summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--failed.txt8
-rw-r--r--php-bug77569.patch106
-rw-r--r--php-bug78599.patch53
-rw-r--r--php-bug78793.patch62
-rw-r--r--php-bug78862.patch68
-rw-r--r--php-bug78863.patch85
-rw-r--r--php-bug78875.patch38
-rw-r--r--php-bug78876.patch74
-rw-r--r--php-bug78878.patch68
-rw-r--r--php-bug78910.patch148
-rw-r--r--php-bug79037.patch93
-rw-r--r--php-bug79082.patch152
-rw-r--r--php-bug79099.patch113
-rw-r--r--php-bug79221.patch86
-rw-r--r--php-bug79282.patch110
-rw-r--r--php-bug79329.patch57
-rw-r--r--php-bug79330.patch31
-rw-r--r--php-bug79465.patch59
-rw-r--r--php-bug79699.patch142
-rw-r--r--php-bug79797.patch52
-rw-r--r--php-bug79877.patch62
-rw-r--r--php-openssl-cert.patch148
-rw-r--r--php.spec152
23 files changed, 1949 insertions, 18 deletions
diff --git a/failed.txt b/failed.txt
index 2782518..ab621e4 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,16 +1,18 @@
-===== 7.0.33-13 (2019-08-28)
+===== 7.0.33-16 (2020-01-21)
$ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
/var/lib/mock/scl70el6x/build.log:Tests failed : 0
-/var/lib/mock/scl70el7x/build.log:Tests failed : 0
+/var/lib/mock/scl70el7x/build.log:Tests failed : 1
/var/lib/mock/scl70el8x/build.log:Tests failed : 28
/var/lib/mock/scl70fc29x/build.log:Tests failed : 1
/var/lib/mock/scl70fc30x/build.log:Tests failed : 1
/var/lib/mock/scl70fc31x/build.log:Tests failed : 1
-fc29x, fc30x:
+el7x:
+ Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt]
+fc29x, fc30x, fc31x:
TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
diff --git a/php-bug77569.patch b/php-bug77569.patch
new file mode 100644
index 0000000..d030342
--- /dev/null
+++ b/php-bug77569.patch
@@ -0,0 +1,106 @@
+From 2a58d1391f2c46e6404dae42b9b64505f94323da Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 13 Feb 2020 15:13:26 +0100
+Subject: [PATCH 1/5] Fix #77569: Write Acess Violation in DomImplementation
+
+We must not assume that the zval IS_STRING.
+
+(cherry picked from commit cec8b24c848bab8562c82422f3692c193f0afcdb)
+---
+ NEWS | 6 ++++++
+ ext/dom/document.c | 2 +-
+ ext/dom/tests/bug77569.phpt | 14 ++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/dom/tests/bug77569.phpt
+
+diff --git a/NEWS b/NEWS
+index a1dc8a81c3..5a6549e834 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.28
++
++- DOM:
++ . Fixed bug #77569: (Write Acess Violation in DomImplementation). (Nikita,
++ cmb)
++
+ Backported from 7.2.27
+
+ - Mbstring:
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index a884087f5f..29ef0a8cab 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -341,7 +341,7 @@ int dom_document_encoding_write(dom_object *obj, zval *newval)
+
+ str = zval_get_string(newval);
+
+- handler = xmlFindCharEncodingHandler(Z_STRVAL_P(newval));
++ handler = xmlFindCharEncodingHandler(ZSTR_VAL(str));
+
+ if (handler != NULL) {
+ xmlCharEncCloseFunc(handler);
+diff --git a/ext/dom/tests/bug77569.phpt b/ext/dom/tests/bug77569.phpt
+new file mode 100644
+index 0000000000..f0f3566708
+--- /dev/null
++++ b/ext/dom/tests/bug77569.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #77569 (Write Acess Violation in DomImplementation)
++--SKIPIF--
++<?php
++if (!extension_loaded('dom')) die('skip dom extension not available');
++?>
++--FILE--
++<?php
++$imp = new DOMImplementation;
++$dom = $imp->createDocument("", "");
++$dom->encoding = null;
++?>
++--EXPECTF--
++Warning: main(): Invalid Document Encoding in %s on line %d
+--
+2.24.1
+
+From 47310971e97b5be294a793bee7415c82f24d72ec Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 14 Feb 2020 09:21:13 +0100
+Subject: [PATCH 2/5] Fix typo in recent bugfix
+
+(cherry picked from commit 8308196c97418ba4c8381bed0962ae160623027a)
+---
+ NEWS | 2 +-
+ ext/dom/tests/bug77569.phpt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 5a6549e834..9467c98e33 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,7 +4,7 @@ PHP NEWS
+ Backported from 7.2.28
+
+ - DOM:
+- . Fixed bug #77569: (Write Acess Violation in DomImplementation). (Nikita,
++ . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita,
+ cmb)
+
+ Backported from 7.2.27
+diff --git a/ext/dom/tests/bug77569.phpt b/ext/dom/tests/bug77569.phpt
+index f0f3566708..9eef2af65a 100644
+--- a/ext/dom/tests/bug77569.phpt
++++ b/ext/dom/tests/bug77569.phpt
+@@ -1,5 +1,5 @@
+ --TEST--
+-Bug #77569 (Write Acess Violation in DomImplementation)
++Bug #77569 (Write Access Violation in DomImplementation)
+ --SKIPIF--
+ <?php
+ if (!extension_loaded('dom')) die('skip dom extension not available');
+--
+2.24.1
+
diff --git a/php-bug78599.patch b/php-bug78599.patch
new file mode 100644
index 0000000..106b080
--- /dev/null
+++ b/php-bug78599.patch
@@ -0,0 +1,53 @@
+From 6e705460ff4f02358b9fb037169c53f4103a21b7 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sat, 12 Oct 2019 15:56:16 +0100
+Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)
+ (CVE-2019-11043)
+
+cheery-picked from ab061f95ca966731b1c84cf5b7b20155c0a1c06a
+without the test as tester not available
+---
+ sapi/fpm/fpm/fpm_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index 695839cd9a..88c7c9f118 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1208,8 +1208,8 @@ static void init_request_info(void)
+ path_info = script_path_translated + ptlen;
+ tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
+ } else {
+- path_info = env_path_info ? env_path_info + pilen - slen : NULL;
+- tflag = (orig_path_info != path_info);
++ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
++ tflag = path_info && (orig_path_info != path_info);
+ }
+
+ if (tflag) {
+From 8df4c9426c4810699e9290382d4e60453caa96e2 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 22 Oct 2019 08:41:53 +0200
+Subject: [PATCH] add NEWS entry
+
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index a3c0c90143..b5a736947b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.33
++
++- FPM:
++ . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE).
++ (CVE-2019-11043) (Jakub Zelenka)
++
+ Backported from 7.1.32
+
+ - mbstring:
diff --git a/php-bug78793.patch b/php-bug78793.patch
new file mode 100644
index 0000000..21d7a1d
--- /dev/null
+++ b/php-bug78793.patch
@@ -0,0 +1,62 @@
+From f71d4343a205d820e35a815d298a9bb3e92d49cd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+
+(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba)
+---
+ NEWS | 4 ++++
+ ext/exif/exif.c | 5 +++--
+ ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78793.phpt
+
+diff --git a/NEWS b/NEWS
+index 39a2f43818..723cc69be6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -13,6 +13,10 @@ Backported from 7.2.26
+ . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
+ byte). (CVE-2019-11045). (cmb)
+
++- EXIF:
++ . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
++ (CVE-2019-11050). (Nikita)
++
+ Backported from 7.1.33
+
+ - FPM:
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 3f8dd907dc..a7da928800 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2820,8 +2820,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ }
+
+ for (de=0;de<NumDirEntries;de++) {
+- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
++ size_t offset = 2 + 12 * de;
++ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
++ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
+ return FALSE;
+ }
+ }
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
++++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #78793: Use-after-free in exif parsing under memory sanitizer
++--FILE--
++<?php
++$f = "ext/exif/tests/bug77950.tiff";
++for ($i = 0; $i < 10; $i++) {
++ @exif_read_data($f);
++}
++?>
++===DONE===
++--EXPECT--
++===DONE===
diff --git a/php-bug78862.patch b/php-bug78862.patch
new file mode 100644
index 0000000..1ecc1f5
--- /dev/null
+++ b/php-bug78862.patch
@@ -0,0 +1,68 @@
+From 76a8b07ed74add68c52ed1a5399416ff267cef88 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 10:53:47 +0100
+Subject: [PATCH] Fix #78862: link() silently truncates after a null byte on
+ Windows
+
+Since link() is supposed to accepts paths (i.e. strings without NUL
+bytes), we must not accept arbitrary strings.
