diff options
| -rw-r--r-- | failed.txt | 11 | ||||
| -rw-r--r-- | php-bug75457.patch | 86 | ||||
| -rw-r--r-- | php-bug78380.patch | 78 | ||||
| -rw-r--r-- | php.spec | 12 |
4 files changed, 181 insertions, 6 deletions
@@ -1,22 +1,23 @@ -===== 5.6.40-12 (2019-07-30) +===== 5.6.40-13 (2019-08-28) $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log /var/lib/mock/scl56el6x/build.log:Tests failed : 3 -/var/lib/mock/scl56el7x/build.log:Tests failed : 0 +/var/lib/mock/scl56el7x/build.log:Tests failed : 1 /var/lib/mock/scl56el8x/build.log:Tests failed : 28 -/var/lib/mock/scl56fc28x/build.log:Tests failed : 1 /var/lib/mock/scl56fc29x/build.log:Tests failed : 3 /var/lib/mock/scl56fc30x/build.log:Tests failed : 3 +/var/lib/mock/scl56fc31x/build.log:Tests failed : 3 el6x: 3 Bug #65538: SSL context "cafile" disallows URL stream wrappers [ext/openssl/tests/bug65538_002.phpt] 3 gethostbyname() function - basic return valid ip address test [ext/standard/tests/network/gethostbyname_error004.phpt] 3 getmxrr() test [ext/standard/tests/network/getmxrr.phpt] -fc28x, fc29x, fc30x: +el7x: + 2 Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt] +fc29x, fc30x, fc31x: 2 substr_compare() [ext/standard/tests/strings/substr_compare.phpt] -fc29x, fc30x: openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt] TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt] diff --git a/php-bug75457.patch b/php-bug75457.patch new file mode 100644 index 0000000..88a1061 --- /dev/null +++ b/php-bug75457.patch @@ -0,0 +1,86 @@ +From 582128d6b5acdef94752cc4ea4a049497067bb38 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Fri, 16 Aug 2019 14:29:19 +0200 +Subject: [PATCH 1/3] Fix #75457: heap-use-after-free in php7.0.25 + +Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>. + +(cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9) +--- + ext/pcre/pcrelib/pcre_compile.c | 11 ++++++++++- + ext/pcre/tests/bug75457.phpt | 10 ++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + create mode 100644 ext/pcre/tests/bug75457.phpt + +diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c +index c9171cbee9..1d37671635 100644 +--- a/ext/pcre/pcrelib/pcre_compile.c ++++ b/ext/pcre/pcrelib/pcre_compile.c +@@ -485,7 +485,7 @@ static const char error_texts[] = + "lookbehind assertion is not fixed length\0" + "malformed number or name after (?(\0" + "conditional group contains more than two branches\0" +- "assertion expected after (?(\0" ++ "assertion expected after (?( or (?(?C)\0" + "(?R or (?[+-]digits must be followed by )\0" + /* 30 */ + "unknown POSIX class name\0" +@@ -6734,6 +6734,15 @@ for (;; ptr++) + for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break; + if (ptr[i] == CHAR_RIGHT_PARENTHESIS) + tempptr += i + 1; ++ ++ /* tempptr should now be pointing to the opening parenthesis of the ++ assertion condition. */ ++ ++ if (*tempptr != CHAR_LEFT_PARENTHESIS) ++ { ++ *errorcodeptr = ERR28; ++ goto FAILED; ++ } + } + + /* For conditions that are assertions, check the syntax, and then exit +diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt +new file mode 100644 +index 0000000000..c7ce9ed0f9 +--- /dev/null ++++ b/ext/pcre/tests/bug75457.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #75457 (heap-use-after-free in php7.0.25) ++--FILE-- ++<?php ++$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/"; ++var_dump(preg_match($pattern, "hello")); ++?> ++--EXPECTF-- ++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d ++bool(false) +-- +2.20.1 + +From b781eb2900cc0d74e385e704711a0002a9ecc8cb Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 28 Aug 2019 14:34:48 +0200 +Subject: [PATCH] relax test, offset may be different on various system lib + versions + +--- + ext/pcre/tests/bug75457.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt +index c7ce9ed0f9..571a4bde77 100644 +--- a/ext/pcre/tests/bug75457.phpt ++++ b/ext/pcre/tests/bug75457.phpt +@@ -6,5 +6,5 @@ $pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/"; + var_dump(preg_match($pattern, "hello")); + ?> + --EXPECTF-- +-Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d ++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset %d in %sbug75457.php on line %d + bool(false) +-- +2.20.1 + diff --git a/php-bug78380.patch b/php-bug78380.patch new file mode 100644 index 0000000..4d7db35 --- /dev/null +++ b/php-bug78380.patch @@ -0,0 +1,78 @@ +From 8cc1b123b05c51442b9a4fc4ea61d7719ee96e0e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 24 Aug 2019 23:11:45 -0700 +Subject: [PATCH 2/3] Fix CVE-2019-13224: don't allow different encodings for + onig_new_deluxe() + +Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 + +(cherry picked from commit 1258303e66d8dede4f02347334b9f6576e98a21b) +--- + ext/mbstring/oniguruma/regext.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/mbstring/oniguruma/regext.c b/ext/mbstring/oniguruma/regext.c +index b1b957b40c..b108e638c6 100644 +--- a/ext/mbstring/oniguruma/regext.c ++++ b/ext/mbstring/oniguruma/regext.c +@@ -29,6 +29,7 @@ + + #include "regint.h" + ++#if 0 + static void + conv_ext0be32(const UChar* s, const UChar* end, UChar* conv) + { +@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e + + return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION; + } ++#endif + + extern int + onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, +@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end, + if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL; + + if (ci->pattern_enc != ci->target_enc) { +- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end, +- &cpat, &cpat_end); +- if (r) return r; ++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION; + } + else { + cpat = (UChar* )pattern; +-- +2.20.1 + +From b0aa68eade0d15274465136a6d6b84edd8ab6e4b Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 28 Aug 2019 14:06:50 +0200 +Subject: [PATCH 3/3] NEWS + +--- + NEWS | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/NEWS b/NEWS +index 5039cdf59d..cb7919bafc 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,14 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.1.32 ++ ++- mbstring: ++ . Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe) (stas) ++ ++- pcre: ++ . Fixed bug #75457 (heap use-after-free in pcrelib) (cmb) ++ + Backported from 7.1.31 + + - EXIF: +-- +2.20.1 + @@ -142,7 +142,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 12%{?dist} +Release: 13%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -220,6 +220,8 @@ Patch221: php-bug77967.patch Patch222: php-bug78222.patch Patch223: php-bug78256.patch Patch224: php-bug77919.patch +Patch225: php-bug75457.patch +Patch226: php-bug78380.patch # Fixes for tests (300+) @@ -967,6 +969,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch222 -p1 -b .bug78222 %patch223 -p1 -b .bug78256 %patch224 -p1 -b .bug77919 +%patch225 -p1 -b .bug75457 +%patch226 -p1 -b .bug78380 # Fixes for tests %patch300 -p1 -b .datetests @@ -1912,6 +1916,12 @@ EOF %changelog +* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 5.6.40-13 +- mbstring: + Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe +- pcre: + Fix #75457 heap use-after-free in pcrelib + * Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12 - exif: Fix #78256 heap-buffer-overflow on exif_process_user_comment |