From 2de8f36a6cd9816e2a2bf4ad32cafa090e6b34c9 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 15 Feb 2023 11:41:53 +0100
Subject: fix #81744: Password_verify() always return true with some hash

  CVE-2023-0567
fix #81746: 1-byte array overrun in common path resolve code
  CVE-2023-0568
fix DOS vulnerability when parsing multipart request body
  CVE-2023-0662
---
 php-cve-2023-0662.patch | 148 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 148 insertions(+)
 create mode 100644 php-cve-2023-0662.patch

(limited to 'php-cve-2023-0662.patch')

diff --git a/php-cve-2023-0662.patch b/php-cve-2023-0662.patch
new file mode 100644
index 0000000..ac405ec
--- /dev/null
+++ b/php-cve-2023-0662.patch
@@ -0,0 +1,148 @@
+From 951b823876274823f4f6d78004d0e4664fd24504 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 19 Jan 2023 14:11:18 +0000
+Subject: [PATCH 5/8] Fix repeated warning for file uploads limit exceeding
+
+(cherry picked from commit 3a2fdef1ae38881110006616ee1f0534b082ca45)
+---
+ main/rfc1867.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index fb3035072a..323370fc58 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -925,7 +925,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 				skip_upload = 1;
+ 			} else if (upload_cnt <= 0) {
+ 				skip_upload = 1;
+-				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
++				if (upload_cnt == 0) {
++					--upload_cnt;
++					sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
++				}
+ 			}
+ 
+ 			/* Return with an error if the posted data is garbled */
+-- 
+2.31.1
+
+From 21a325252a52d663533715900f091b0f025a77ab Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 19 Jan 2023 14:31:25 +0000
+Subject: [PATCH 6/8] Introduce max_multipart_body_parts INI
+
+This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
+parsed multipart body parts as currently all parts were always parsed.
+
+(cherry picked from commit 8ec78d28d20c82c75c4747f44c52601cfdb22516)
+---
+ main/main.c    |  1 +
+ main/rfc1867.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/main/main.c b/main/main.c
+index ab55b5b831..66da1881d4 100644
+--- a/main/main.c
++++ b/main/main.c
+@@ -628,6 +628,7 @@ PHP_INI_BEGIN()
+ 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
+ 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+ 	PHP_INI_ENTRY("max_file_uploads",			"20",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
++	PHP_INI_ENTRY("max_multipart_body_parts",	"-1",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
+ 
+ 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,		core_globals)
+ 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,		core_globals)
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 323370fc58..ce8f557f23 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -697,6 +697,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 	void *event_extra_data = NULL;
+ 	unsigned int llen = 0;
+ 	int upload_cnt = INI_INT("max_file_uploads");
++	int body_parts_cnt = INI_INT("max_multipart_body_parts");
+ 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
+ 	php_rfc1867_getword_t getword;
+ 	php_rfc1867_getword_conf_t getword_conf;
+@@ -718,6 +719,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 		return;
+ 	}
+ 
++	if (body_parts_cnt < 0) {
++		body_parts_cnt = PG(max_input_vars) + upload_cnt;
++	}
++	int body_parts_limit = body_parts_cnt;
++
+ 	/* Get the boundary */
+ 	boundary = strstr(content_type_dup, "boundary");
+ 	if (!boundary) {
+@@ -802,6 +808,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 			char *pair = NULL;
+ 			int end = 0;
+ 
++			if (--body_parts_cnt < 0) {
++				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
++				goto fileupload_done;
++			}
++
+ 			while (isspace(*cd)) {
+ 				++cd;
+ 			}
+-- 
+2.31.1
+
+From 734b43c5938037a03b6af7212a95813c1c9e729c Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Feb 2023 09:14:47 +0100
+Subject: [PATCH 7/8] NEWS
+
+(cherry picked from commit 472db3ee3a00ac00d36019eee0b3b7362334481c)
+---
+ NEWS | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5e74b7547a..bcb62b8325 100644
+--- a/NEWS
++++ b/NEWS
+@@ -9,6 +9,10 @@ Backported from 8.0.28
+   . Fixed bug #81746 (1-byte array overrun in common path resolve code).
+     (CVE-2023-0568). (Niels Dossche)
+ 
++- FPM:
++  . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
++    request body). (CVE-2023-0662) (Jakub Zelenka)
++
+ Backported from 8.0.27
+ 
+ - PDO/SQLite:
+-- 
+2.31.1
+
+From 72c4e7e7d9039d5b68fb52794acccf740167602a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Feb 2023 11:47:22 +0100
+Subject: [PATCH 8/8] fix NEWS, not FPM specific
+
+(cherry picked from commit c04f310440a906fc4ca885f4ecf6e3e4cd36edc7)
+---
+ NEWS | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index bcb62b8325..c9e6f7d328 100644
+--- a/NEWS
++++ b/NEWS
+@@ -8,8 +8,6 @@ Backported from 8.0.28
+     (CVE-2023-0567). (Tim Düsterhus)
+   . Fixed bug #81746 (1-byte array overrun in common path resolve code).
+     (CVE-2023-0568). (Niels Dossche)
+-
+-- FPM:
+   . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
+     request body). (CVE-2023-0662) (Jakub Zelenka)
+ 
+-- 
+2.31.1
+
-- 
cgit