+
+(cherry picked from commit 0e6c0654ed06751ced134515f7629c40bd979d7f)
+---
+ NEWS | 4 ++++
+ ext/standard/link_win32.c | 2 +-
+ .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt
+
+diff --git a/NEWS b/NEWS
+index 29fcce8947..02cd502c8c 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ Backported from 7.2.26
+ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
+ (cmb)
+
++- Core:
++ . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
++ (CVE-2019-11044). (cmb)
++
+ Backported from 7.1.33
+
+ - FPM:
+diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c
+index 0068a3edb1..c6133c7ef6 100644
+--- a/ext/standard/link_win32.c
++++ b/ext/standard/link_win32.c
+@@ -208,7 +208,7 @@ PHP_FUNCTION(link)
+
+ /*First argument to link function is the target and hence should go to frompath
+ Second argument to link function is the link itself and hence should go to topath */
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
+ return;
+ }
+
+diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt
+new file mode 100644
+index 0000000000..33b4b49293
+--- /dev/null
++++ b/ext/standard/tests/file/windows_links/bug78862.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78862 (link() silently truncates after a null byte on Windows)
++--FILE--
++<?php
++file_put_contents(__DIR__ . '/bug78862.target', 'foo');
++var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more"));
++var_dump(file_exists(__DIR__ . '/bug78862.link'));
++?>
++--EXPECTF--
++Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d
++NULL
++bool(false)
++--CLEAN--
++<?php
++unlink(__DIR__ . '/bug78862.target');
++unlink(__DIR__ . '/bug78862.link');
++?>
diff --git a/php-bug78863.patch b/php-bug78863.patch
new file mode 100644
index 0000000..b218dfc
--- /dev/null
+++ b/php-bug78863.patch
@@ -0,0 +1,85 @@
+From f76bef09fce6c438ecee2d2e6f9804d54709174b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 11:03:29 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+ a null byte
+
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+
+(cherry picked from commit a5a15965da23c8e97657278fc8dfbf1dfb20c016)
+---
+ NEWS | 2 ++
+ ext/spl/spl_directory.c | 4 ++--
+ ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug78863.phpt
+
+diff --git a/NEWS b/NEWS
+index 02cd502c8c..39a2f43818 100644
+--- a/NEWS
++++ b/NEWS
+@@ -10,6 +10,8 @@ Backported from 7.2.26
+ - Core:
+ . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
+ (CVE-2019-11044). (cmb)
++ . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
++ byte). (CVE-2019-11045). (cmb)
+
+ Backported from 7.1.33
+
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index 300cf01909..abfce1525a 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -684,10 +684,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
+
+ if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+ flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
+ } else {
+ flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
+ }
+ if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+ flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
++++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #78863 (DirectoryIterator class silently truncates after a null byte)
++--FILE--
++<?php
++$dir = __DIR__ . '/bug78863';
++mkdir($dir);
++touch("$dir/bad");
++mkdir("$dir/sub");
++touch("$dir/sub/good");
++
++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
++foreach ($it as $fileinfo) {
++ if (!$fileinfo->isDot()) {
++ var_dump($fileinfo->getFilename());
++ }
++}
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:
++#0 %s(%d): DirectoryIterator->__construct('%s')
++#1 {main}
++ thrown in %s on line %d
++--CLEAN--
++<?php
++$dir = __DIR__ . '/bug78863';
++unlink("$dir/sub/good");
++rmdir("$dir/sub");
++unlink("$dir/bad");
++rmdir($dir);
++?>
diff --git a/php-bug78875.patch b/php-bug78875.patch
new file mode 100644
index 0000000..87bc103
--- /dev/null
+++ b/php-bug78875.patch
@@ -0,0 +1,38 @@
+From a8aca370e9ba4d9b402f1c6256653c683c4019a1 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:26:53 +0100
+Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
+ cleaned
+
+We must not cast `size_t` to `int` (unless the `size_t` value is
+guaranteed to be less than or equal to `INT_MAX`). In this case we can
+declare `array_len` as `size_t` in the first place.
