From 18944c026cb4c71a0e566434abd1fd7f67dc2077 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 26 Nov 2024 16:23:28 +0100 Subject: Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface GHSA-4w77-75f9-2c8w Fix OOB access in ldap_escape CVE-2024-8932 Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233 --- php-ghsa-4w77-75f9-2c8w.patch | 128 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 php-ghsa-4w77-75f9-2c8w.patch (limited to 'php-ghsa-4w77-75f9-2c8w.patch') diff --git a/php-ghsa-4w77-75f9-2c8w.patch b/php-ghsa-4w77-75f9-2c8w.patch new file mode 100644 index 0000000..3752519 --- /dev/null +++ b/php-ghsa-4w77-75f9-2c8w.patch @@ -0,0 +1,128 @@ +From 66054bd65585277dbe5453e336f875f8f126d589 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sat, 9 Nov 2024 15:29:52 +0100 +Subject: [PATCH 5/6] Fix GHSA-4w77-75f9-2c8w + +(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02) +(cherry picked from commit 462092a48aa0dbad24d9fa8a4a9d418faa14d309) +(cherry picked from commit 56488a8a4ec68e58eecc9e78dd75e41adf56984c) +(cherry picked from commit 6b8357c22f83a93104c2682d5cba9104c8de636d) +(cherry picked from commit b7c951d47acae54aab5ce896b8ec151d661c8fd0) +(cherry picked from commit abd3bf9eb5a1c42fc24b7a0296b09d93ed7d6730) +(cherry picked from commit 81f2819ec08c6c7ff1f4e2caccb51719ace6a27d) +(cherry picked from commit f7ea64028c884c1c41a25b31d5839ff2d34ced86) +--- + sapi/cli/php_cli_server.c | 2 ++ + sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++ + 2 files changed, 43 insertions(+) + create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt + +diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c +index 82bd573b56..68c123e9e8 100644 +--- a/sapi/cli/php_cli_server.c ++++ b/sapi/cli/php_cli_server.c +@@ -1873,6 +1873,8 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli + request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL; + if (SUCCESS == zend_hash_find(&client->request.headers, "content-type", sizeof("content-type"), (void**)&val)) { + request_info->content_type = *val; ++ } else { ++ request_info->content_type = NULL; + } + } /* }}} */ + +diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt +new file mode 100644 +index 0000000000..44667e8389 +--- /dev/null ++++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt +@@ -0,0 +1,41 @@ ++--TEST-- ++GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface) ++--INI-- ++allow_url_fopen=1 ++--SKIPIF-- ++ ++--FILE-- ++ [ ++ "method" => "POST", ++ "header" => "Content-Type: application/x-www-form-urlencoded", ++ "content" => "AAAAA", ++ ], ++]; ++$context = stream_context_create($options); ++ ++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context); ++ ++$options = [ ++ "http" => [ ++ "method" => "POST", ++ ], ++]; ++$context = stream_context_create($options); ++ ++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context); ++?> ++--EXPECT-- ++string(5) "AAAAA" ++string(0) "" +-- +2.47.0 + +From dcb480001bf83a82a745a160d243e7213df10d83 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Fri, 22 Nov 2024 08:58:10 +0100 +Subject: [PATCH 6/6] NEWS for 8.1.31 backports + +(cherry picked from commit 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a) +(cherry picked from commit d8d682d3d6a4d027771806c8fc77128cae078d29) +(cherry picked from commit b97a41a47f77df92771b3c01fbf7cf445c0e7a1b) +(cherry picked from commit 46f3d442aae8d8caca33a4d4ff9c9470568aee80) +(cherry picked from commit 49783ab65131f0af188ea41a74db4af56a41c323) +(cherry picked from commit 861b62921190c2c29205d6029d33a606b7a47831) +(cherry picked from commit d4b0872ce2a907b2a69db720abb5ab939fc13985) +--- + NEWS | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/NEWS b/NEWS +index 957508cd64..24fa47ec2b 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,22 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.31 ++ ++- CLI: ++ . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data ++ Processing in CLI SAPI Interface). (nielsdos) ++ ++- LDAP: ++ . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932) ++ (nielsdos) ++ ++- Streams: ++ . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context ++ might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka) ++ . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with ++ convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos) ++ + Backported from 8.1.30 + + - CGI: +-- +2.47.0 + -- cgit