sources root):
+ // openssl x509 -noout -fingerprint -sha256 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
+ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [
+- 'sha256' => 'b1d480a2f83594fa243d26378cf611f334d369e59558d87e3de1abe8f36cb997',
++ 'sha256' => '06941b4f4f00523f6c81b69ad4424b3506320285a8b1bd084c112435a12ff487',
+ ]);
+ var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
+ CODE;
diff --git a/php.spec b/php.spec
index 38285a0..c42059f 100644
--- a/php.spec
+++ b/php.spec
@@ -30,7 +30,7 @@
%global oci8ver 2.0.12
# Use for first build of PHP (before pecl/zip and pecl/jsonc)
-%global php_bootstrap 0
+%bcond_with bootstrap
# Adds -z now to the linker flags
%global _hardened_build 1
@@ -60,10 +60,19 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
%if 0%{?rhel} == 6
+%ifarch x86_64
+%global oraclever 18.5
+%else
%global oraclever 18.3
+%endif
%global oraclelib 18.1
+
+%else
+%ifarch x86_64
+%global oraclever 19.8
%else
-%global oraclever 19.3
+%global oraclever 19.6
+%endif
%global oraclelib 19.1
%endif
@@ -71,7 +80,7 @@
%global with_lsws 1
# Regression tests take a long time, you can skip 'em with this
-%if %{php_bootstrap}
+%if %{with bootstrap}
%global runselftest 0
%else
%{!?runselftest: %global runselftest 1}
@@ -142,7 +151,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 14%{?dist}
+Release: 22%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -180,6 +189,7 @@ Patch7: php-5.3.0-recode.patch
Patch8: php-5.6.17-libdb.patch
Patch9: php-5.5.30-curl.patch
Patch10: php-5.6.37-icu62.patch
+Patch11: php-5.6.40-gcc10.patch
# Functional changes
Patch40: php-5.4.0-dlopen.patch
@@ -223,6 +233,22 @@ Patch224: php-bug77919.patch
Patch225: php-bug75457.patch
Patch226: php-bug78380.patch
Patch227: php-bug78599.patch
+Patch228: php-bug78878.patch
+Patch229: php-bug78862.patch
+Patch230: php-bug78863.patch
+Patch231: php-bug78793.patch
+Patch232: php-bug78910.patch
+Patch233: php-bug79099.patch
+Patch234: php-bug79037.patch
+Patch236: php-bug79221.patch
+Patch237: php-bug79082.patch
+Patch238: php-bug79282.patch
+Patch239: php-bug79329.patch
+Patch240: php-bug79330.patch
+Patch241: php-bug79465.patch
+Patch242: php-bug78875.patch
+Patch243: php-bug79797.patch
+Patch244: php-bug79877.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -230,6 +256,8 @@ Patch227: php-bug78599.patch
Patch300: php-5.6.30-datetests.patch
# Revert changes for pcre < 8.34
Patch301: php-5.6.0-oldpcre.patch
+# Renew openssl certs
+Patch302: php-openssl-cert.patch
# WIP
@@ -419,13 +447,13 @@ Provides: %{?scl_prefix}php-sockets, %{?scl_prefix}php-sockets%{?_isa}
Provides: %{?scl_prefix}php-spl, %{?scl_prefix}php-spl%{?_isa}
Provides: %{?scl_prefix}php-standard = %{version}, %{?scl_prefix}php-standard%{?_isa} = %{version}
Provides: %{?scl_prefix}php-tokenizer, %{?scl_prefix}php-tokenizer%{?_isa}
-%if ! %{php_bootstrap}
+%if %{without bootstrap}
Requires: %{?scl_prefix}php-pecl-jsonc%{?_isa}
%endif
%if %{with_zip}
Provides: %{?scl_prefix}php-zip, %{?scl_prefix}php-zip%{?_isa}
%else
-%if ! %{php_bootstrap}
+%if %{without bootstrap}
Requires: %{?scl_prefix}php-pecl-zip%{?_isa}
%endif
%endif
@@ -455,7 +483,7 @@ Requires: openssl-devel%{?_isa}
Requires: pcre-devel%{?_isa} >= 8.20
%endif
Requires: zlib-devel%{?_isa}
-%if ! %{php_bootstrap}
+%if %{without bootstrap}
Requires: %{?scl_prefix}php-pecl-jsonc-devel%{?_isa}
%endif
@@ -912,6 +940,9 @@ support for using the enchant library to PHP.
%prep
+%if %{with bootstrap}
+: BOOTSTRAP BUILD
+%endif
: Building %{name}-%{version}-%{release} with systemd=%{with_systemd} imap=%{with_imap} interbase=%{with_interbase} mcrypt=%{with_mcrypt} freetds=%{with_freetds} sqlite3=%{with_sqlite3} tidy=%{with_tidy} zip=%{with_zip}
%setup -q -n php-%{version}%{?rcver}
@@ -928,9 +959,10 @@ support for using the enchant library to PHP.