+
+(cherry picked from commit 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
+---
+ main/rfc1867.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 5949802d6d..ee07ea557d 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -690,7 +690,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *lbuf = NULL, *abuf = NULL;
+ zend_string *temp_filename = NULL;
+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++ size_t array_len = 0;
+ int64_t total_bytes = 0, max_file_size = 0;
+ int skip_upload = 0, anonindex = 0, is_anonymous;
+ HashTable *uploaded_files = NULL;
+@@ -1124,7 +1125,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
+
+ if (is_arr_upload) {
+- array_len = (int)strlen(start_arr);
++ array_len = strlen(start_arr);
+ if (array_index) {
+ efree(array_index);
+ }
diff --git a/php-bug78876.patch b/php-bug78876.patch
new file mode 100644
index 0000000..d6333b5
--- /dev/null
+++ b/php-bug78876.patch
@@ -0,0 +1,74 @@
+From 07007c74a4f30407668548bfb8ab67eb48fcb2f3 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:57:42 +0100
+Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not
+ cleaned
+
+We use the proper type for size calculations, which is `size_t`.
+
+(cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124)
+---
+ main/rfc1867.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index ee07ea557d..6159284311 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -614,7 +614,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
+ {
+ size_t len, max;
+ char *bound;
+@@ -653,7 +653,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ self->buf_begin += len;
+ }
+
+- return (int)len;
++ return len;
+ }
+
+ /*
+@@ -663,7 +663,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
+ {
+ char buf[FILLUNIT], *out=NULL;
+- int total_bytes=0, read_bytes=0;
++ size_t total_bytes=0, read_bytes=0;
+
+ while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
+ out = erealloc(out, total_bytes + read_bytes + 1);
+From c2776813404fbf5d35e3cc7b3d831f449887b0e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 11 May 2020 14:28:51 -0700
+Subject: [PATCH] Update NEWS
+
+(cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705)
+(cherry picked from commit f1a89efe27650b62d58fceb77252480b19da6555)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 6310d94581..e153539d98 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.31
++
++- Core:
++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
++ (CVE-2019-11048) (cmb)
++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
++ files are not cleaned). (CVE-2019-11048) (cmb)
++
+ Backported from 7.2.30
+
+ - Standard:
diff --git a/php-bug78878.patch b/php-bug78878.patch
new file mode 100644
index 0000000..7cba243
--- /dev/null
+++ b/php-bug78878.patch
@@ -0,0 +1,68 @@
+From 4bd85120b04621bee88b54f4b4f23fa1386d37ec Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 30 Nov 2019 12:26:37 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+
+(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
+---
+ NEWS | 6 ++++++
+ ext/bcmath/libbcmath/src/str2num.c | 4 ++--
+ ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug78878.phpt
+
+diff --git a/NEWS b/NEWS
+index b5a736947b..29fcce8947 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.26
++
++- Bcmath:
++ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
++ (cmb)
++
+ Backported from 7.1.33
+
+ - FPM:
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index 62544de80e..76b71a7e93 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
++++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
+ zero_int = FALSE;
+ if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
+ while (*ptr == '0') ptr++; /* Skip leading zeros. */
+- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
+ if (*ptr == '.') ptr++; /* decimal point */
+- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
+ if ((*ptr != '\0') || (digits+strscale == 0))
+ {
+ *num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #78878 (Buffer underflow in bc_shift_addsub)
++--SKIPIF--
++<?php
++if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
++?>
++--FILE--
++<?php
++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
++?>
++--EXPECT--
++bc math warning: non-zero scale in modulus
++0
diff --git a/php-bug78910.patch b/php-bug78910.patch
new file mode 100644
index 0000000..f164d0a
--- /dev/null
+++ b/php-bug78910.patch
@@ -0,0 +1,148 @@
+From 75149a9a02d3bc44411a6e7ab35aee7110d053f3 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 00:10:39 -0800
+Subject: [PATCH] Fixed bug #78910
+
+(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7)
+---
+ NEWS | 2 ++
+ ext/exif/exif.c | 3 ++-
+ ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78910.phpt
+
+diff --git a/NEWS b/NEWS
+index 723cc69be6..ba237b8e33 100644
+--- a/NEWS
++++ b/NEWS
+@@ -16,6 +16,8 @@ Backported from 7.2.26
