From 4de127dc81624b43843bc4d3d31f97bffd992c93 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 21 Jan 2020 11:44:20 +0100 Subject: mbstring: Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar CVE-2020-7060 standard: Fix #79099 OOB read in php_strip_tags_ex CVE-2020-7059 --- failed.txt | 2 +- php-bug79037.patch | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79099.patch | 81 +++++++++++++++++++++++++++++++++++++++++++++++ php.spec | 14 +++++++- 4 files changed, 188 insertions(+), 2 deletions(-) create mode 100644 php-bug79037.patch create mode 100644 php-bug79099.patch diff --git a/failed.txt b/failed.txt index 680a705..49b46f3 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -===== 5.6.40-15 (2019-12-19) +===== 5.6.40-16 (2020-01-21) $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log diff --git a/php-bug79037.patch b/php-bug79037.patch new file mode 100644 index 0000000..8da4b8d --- /dev/null +++ b/php-bug79037.patch @@ -0,0 +1,93 @@ +From 31b5f3736519f3cb1af875f22f70423934a636d6 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jan 2020 21:42:44 -0800 +Subject: [PATCH] Fix bug #79037 (global buffer-overflow in + `mbfl_filt_conv_big5_wchar`) + +(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501) +--- + ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++----- + ext/mbstring/tests/bug79037.phpt | 10 ++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + create mode 100644 ext/mbstring/tests/bug79037.phpt + +diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +index 099f8e6af0..e04d81d220 100644 +--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c ++++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = { + {0xf70f,0xf848,0xc740,0xc8fe}, + }; + ++static inline int is_in_cp950_pua(int c1, int c) { ++ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || ++ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) { ++ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe); ++ } ++ if (c1 == 0xc6) { ++ return c >= 0xa1 && c <= 0xfe; ++ } ++ return 0; ++} ++ + /* + * Big5 => wchar + */ +@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter) + + if (filter->from->no_encoding == mbfl_no_encoding_cp950) { + /* PUA for CP950 */ +- if (w <= 0 && +- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || +- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8)) +- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) || +- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) { ++ if (w <= 0 && is_in_cp950_pua(c1, c)) { + c2 = c1 << 8 | c; + for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) { + if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) { +diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt +new file mode 100644 +index 0000000000..94ff01a4a1 +--- /dev/null ++++ b/ext/mbstring/tests/bug79037.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` ++--FILE-- ++ ++--EXPECT-- ++string(1) "?" +From f90b183c1ff88efc6e499811dc008a90f32989f0 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 21 Jan 2020 10:12:44 +0100 +Subject: [PATCH] update NEWS + +--- + NEWS | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/NEWS b/NEWS +index ee2fe2830b..c387fa8f86 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,15 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.27 ++ ++- Mbstring: ++ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). ++ (CVE-2020-7060) (Nikita) ++ ++- Standard: ++ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb) ++ + Backported from 7.2.26 + + - Bcmath: diff --git a/php-bug79099.patch b/php-bug79099.patch new file mode 100644 index 0000000..67660c3 --- /dev/null +++ b/php-bug79099.patch @@ -0,0 +1,81 @@ +From 9db5a8f58dd26d547cf530beeb41155d97e700f0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jan 2020 21:33:17 -0800 +Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex + +(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09) +--- + ext/standard/string.c | 6 ++--- + ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/file/bug79099.phpt + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index 569452ca93..9b75adc3b7 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -4770,7 +4770,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, + if (state == 4) { + /* Inside */ + break; +- } else if (state == 2 && *(p-1) != '\\') { ++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { + if (lc == c) { + lc = '\0'; + } else if (lc != '\\') { +@@ -4797,7 +4797,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, + + case '!': + /* JavaScript & Other HTML scripting languages */ +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + state = 3; + lc = c; + } else { +@@ -4824,7 +4824,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, + + case '?': + +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + br=0; + state=2; + break; +diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt +new file mode 100644 +index 0000000000..7c842f4654 +--- /dev/null ++++ b/ext/standard/tests/file/bug79099.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #79099 (OOB read in php_strip_tags_ex) ++--FILE-- ++ ++--EXPECT-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" diff --git a/php.spec b/php.spec index 4896ddb..d254dd9 100644 --- a/php.spec +++ b/php.spec @@ -146,7 +146,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 15%{?dist} +Release: 16%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -232,6 +232,8 @@ Patch229: php-bug78862.patch Patch230: php-bug78863.patch Patch231: php-bug78793.patch Patch232: php-bug78910.patch +Patch233: php-bug79099.patch +Patch234: php-bug79037.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -986,6 +988,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch230 -p1 -b .bug78863 %patch231 -p1 -b .bug78793 %patch232 -p1 -b .bug78910 +%patch233 -p1 -b .bug79099 +%patch234 -p1 -b .bug79037 # Fixes for tests %patch300 -p1 -b .datetests @@ -1927,6 +1931,14 @@ EOF %changelog +* Tue Jan 21 2020 Remi Collet - 5.6.40-16 +- mbstring: + Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar + CVE-2020-7060 +- standard: + Fix #79099 OOB read in php_strip_tags_ex + CVE-2020-7059 + * Tue Dec 17 2019 Remi Collet - 5.6.40-15 - bcmath: Fix #78878 Buffer underflow in bc_shift_addsub -- cgit