%if 0%{?rhel}
%patch9 -p1 -b .curltls
%endif
-%if 0%{?fedora} >= 29 || 0%{?rhel} >= 8
+%if 0%{?fedora} >= 29 || 0%{?rhel} >= 7
%patch10 -p1 -b .icu62
%endif
+%patch11 -p1 -b .gcc10
%patch40 -p1 -b .dlopen
%patch41 -p1 -b .dtrace
@@ -972,6 +1004,22 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch225 -p1 -b .bug75457
%patch226 -p1 -b .bug78380
%patch227 -p1 -b .bug78599
+%patch228 -p1 -b .bug78878
+%patch229 -p1 -b .bug78862
+%patch230 -p1 -b .bug78863
+%patch231 -p1 -b .bug78793
+%patch232 -p1 -b .bug78910
+%patch233 -p1 -b .bug79099
+%patch234 -p1 -b .bug79037
+%patch236 -p1 -b .bug79221
+%patch237 -p1 -b .bug79082
+%patch238 -p1 -b .bug79282
+%patch239 -p1 -b .bug79329
+%patch240 -p1 -b .bug79330
+%patch241 -p1 -b .bug79465
+%patch242 -p1 -b .bug78875
+%patch243 -p1 -b .bug79797
+%patch244 -p1 -b .bug79877
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -981,6 +1029,9 @@ if ! pkg-config libpcre --atleast-version 8.34 ; then
%patch301 -p1 -b .pcre834
fi
%endif
+# New openssl certs
+%patch302 -p1 -b .renewcert
+rm ext/openssl/tests/bug65538_003.phpt
# WIP patch
@@ -1112,6 +1163,12 @@ sed -e 's:%{_root_sysconfdir}:%{_sysconfdir}:' \
%build
+# This package fails to build with LTO due to undefined symbols. LTO
+# was disabled in OpenSuSE as well, but with no real explanation why
+# beyond the undefined symbols. It really shold be investigated further.
+# Disable LTO
+%define _lto_cflags %{nil}
+
# aclocal workaround - to be improved
cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4
@@ -1350,6 +1407,7 @@ cd build-apache
# Run tests, using the CLI SAPI
export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2
export SKIP_ONLINE_TESTS=1
+export SKIP_SLOW_TESTS=1
unset TZ LANG LC_ALL
if ! make test; then
set +x
@@ -1735,13 +1793,9 @@ cat << EOF
WARNING : PHP 5.6 have reached its "End of Life" in
January 2019. Even, if this package includes some of
- the important security fix, backported from 7.1, the
+ the important security fix, backported from 7.2, the
UPGRADE to a maintained version is very strongly RECOMMENDED.
-%if %{?fedora}%{!?fedora:99} < 28
- WARNING : Fedora %{fedora} is now EOL :
- You should consider upgrading to a supported release
-%endif
=====================================================================
EOF
@@ -1917,6 +1971,70 @@ EOF
%changelog
+* Tue Aug 4 2020 Remi Collet <remi@remirepo.net> - 5.6.40-22
+- Core:
+ Fix #79877 getimagesize function silently truncates after a null byte
+- Phar:
+ Fix #79797 use of freed hash key in the phar_parse_zipfile function
+ CVE-2020-7068
+
+* Wed May 13 2020 Remi Collet <remi@remirepo.net> - 5.6.40-21
+- Core:
+ Fix #78875 Long filenames cause OOM and temp files are not cleaned
+ CVE-2019-11048
+ Fix #78876 Long variables in multipart/form-data cause OOM and temp
+ files are not cleaned
+
+* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 5.6.40-20
+- standard:
+ Fix #79330 shell_exec silently truncates after a null byte
+ Fix #79465 OOB Read in urldecode
+ CVE-2020-7067
+
+* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 5.6.40-19
+- standard:
+ Fix #79329 get_headers() silently truncates after a null byte
+ CVE-2020-7066
+- exif:
+ Fix #79282 Use-of-uninitialized-value in exif
+ CVE-2020-7064
+- use oracle client library version 19.6 (18.5 on EL-6)
+
+* Wed Feb 19 2020 Remi Collet <remi@remirepo.net> - 5.6.40-18.fc32
+- add fix for GCC 10
+
+* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 5.6.40-18
+- phar:
+ Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
+ CVE-2020-7063
+- session:
+ Fix #79221 Null Pointer Dereference in PHP Session Upload Progress
+ CVE-2020-7062
+
+* Thu Jan 23 2020 Remi Collet <remi@remirepo.net> - 5.6.40-17
+- mbstring:
+ Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
+ CVE-2020-7060
+- standard:
+ Fix #79099 OOB read in php_strip_tags_ex
+ CVE-2020-7059
+
+* Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 5.6.40-15
+- bcmath:
+ Fix #78878 Buffer underflow in bc_shift_addsub
+ CVE-2019-11046
+- core:
+ Fix #78862 link() silently truncates after a null byte on Windows
+ CVE-2019-11044
+ Fix #78863 DirectoryIterator class silently truncates after a null byte
+ CVE-2019-11045
+- exif
+ Fix #78793 Use-after-free in exif parsing under memory sanitizer
+ CVE-2019-11050
+ Fix #78910 Heap-buffer-overflow READ in exif
+ CVE-2019-11047
+- use oracle client library version 19.5 (18.5 on EL-6)
+
* Tue Oct 22 2019 Remi Collet <remi@remirepo.net> - 5.6.40-14
- FPM:
Fix CVE-2019-11043 env_path_info underflow in fpm_main.c