+ - EXIF:
+ . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
+ (CVE-2019-11050). (Nikita)
++ . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
++ (Nikita)
+
+ Backported from 7.1.33
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a7da928800..9e42a62812 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2748,7 +2748,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ continue;
+ if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
+ continue;
+- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
++ if (maker_note->id_string && value_len >= maker_note->id_string_len
++ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+ continue;
+ break;
+ }
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+new file mode 100644
+index 0000000000..f5b1c32c1b
+--- /dev/null
++++ b/ext/exif/tests/bug78910.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
++--FILE--
++<?php
++
++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
++
++?>
++--EXPECTF--
++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++
++Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++
++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++
++Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++bool(false)
+From ec1dc05c2415f55507b5710dbeed9f0623c9b44d Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 15:26:04 +0100
+Subject: [PATCH] Fix tests
+
+---
+ ext/bcmath/tests/bug72093-win32.phpt | 2 +-
+ ext/bcmath/tests/bug75178-win32.phpt | 4 ++--
+ ext/exif/tests/bug76557.phpt | 2 +-
+ ext/exif/tests/bug78910.phpt | 8 ++++----
+ ext/spl/tests/bug54291.phpt | 2 +-
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ext/bcmath/tests/bug72093-win32.phpt b/ext/bcmath/tests/bug72093-win32.phpt
+index a9b2077823..bcea8740b5 100644
+--- a/ext/bcmath/tests/bug72093-win32.phpt
++++ b/ext/bcmath/tests/bug72093-win32.phpt
+@@ -14,5 +14,5 @@ var_dump(bcpowmod(1, 1.2, 1, 1));
+ ?>
+ --EXPECTF--
+ string(1) "1"
+-string(3) "0.0"
+ bc math warning: non-zero scale in exponent
++string(3) "0.0"
+diff --git a/ext/bcmath/tests/bug75178-win32.phpt b/ext/bcmath/tests/bug75178-win32.phpt
+index bae590fb5b..c70e3aa810 100644
+--- a/ext/bcmath/tests/bug75178-win32.phpt
++++ b/ext/bcmath/tests/bug75178-win32.phpt
+@@ -14,8 +14,8 @@ var_dump(bcpowmod('4', '4', '3.1', 3));
+ ?>
+ ===DONE===
+ --EXPECT--
++bc math warning: non-zero scale in base
+ string(5) "1.000"
++bc math warning: non-zero scale in modulus
+ string(5) "1.000"
+ ===DONE===
+-bc math warning: non-zero scale in base
+-bc math warning: non-zero scale in modulus
+diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
+index 4553b62772..8920de658a 100644
+--- a/ext/exif/tests/bug76557.phpt
++++ b/ext/exif/tests/bug76557.phpt
+@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
+
+ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+
+-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
++Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d
+
+ Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
+
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+index f5b1c32c1b..7e40b82389 100644
+--- a/ext/exif/tests/bug78910.phpt
++++ b/ext/exif/tests/bug78910.phpt
+@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA
+
+ ?>
+ --EXPECTF--
+-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++Notice: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+
+-Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+
+-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+
+-Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Invalid TIFF file in %s on line %d
+ bool(false)
+diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt
+index c0119c4360..5e4a5a0607 100644
+--- a/ext/spl/tests/bug54291.phpt
++++ b/ext/spl/tests/bug54291.phpt
+@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
+ $dir = new DirectoryIterator("\x00/abc");
+ $dir->isFile();
+ --EXPECTF--
+-Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
+ Stack trace:
+ #0 %s(%d): DirectoryIterator->__construct('\x00/abc')
+ #1 {main}
diff --git a/php-bug79037.patch b/php-bug79037.patch
new file mode 100644
index 0000000..65d9a39
--- /dev/null
+++ b/php-bug79037.patch
@@ -0,0 +1,93 @@
+From 8abd64d9c5999d42b8e93ab21e84911ec4ca751e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jan 2020 21:42:44 -0800
+Subject: [PATCH] Fix bug #79037 (global buffer-overflow in
+ `mbfl_filt_conv_big5_wchar`)
+
+(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501)
+---
+ ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++-----
+ ext/mbstring/tests/bug79037.phpt | 10 ++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug79037.phpt
+
+diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+index 122ff4c778..657eb98aa5 100644
+--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c
++++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = {
