From 54c47c5cbf037ce982bf1868f79051c8af88bad3 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 12 Mar 2019 11:05:11 +0100 Subject: Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename Fix #77586 - phar_tar_writeheaders_int() buffer overflow - spl: Fix #77431 openFile() silently truncates after a null byte - security fix synced with https://github.com/Microsoft/php-src/ --- php-bug77630.patch | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) (limited to 'php-bug77630.patch') diff --git a/php-bug77630.patch b/php-bug77630.patch index bc3f645..71cbf12 100644 --- a/php-bug77630.patch +++ b/php-bug77630.patch @@ -1,8 +1,4 @@ -Backported to 5.6 from 7.1 by remi - - - -From e3133e4db70476fb7adfdedb738483e2255ce0e1 Mon Sep 17 00:00:00 2001 +From 0c78ce21f96537dbea40c1d4f7467617600d266b Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 2 Mar 2019 23:42:53 -0800 Subject: [PATCH] Fix bug #77630 - safer rename() procedure @@ -11,15 +7,17 @@ In order to rename safer, we do the following: - set umask to 077 (unfortunately, not TS, so excluding ZTS) - chown() first, to set proper group before allowing group access - chmod() after, even if chown() fails + +(cherry picked from commit e3133e4db70476fb7adfdedb738483e2255ce0e1) --- - main/streams/plain_wrapper.c | 51 ++++++++++++++++++++++++------------ - 1 file changed, 34 insertions(+), 17 deletions(-) + main/streams/plain_wrapper.c | 48 ++++++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c -index af890a9aa3bb..7fdf906e6fad 100644 +index f472bad4b9..3e114a64ea 100644 --- a/main/streams/plain_wrapper.c 
+++ b/main/streams/plain_wrapper.c -@@ -1126,34 +1126,51 @@ static int php_plain_files_rename(php_st +@@ -1126,34 +1126,50 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f # ifdef EXDEV if (errno == EXDEV) { struct stat sb; @@ -33,11 +31,6 @@ index af890a9aa3bb..7fdf906e6fad 100644 + success = 1; # if !defined(TSRM_WIN32) && !defined(NETWARE) - if (VCWD_CHMOD(url_to, sb.st_mode)) { -- if (errno == EPERM) { -- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno)); -- VCWD_UNLINK(url_from); -- return 1; -- } + /* + * Try to set user and permission info on the target. + * If we're not root, then some of these may fail. @@ -46,21 +39,24 @@ index af890a9aa3bb..7fdf906e6fad 100644 + * access to the file in the meantime. + */ + if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { - php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno)); -- return 0; -+ if (errno != EPERM) { ++ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno)); + if (errno == EPERM) { +- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; + success = 0; -+ } + } +- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; } - if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { - if (errno == EPERM) { -+ + if (success) { + if (VCWD_CHMOD(url_to, sb.st_mode)) { php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno)); - VCWD_UNLINK(url_from); - return 1; -+ if (errno != EPERM) { ++ if (errno == EPERM) { + success = 0; + } } -- cgit
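Review bot: In the refreshed patch both failure branches in php_plain_files_rename() now read `if (errno == EPERM) { success = 0; }`, where the replaced lines had `if (errno != EPERM)`; this looks inverted against the patch's own description ("If we're not root, then some of these may fail", "chmod() after, even if chown() fails"). As written, an EPERM from VCWD_CHOWN clears `success` and the `if (success)` guard then skips VCWD_CHMOD, so an unprivileged cross-device rename would presumably be reported as failed with the target left at the umask-restricted mode; please confirm that this matches the cherry-picked commit and is intended for this branch. Separately, `errno` is tested only after php_error_docref2() has run, and that call may overwrite it; saving it first (`int err = errno;` before the warning, then testing `err`) would make the check reliable. The function body and the code that consumes `success` lie outside the hunk.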