authorRemi Collet <remi@remirepo.net>2019-04-02 16:05:14 +0200
committerRemi Collet <remi@remirepo.net>2019-04-02 16:05:14 +0200
commitb24f881bfb8a7ee8b17c9a8168aa8675d761ecf9 (patch)
tree2858a65145bc45008f75d84e173143669fb2fbaf
parentb6d6544f9e4536958fd65a5e1733b049a84d65ba (diff)
- exif:
  Fix #77753 Heap-buffer-overflow in php_ifd_get32s
  Fix #77831 Heap-buffer-overflow in exif_iif_add_value
- sqlite3:
  Added sqlite3.defensive INI directive
-rw-r--r--failed.txt14
-rw-r--r--php-bug77753.patch33
-rw-r--r--php-bug77831.patch232
-rw-r--r--php-news.patch96
-rw-r--r--php-sqlite3-defensive.patch167
-rw-r--r--php.spec17
6 files changed, 549 insertions, 10 deletions
diff --git a/failed.txt b/failed.txt
index 8a55425..7c2375b 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,22 +1,18 @@
-===== 7.0.33-5 (2019-03-05)
+===== 7.0.33-7 (2019-04-02)
$ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
/var/lib/mock/scl70el6x/build.log:Tests failed : 0
/var/lib/mock/scl70el7x/build.log:Tests failed : 0
-/var/lib/mock/scl70el8x/build.log:Tests failed : 54
+/var/lib/mock/scl70el8x/build.log:Tests failed : 28
/var/lib/mock/scl70fc25x/build.log:Tests failed : 0
/var/lib/mock/scl70fc26x/build.log:Tests failed : 0
/var/lib/mock/scl70fc27x/build.log:Tests failed : 0
-/var/lib/mock/scl70fc28x/build.log:Tests failed : 3
-/var/lib/mock/scl70fc29x/build.log:Tests failed : 4
-/var/lib/mock/scl70fc30x/build.log:Tests failed : 4
+/var/lib/mock/scl70fc28x/build.log:Tests failed : 0
+/var/lib/mock/scl70fc29x/build.log:Tests failed : 1
+/var/lib/mock/scl70fc30x/build.log:Tests failed : 1
-fc28x, fc29x, fc30x:
- Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
- Bug #33415 [2] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-2.phpt]
- date_modify() function [1] [ext/date/tests/date_modify-1.phpt]
fc29x, fc30x:
TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
diff --git a/php-bug77753.patch b/php-bug77753.patch
new file mode 100644
index 0000000..59fc5f0
--- /dev/null
+++ b/php-bug77753.patch
@@ -0,0 +1,33 @@
+Without test as binary patch are not supported
+
+
+
+From 46bda08a639a77da855bcd306d0a0095af169b8e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 17 Mar 2019 22:54:46 -0700
+Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
+
+(cherry picked from commit f3aefc6d071b807ddacae0a0bc49f09c38e18490)
+---
+ ext/exif/exif.c | 4 ++++
+ ext/exif/tests/bug77753.phpt | 16 ++++++++++++++++
+ ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes
+ 3 files changed, 20 insertions(+)
+ create mode 100644 ext/exif/tests/bug77753.phpt
+ create mode 100644 ext/exif/tests/bug77753.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 57567fb666..cd6b824d38 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2801,6 +2801,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ return FALSE;
+ }
++ if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
++ return FALSE;
++ }
+
+ for (de=0;de<NumDirEntries;de++) {
+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
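Review bot: The new warning in exif_process_IFD_in_MAKERNOTE passes `(dir_start - value_ptr) + (2+NumDirEntries*12)` to a `0x%04X` conversion. Both operands are declared outside the hunk, but they look like char pointers, so the argument is a pointer difference rather than the int-sized value the conversion expects. Casting it keeps the varargs call well-defined, e.g. `(int)(dir_start - value_ptr) + (2+NumDirEntries*12)`. The subtraction `value_len - (2+NumDirEntries*12)` in the new condition is only safe because the check just above already rejected the larger case, which deserves a one-line comment such as `/* cannot go negative: 2+NumDirEntries*12 <= value_len was checked above */`. The packaging note at the top says the .phpt and .tiff were dropped, so the build's test suite does not exercise this backport. The function body starts and ends outside the hunk.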
diff --git a/php-bug77831.patch b/php-bug77831.patch
new file mode 100644
index 0000000..afef6df
--- /dev/null
+++ b/php-bug77831.patch
@@ -0,0 +1,232 @@
+Without test as binary patch are not supported
+
+
+
+From b325c4632c6a2016109c9f53397ef4356bb47bcf Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Apr 2019 00:12:26 -0700
+Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value
+ in EXIF
+
+(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4)
+---
+ NEWS | 4 ++++
+ ext/exif/exif.c | 43 +++++++++++++++++++++++------------
+ ext/exif/tests/bug77831.phpt | 13 +++++++++++
+ ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes
+ 4 files changed, 45 insertions(+), 15 deletions(-)
+ create mode 100644 ext/exif/tests/bug77831.phpt
+ create mode 100644 ext/exif/tests/bug77831.tiff
+
+diff --git a/NEWS b/NEWS
+index 4ab4ddb5cd..a49afe2411 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP NEWS
+
+ Backported from 7.1.28
+
++- EXIF:
++ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
++
+ - SQLite3:
+ . Added sqlite3.defensive INI directive. (BohwaZ)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index cd6b824d38..fc6ee852fa 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1654,10 +1654,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
+ /* {{{ exif_iif_add_value
+ Add a value to image_info
+ */
+-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel)
++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel)
+ {
+ size_t idex;
+- void *vptr;
++ void *vptr, *vptr_end;
+ image_info_value *info_value;
+ image_info_data *info_data;
+ image_info_data *list;
+@@ -1679,8 +1679,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+
+ switch (format) {
+ case TAG_FMT_STRING:
++ if (length > value_len) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++ value = NULL;
++ }
+ if (value) {
+- length = php_strnlen(value, length);
++ length = (int)php_strnlen(value, length);
+ info_value->s = estrndup(value, length);
+ info_data->length = length;
+ } else {
+@@ -1702,6 +1706,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ if (!length)
+ break;
+ case TAG_FMT_UNDEFINED:
++ if (length > value_len) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++ value = NULL;
++ }
+ if (value) {
+ if (tag == TAG_MAKER_NOTE) {
+ length = (int) php_strnlen(value, length);
+@@ -1732,7 +1740,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ } else {
+ info_value = &info_data->value;
+ }
++ vptr_end = value+value_len;
+ for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
++ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
++ break;
++ }
+ if (length>1) {
+ info_value = &info_data->value.list[idex];
+ }
+@@ -1768,7 +1781,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ php_error_docref(NULL, E_WARNING, "Found value of type single");
+ #endif
+ info_value->f = *(float *)value;
+-
++ break;
+ case TAG_FMT_DOUBLE:
+ #ifdef EXIF_DEBUG
+ php_error_docref(NULL, E_WARNING, "Found value of type double");
+@@ -1786,9 +1799,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ /* {{{ exif_iif_add_tag
+ Add a tag from IFD to image_info
+ */
+-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value)
++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len)
+ {
+- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel);
++ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel);
+ }
+ /* }}} */
+
+@@ -2209,7 +2222,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
+ */
+ static void exif_process_COM (image_info_type *image_info, char *value, size_t length)
+ {
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2);
+ }
+ /* }}} */
+
+@@ -2224,17 +2237,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ if (length>3) {
+ switch(value[2]) {
+ case 0:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length;
+ break;
+ case 1:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+ break;
+ default:
+ php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding");
+ break;
+ }
+ } else {
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0);
+ php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small");
+ }
+ }
+@@ -2826,7 +2839,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table)
+ {
+ size_t length;
+- int tag, format, components;
++ unsigned int tag, format, components;
+ char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
+@@ -3137,7 +3150,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ }
+ }
+ }
+- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr);
++ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count);
+ EFREE_IF(outside);
+ return TRUE;
+ }
+@@ -3295,10 +3308,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
+ size_t l1, l2=0;
+
+ if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
+- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2);
++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1);
+ if (length > 2+l1+1) {
+ l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
+- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);
++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2);
+ }
+ }
+ #ifdef EXIF_DEBUG
+@@ -4099,7 +4112,7 @@ PHP_FUNCTION(exif_read_data)
+ if (ImageInfo.Thumbnail.size) {
+ if (read_thumbnail) {
+ /* not exif_iif_add_str : this is a buffer */
+- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data);
++ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
+ }
+ if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+ /* try to evaluate if thumbnail data is present */
+From 1f9f1ad6e55d784fd0c6842c3925117247858b8e Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 2 Apr 2019 11:03:40 +0200
+Subject: [PATCH] fix paste issue
+
+---
+ ext/exif/exif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index fc6ee852fa..a1c49e937d 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2237,7 +2237,7 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ if (length>3) {
+ switch(value[2]) {
+ case 0:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length;
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length);
+ break;
+ case 1:
+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+From e96f513c13926f2e027949c343a93c534f155b6e Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 2 Apr 2019 10:37:40 +0200
+Subject: [PATCH] Pointer arithmetic on void pointers is illegal
+
+We quick-fix this by casting to char*; it might be more appropriate to
+use char pointers in the first place.
+
+(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
+---
+ ext/exif/exif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a1c49e937d..0e490abd1b 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1740,9 +1740,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ } else {
+ info_value = &info_data->value;
+ }
+- vptr_end = value+value_len;
++ vptr_end = (char *) value + value_len;
+ for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+- if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++ if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ break;
+ }
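Review bot: The new `length > value_len` guard in exif_iif_add_value adds no independent bound for several of the updated call sites, because they pass the same expression for both arguments. This applies to exif_process_COM, exif_process_CME, exif_process_APP12 and the THUMBNAIL call in exif_read_data; only the exif_process_IFD_TAG call, with `components` against `byte_count`, supplies a separately derived buffer size. In exif_process_COM both arguments are `length-2` on a size_t, which wraps when length is below 2. Unless every caller guarantees at least two bytes (not visible on this page), a guard such as `if (length < 2) return;` before the call would keep the bound meaningful. It would also help to document on exif_iif_add_value that `value_len` must be the number of bytes actually available behind `value`, not a copy of `length`, for example `/* value_len: bytes readable at value, taken from the enclosing buffer */`.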
diff --git a/php-news.patch b/php-news.patch
new file mode 100644
index 0000000..eb02c6c
--- /dev/null
+++ b/php-news.patch
@@ -0,0 +1,96 @@
+From 2701c18b3f5edcff2b08839c9e18b93b77ec7a81 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Thu, 7 Mar 2019 16:30:16 +0100
+Subject: [PATCH] Update NEWS
+
+---
+ NEWS | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5b0aeb597b..bdefc0ede2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,51 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
++
++Backported from 7.2.27
++
++- Core:
++ . Fixed bug #77630 (rename() across the device may allow unwanted access during
++ processing). (Stas)
++
++- EXIF:
++ . Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas)
++ . Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas)
++ . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)
++ . Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)
++
++- PHAR:
++ . Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename).
++ (bishop)
++ . Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (bishop)
++
++- SPL:
++ . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb)
++
++Backported from 7.2.26
++
++- GD:
++ . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
++ use-after-free). (cmb)
++ . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
++
++- Mbstring:
++ . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
++ . Fixed bug #77371 (heap buffer overflow in mb regex functions
++ - compile_string_node). (Stas)
++ . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
++ . Fixed bug #77382 (heap buffer overflow due to incorrect length in
++ expand_case_fold_string). (Stas)
++ . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
++ . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
++ . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
++
++- Phar:
++ . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
++
++- Xmlrpc:
++ . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
++ . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
++
+ 06 Dec 2018 PHP 7.0.33
+
+ - Core:
+From bffa56dcaafe01686d2b975f7a2e9f740d25e0bb Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Thu, 7 Mar 2019 16:31:43 +0100
+Subject: [PATCH] Fix version in NEWS
+
+---
+ NEWS | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index bdefc0ede2..d21699c54b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,7 +1,7 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
+-Backported from 7.2.27
++Backported from 7.1.27
+
+ - Core:
+ . Fixed bug #77630 (rename() across the device may allow unwanted access during
+@@ -21,7 +21,7 @@ Backported from 7.2.27
+ - SPL:
+ . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb)
+
+-Backported from 7.2.26
++Backported from 7.1.26
+
+ - GD:
+ . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
diff --git a/php-sqlite3-defensive.patch b/php-sqlite3-defensive.patch
new file mode 100644
index 0000000..5a14fcb
--- /dev/null
+++ b/php-sqlite3-defensive.patch
@@ -0,0 +1,167 @@
+From afc129d7f5cd54edf8614c71318a9b3506d79848 Mon Sep 17 00:00:00 2001
+From: bohwaz <github.bohwaz@miam.kd2.org>
+Date: Sun, 16 Dec 2018 22:52:37 +0100
+Subject: [PATCH] SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a
+ mitigation strategy against potential security flaws
+
+(cherry picked from commit 58c25bf679125a2da354db58ddc6b0cf6d10ee00)
+---
+ NEWS | 5 +++
+ ext/sqlite3/php_sqlite3.h | 1 +
+ ext/sqlite3/sqlite3.c | 9 ++++++
+ ext/sqlite3/tests/sqlite3_defensive.phpt | 40 ++++++++++++++++++++++++
+ php.ini-development | 11 +++++++
+ php.ini-production | 11 +++++++
+ 6 files changed, 77 insertions(+)
+ create mode 100644 ext/sqlite3/tests/sqlite3_defensive.phpt
+
+diff --git a/NEWS b/NEWS
+index d21699c54b..4ab4ddb5cd 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,11 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.28
++
++- SQLite3:
++ . Added sqlite3.defensive INI directive. (BohwaZ)
++
+ Backported from 7.1.27
+
+ - Core:
+diff --git a/ext/sqlite3/php_sqlite3.h b/ext/sqlite3/php_sqlite3.h
+index c6bf4af07e..047b63d95f 100644
+--- a/ext/sqlite3/php_sqlite3.h
++++ b/ext/sqlite3/php_sqlite3.h
+@@ -28,6 +28,7 @@ extern zend_module_entry sqlite3_module_entry;
+
+ ZEND_BEGIN_MODULE_GLOBALS(sqlite3)
+ char *extension_dir;
++ int dbconfig_defensive;
+ ZEND_END_MODULE_GLOBALS(sqlite3)
+
+ #ifdef ZTS
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
+index a22f455331..5e6d9dd792 100644
+--- a/ext/sqlite3/sqlite3.c
++++ b/ext/sqlite3/sqlite3.c
+@@ -81,6 +81,9 @@ static void php_sqlite3_error(php_sqlite3_db_object *db_obj, char *format, ...)
+ */
+ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("sqlite3.extension_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals)
++#if SQLITE_VERSION_NUMBER >= 3026000
++ STD_PHP_INI_ENTRY("sqlite3.defensive", "1", PHP_INI_SYSTEM, OnUpdateBool, dbconfig_defensive, zend_sqlite3_globals, sqlite3_globals)
++#endif
+ PHP_INI_END()
+ /* }}} */
+
+@@ -178,6 +181,12 @@ PHP_METHOD(sqlite3, open)
+ sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL);
+ }
+
++#if SQLITE_VERSION_NUMBER >= 3026000
++ if (SQLITE3G(dbconfig_defensive)) {
++ sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL);
++ }
++#endif
++
+ if (fullpath != filename) {
+ efree(fullpath);
+ }
+diff --git a/ext/sqlite3/tests/sqlite3_defensive.phpt b/ext/sqlite3/tests/sqlite3_defensive.phpt
+new file mode 100644
+index 0000000000..064d87b50a
+--- /dev/null
++++ b/ext/sqlite3/tests/sqlite3_defensive.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++SQLite3 defensive mode ini setting
++--SKIPIF--
++<?php require_once(__DIR__ . '/skipif.inc');
++
++if (SQLite3::version()['versionNumber'] < 3026000) {
++ die("skip: sqlite3 library version < 3.26: no support for defensive mode");
++}
++
++?>
++--INI--
++sqlite3.defensive=On
++--FILE--
++<?php
++
++$db = new SQLite3(':memory:');
++var_dump($db->exec('CREATE TABLE test (a, b);'));
++
++// This does not generate an error!
++var_dump($db->exec('PRAGMA writable_schema = ON;'));
++var_dump($db->querySingle('PRAGMA writable_schema;'));
++
++// Should be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++
++// Should generate an error!
++var_dump($db->querySingle('DELETE FROM sqlite_master;'));
++
++// Should still be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++?>
++--EXPECTF--
++bool(true)
++bool(true)
++int(1)
++int(1)
++
++Warning: SQLite3::querySingle(): Unable to prepare statement: 1, table sqlite_master may not be modified in %s on line %d
++bool(false)
++int(1)
+\ No newline at end of file
+diff --git a/php.ini-development b/php.ini-development
+index 50b9dbc37e..0a5be60f6b 100644
+--- a/php.ini-development
++++ b/php.ini-development
+@@ -969,8 +969,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
+diff --git a/php.ini-production b/php.ini-production
+index 52a11fce3f..c05428fdbc 100644
+--- a/php.ini-production
++++ b/php.ini-production
+@@ -969,8 +969,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
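Review bot: The result of `sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL)` in SQLite3::open is discarded, so if the call fails the connection proceeds without defensive mode and nothing tells the operator that `sqlite3.defensive = 1` did not take effect. One way this could happen is a run-time library older than the headers seen by the `#if SQLITE_VERSION_NUMBER >= 3026000` test, which is a compile-time check only. Checking the return and reporting through the helper already in this file would make that visible: `if (sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL) != SQLITE_OK) { php_sqlite3_error(db_obj, "Unable to enable defensive mode"); }`. The patch's diffstat touches only ext/sqlite3, so databases opened through other SQLite bindings are presumably not covered by this directive, which the php.ini comment could state. The body of the open method continues outside the hunk.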
diff --git a/php.spec b/php.spec
index fce341e..7d251a2 100644
--- a/php.spec
+++ b/php.spec
@@ -131,7 +131,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 6%{?dist}
+Release: 7%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -210,6 +210,10 @@ Patch210: php-bug77540.patch
Patch211: php-bug77563.patch
Patch212: php-bug77586.patch
Patch213: php-bug77630.patch
+Patch214: php-news.patch
+Patch215: php-sqlite3-defensive.patch
+Patch216: php-bug77753.patch
+Patch217: php-bug77831.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -964,6 +968,10 @@ support for JavaScript Object Notation (JSON) to PHP.
%patch211 -p1 -b .bug77563
%patch212 -p1 -b .bug77586
%patch213 -p1 -b .bug77630
+%patch214 -p1 -b .backport
+%patch215 -p1 -b .sqlite3.defensive
+%patch216 -p1 -b .bug77753
+%patch217 -p1 -b .bug77831
: ---------------------------
#exit 1
@@ -1919,6 +1927,13 @@ EOF
%changelog
+* Tue Apr 2 2019 Remi Collet <remi@remirepo.net> - 7.0.33-7
+- exif:
+ Fix #77753 Heap-buffer-overflow in php_ifd_get32s
+ Fix #77831 Heap-buffer-overflow in exif_iif_add_value
+- sqlite3:
+ Added sqlite3.defensive INI directive
+
* Fri Mar 15 2019 Remi Collet <remi@remirepo.net> - 7.0.33-6
- Fix #76846 Segfault in shutdown function after memory limit error