+ {0xf70f,0xf848,0xc740,0xc8fe},
+ };
+
++static inline int is_in_cp950_pua(int c1, int c) {
++ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
++ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) {
++ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);
++ }
++ if (c1 == 0xc6) {
++ return c >= 0xa1 && c <= 0xfe;
++ }
++ return 0;
++}
++
+ /*
+ * Big5 => wchar
+ */
+@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter)
+
+ if (filter->from->no_encoding == mbfl_no_encoding_cp950) {
+ /* PUA for CP950 */
+- if (w <= 0 &&
+- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
+- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8))
+- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) ||
+- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) {
++ if (w <= 0 && is_in_cp950_pua(c1, c)) {
+ c2 = c1 << 8 | c;
+ for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) {
+ if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) {
+diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt
+new file mode 100644
+index 0000000000..94ff01a4a1
+--- /dev/null
++++ b/ext/mbstring/tests/bug79037.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar`
++--FILE--
++<?php
++
++var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950"));
++
++?>
++--EXPECT--
++string(1) "?"
+From 2f7a097fb2ad1020a179e596f9ee18b02d0d90ae Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 21 Jan 2020 09:36:28 +0100
+Subject: [PATCH] update NEWS
+
+---
+ NEWS | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index ba237b8e33..a1dc8a81c3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,15 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.27
++
++- Mbstring:
++ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`).
++ (CVE-2020-7060) (Nikita)
++
++- Standard:
++ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb)
++
+ Backported from 7.2.26
+
+ - Bcmath:
diff --git a/php-bug79082.patch b/php-bug79082.patch
new file mode 100644
index 0000000..384ecd7
--- /dev/null
+++ b/php-bug79082.patch
@@ -0,0 +1,152 @@
+From a4173e5e7a7f0f927c7bd8fcaffbc0d2caa914d9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 22:17:14 -0800
+Subject: [PATCH 4/5] Fix bug #79082 - Files added to tar with
+ Phar::buildFromIterator have all-access permissions
+
+(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6)
+---
+ ext/phar/phar_object.c | 11 +++++
+ ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++
+ ext/phar/tests/test79082/test79082-testfile | 1 +
+ ext/phar/tests/test79082/test79082-testfile2 | 1 +
+ 4 files changed, 65 insertions(+)
+ create mode 100644 ext/phar/tests/bug79082.phpt
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile2
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index d4ad4e0dcf..8a0d369287 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -1451,6 +1451,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
+ char *str_key;
+ zend_class_entry *ce = p_obj->c;
+ phar_archive_object *phar_obj = p_obj->p;
++ php_stream_statbuf ssb;
+
+ value = iter->funcs->get_current_data(iter);
+
+@@ -1745,6 +1746,16 @@ after_open_fp:
+ php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
+ data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
+ php_stream_tell(p_obj->fp) - data->internal_file->offset;
++ if (php_stream_stat(fp, &ssb) != -1) {
++ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
++ } else {
++#ifndef _WIN32
++ mode_t mask;
++ mask = umask(0);
++ umask(mask);
++ data->internal_file->flags &= ~mask;
++#endif
++ }
+ }
+
+ if (close_fp) {
+diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
+new file mode 100644
+index 0000000000..ca453d1b57
+--- /dev/null
++++ b/ext/phar/tests/bug79082.phpt
+@@ -0,0 +1,52 @@
++--TEST--
++Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
++--SKIPIF--
++<?php
++if (!extension_loaded("phar")) die("skip");
++if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
++?>
++--FILE--
++<?php
++umask(022);
++var_dump(decoct(umask()));
++chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
++chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
++
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++ clearstatcache();
++ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
++ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
++ $phar->extractTo(__DIR__);
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++ unlink(__DIR__ . '/test79082-testfile');
++ unlink(__DIR__ . '/test79082-testfile2');
++}
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++ clearstatcache();
++ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
++ $phar->buildFromDirectory(__DIR__ . '/test79082');
++ $phar->extractTo(__DIR__);
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++ unlink(__DIR__ . '/test79082-testfile');
++ unlink(__DIR__ . '/test79082-testfile2');
++}
++?>
++--CLEAN--
++<?
