summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--php-bug78875.patch69
-rw-r--r--php.spec11
2 files changed, 79 insertions, 1 deletions
diff --git a/php-bug78875.patch b/php-bug78875.patch
new file mode 100644
index 0000000..2d8f900
--- /dev/null
+++ b/php-bug78875.patch
@@ -0,0 +1,69 @@
+From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 13 May 2020 09:03:49 +0200
+Subject: [PATCH] Backports from 7.2.31
+
+ Fix #78875: Long filenames cause OOM and temp files are not cleaned
+(from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
+
+ Fix #78876: Long variables cause OOM and temp files are not cleaned
+(from 3c8582ca4b8e84e5647220b647914876d2c3b124)
+---
+ NEWS | 8 ++++++++
+ main/rfc1867.c | 9 +++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 281b52fe76..b53c9e28cb 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.31
++
++- Core:
++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
++ (CVE-2019-11048) (cmb)
++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
++ files are not cleaned). (CVE-2019-11048) (cmb)
++
+ Backported from 7.2.30
+
+ - Standard:
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 0ddf0ed8f0..fb3035072a 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
++static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC)
+ {
+- int len, max;
++ unsigned int len, max;
+ char *bound;
+
+ /* fill buffer if needed */
+@@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i
+ static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC)
+ {
+ char buf[FILLUNIT], *out=NULL;
+- int total_bytes=0, read_bytes=0;
++ unsigned int total_bytes=0, read_bytes=0;
+
+ while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
+ out = erealloc(out, total_bytes + read_bytes + 1);
+@@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ {
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++ unsigned int array_len = 0;
+ int64_t total_bytes = 0, max_file_size = 0;
+ int skip_upload = 0, anonindex = 0, is_anonymous;
+ zval *http_post_files = NULL;
diff --git a/php.spec b/php.spec
index 0131a92..ceb5e8a 100644
--- a/php.spec
+++ b/php.spec
@@ -146,7 +146,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 20%{?dist}
+Release: 21%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -241,6 +241,7 @@ Patch238: php-bug79282.patch
Patch239: php-bug79329.patch
Patch240: php-bug79330.patch
Patch241: php-bug79465.patch
+Patch242: php-bug78875.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1006,6 +1007,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch239 -p1 -b .bug79329
%patch240 -p1 -b .bug79330
%patch241 -p1 -b .bug79465
+%patch242 -p1 -b .bug78875
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1951,6 +1953,13 @@ EOF
%changelog
+* Wed May 13 2020 Remi Collet <remi@remirepo.net> - 5.6.40-21
+- Core:
+ Fix #78875 Long filenames cause OOM and temp files are not cleaned
+ CVE-2019-11048
+ Fix #78876 Long variables in multipart/form-data cause OOM and temp
+ files are not cleaned
+
* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 5.6.40-20
- standard:
Fix #79330 shell_exec silently truncates after a null byte