author | Remi Collet <remi@remirepo.net> | 2022-09-27 20:37:14 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2022-09-27 20:37:14 +0200 |
commit | bc8ed5c45a99129a8d77f53054bf47553c37db48 (patch) | |
tree | daddee96f8901a95eb0b6a9583fbaf978b3535e7 | |
parent | ba09fa0473cc2f090fda511c1a78adee8a3fab66 (diff) |
phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628
core: fix #81727 Don't mangle HTTP variable names that clash with ones
that have a specific semantic meaning. CVE-2022-31629
use oracle client library version 21.7
-rw-r--r-- | php-bug81726.patch | 59 | ||||
-rw-r--r-- | php.spec | 4 |
2 files changed, 61 insertions, 2 deletions
diff --git a/php-bug81726.patch b/php-bug81726.patch
index 031fded..8984aa9 100644
--- a/php-bug81726.patch
+++ b/php-bug81726.patch
@@ -86,3 +86,62 @@ index 583ed453e6..c9928ecdcd 100644
 continue;
 }
+From f80e21336cc4dc37b6dc8808fec05a584c39d403 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 27 Sep 2022 17:43:40 +0200
+Subject: [PATCH] Fix regression introduced by fixing bug 81726
+
+When a tar phar is created, `phar_open_from_fp()` is also called, but
+since the file has just been created, none of the format checks can
+succeed, so we continue to loop, but must not check again for the
+format. Therefore, we bring back the old `test` variable.
+
+Closes GH-9620.
+
+(cherry picked from commit 432bf196d59bcb661fcf9cb7029cea9b43f490af)
+---
+ ext/phar/phar.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index c9928ecdcd..f55e5fd4d8 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1584,7 +1584,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ const char zip_magic[] = "PK\x03\x04";
+ const char gz_magic[] = "\x1f\x8b\x08";
+ const char bz_magic[] = "BZh";
+- char *pos;
++ char *pos, test = '\0';
+ int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
+ const int window_size = 1024;
+ char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
+@@ -1613,7 +1613,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
+ }
+
+- if (recursion_count) {
++ if (!test && recursion_count) {
++ test = '\1';
+ pos = buffer+tokenlen;
+ if (!memcmp(pos, gz_magic, 3)) {
+ char err = 0;
+@@ -1673,6 +1674,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ compression = PHAR_FILE_COMPRESSED_GZ;
+
+ /* now, start over */
++ test = '\0';
+ if (!--recursion_count) {
+ MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
break;
+@@ -1714,6 +1716,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ compression = PHAR_FILE_COMPRESSED_BZ2;
+
+ /* now, start over */
++ test = '\0';
+ if (!--recursion_count) {
+ MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
+ break;
+--
+2.37.3
+
@@ -127,7 +127,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 34%{?dist}
+Release: 35%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -2009,7 +2009,7 @@ EOF
 %changelog
-* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 7.0.33-34
+* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 7.0.33-35
 - phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628
 - core: fix #81727 Don't mangle HTTP variable names that clash with ones
   that have a specific semantic meaning. CVE-2022-31629 |
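Review bot: The re-introduced `test` flag in the embedded phar.c patch is declared without any comment, so its purpose (run the magic-byte check only once per stream while the window loop keeps reading, and re-arm it when the loop restarts on decompressed data) is recoverable only from the embedded commit message; a short comment at the declaration would help, e.g. `char *pos, test = '\0'; /* non-zero once the format magic was checked for the current stream; reset when restarting on decompressed data */`. The flag is a `char` toggled with the literals `'\0'` and `'\1'` but is only ever tested for truth, so an `int` (or the code base's `zend_bool`) set to `0`/`1` would state the intent more plainly. The bound added for the quine-gzip DoS is preserved as far as the hunks show: both restart paths still go through `if (!--recursion_count)` and break when it reaches zero, and `test` is only cleared on those paths. The body of `phar_open_from_fp` begins and ends outside these hunks, so the remaining format branches and the loop exit are not visible here.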