++unlink(__DIR__ . '/test79082.tar');
++unlink(__DIR__ . '/test79082.zip');
++unlink(__DIR__ . '/test79082-d.tar');
++unlink(__DIR__ . '/test79082-d.zip');
++?>
++--EXPECT--
++string(2) "22"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
+diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile
+@@ -0,0 +1 @@
++test
+diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile2
+@@ -0,0 +1 @@
++test
+--
+2.24.1
+
+From 9e5dbc9e3c6d970868d112175a286ceddc648aff Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 Feb 2020 06:35:00 +0100
+Subject: [PATCH 5/5] NEWS
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 9467c98e33..853e9b5341 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,14 @@ Backported from 7.2.28
+ . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita,
+ cmb)
+
++- Phar:
++ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
++ all-access permissions). (CVE-2020-7063) (stas)
++
++- Session:
++ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
++ (CVE-2020-7062) (stas)
++
+ Backported from 7.2.27
+
+ - Mbstring:
+--
+2.24.1
+
diff --git a/php-bug79099.patch b/php-bug79099.patch
new file mode 100644
index 0000000..3de1998
--- /dev/null
+++ b/php-bug79099.patch
@@ -0,0 +1,113 @@
+From 89084ce9e34ed38403f8cbb5d67e6299f1b1ab60 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jan 2020 21:33:17 -0800
+Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
+
+(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09)
+---
+ ext/standard/string.c | 6 ++---
+ ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/file/bug79099.phpt
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index a8b39ee615..c4b5e031ed 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -4757,7 +4757,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+ if (state == 4) {
+ /* Inside <!-- comment --> */
+ break;
+- } else if (state == 2 && *(p-1) != '\\') {
++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
+ if (lc == c) {
+ lc = '\0';
+ } else if (lc != '\\') {
+@@ -4784,7 +4784,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+
+ case '!':
+ /* JavaScript & Other HTML scripting languages */
+- if (state == 1 && *(p-1) == '<') {
++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ state = 3;
+ lc = c;
+ } else {
+@@ -4811,7 +4811,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+
+ case '?':
+
+- if (state == 1 && *(p-1) == '<') {
++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ br=0;
+ state=2;
+ break;
+diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
+new file mode 100644
+index 0000000000..7c842f4654
+--- /dev/null
++++ b/ext/standard/tests/file/bug79099.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #79099 (OOB read in php_strip_tags_ex)
++--FILE--
++<?php
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<?\n\"\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n!\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n?\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++?>
++--EXPECT--
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
+From 740b58637d71aade0a748117b7fbe9a21a1fab70 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 22 Jan 2020 22:36:53 -0800
+Subject: [PATCH] More checks for php_strip_tags_ex
+
+(cherry picked from commit 2dc170e25d86a725fefd4c08f2bd8378820b28f5)
+---
+ ext/standard/string.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index c4b5e031ed..7c044af0fd 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -4707,7 +4707,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+ switch (state) {
+ case 1: /* HTML/XML */
+ lc = '>';
+- if (is_xml && *(p -1) == '-') {
++ if (is_xml && p >= buf + 1 && *(p-1) == '-') {
+ break;
+ }
+ in_q = state = is_xml = 0;
+@@ -4728,7 +4728,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+ break;
+
+ case 2: /* PHP */
+- if (!br && lc != '\"' && *(p-1) == '?') {
++ if (!br && lc != '\"' && p >= buf + 1 && *(p-1) == '?') {
+ in_q = state = 0;
+ tp = tbuf;
+ }
diff --git a/php-bug79221.patch b/php-bug79221.patch
new file mode 100644
index 0000000..3b1c372
--- /dev/null
+++ b/php-bug79221.patch
@@ -0,0 +1,86 @@
+From 28397333d0b510c7759ee272fb7521f9d9358e9b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 20:52:19 -0800
+Subject: [PATCH 3/5] Fix bug #79221 - Null Pointer Dereference in PHP Session
+ Upload Progress
+
+(cherry picked from commit d76f7c6c636b8240e06a1fa29eebb98ad005008a)
+---
+ ext/session/session.c | 8 +++---
+ ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 3 deletions(-)
+ create mode 100644 ext/session/tests/bug79221.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index daea59c4ff..4d397c3bca 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -3108,9 +3108,11 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
+ if (PS(rfc1867_cleanup)) {
+ php_session_rfc1867_cleanup(progress);
+ } else {
+- add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
+- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+- php_session_rfc1867_update(progress, 1);
++ if (!Z_ISUNDEF(progress->data)) {
++ add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
++ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
++ php_session_rfc1867_update(progress, 1);
++ }
+ }
+ php_rshutdown_session_globals();
+ }
+diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt
+new file mode 100644
+index 0000000000..b0972c4697
+--- /dev/null
++++ b/ext/session/tests/bug79221.phpt
+@@ -0,0 +1,45 @@
++--TEST--
++Null Pointer Dereference in PHP Session Upload Progress
++--INI--
++error_reporting=0
++file_uploads=1
++upload_max_filesize=1024
++session.save_path=
++session.name=PHPSESSID
++session.serialize_handler=php
++session.use_strict_mode=0
++session.use_cookies=1
++session.use_only_cookies=0
++session.upload_progress.enabled=1
++session.upload_progress.cleanup=0
++session.upload_progress.prefix=upload_progress_
++session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
++session.upload_progress.freq=1%
++session.upload_progress.min_freq=0.000000001
++--COOKIE--
++PHPSESSID=session-upload
++--POST_RAW--
++Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHPSESSID"
++
++session-upload
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
++
++ryat
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; file="file"; ryat="filename"
++
++1
++-----------------------------20896060251896012921717172737--
++--FILE--
++<?php
++
++session_start();
++var_dump($_SESSION);
++session_destroy();
++
++--EXPECTF--
++array(0) {
++}
+--
+2.24.1
+
diff --git a/php-bug79282.patch b/php-bug79282.patch
new file mode 100644
index 0000000..a026939
--- /dev/null
+++ b/php-bug79282.patch
@@ -0,0 +1,110 @@
+From 59119490c9e2359ea720928b2e71b68e5c20f195 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:26:00 -0700
+Subject: [PATCH] Fixed bug #79282
+
+(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216)
+(cherry picked from commit 8577fa5891220dac40d42b2f745fa159dcd871ad)
+---
+ ext/exif/exif.c | 7 ++++++-
+ ext/exif/tests/bug79282.phpt | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug79282.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 9e42a62812..4c38f17593 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3242,6 +3242,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
+ {
+ unsigned exif_value_2a, offset_of_ifd;
+
++ if (length < 2) {
++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
++ return;
++ }
++
+ /* set the thumbnail stuff to nothing so we can test to see if they get set up */
+ if (memcmp(CharBuf, "II", 2) == 0) {
+ ImageInfo->motorola_intel = 0;
+@@ -3394,7 +3399,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo)
+ return FALSE;
+ }
+
+- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
+ Data = ImageInfo->file.list[sn].data;
+
+ /* Store first two pre-read bytes. */
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+new file mode 100644
+index 0000000000..7b7e365657
+--- /dev/null
++++ b/ext/exif/tests/bug79282.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #79282: Use-of-uninitialized-value in exif
++--FILE--
++<?php
++
++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
++
++?>
++--EXPECTF--
++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++
++Warning: exif_read_data(): File structure corrupted in %s on line %d
++
++Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++bool(false)
+From c1d08859cdac23aeff99953797231f6824d045c5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:55:28 -0700
+Subject: [PATCH] Fix test
+
+(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be)
+(cherry picked from commit ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c)
+---
+ ext/exif/tests/bug79282.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index 7b7e365657..df91127c9c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
+
+ Warning: exif_read_data(): File structure corrupted in %s on line %d
+
+From 51cc7a6225bbf1f7dfe0ffeb318fb0ff098780f9 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:23:32 +0100
+Subject: [PATCH] fix test
+
+(cherry picked from commit b42b6d0ff774fdced1155cb0c721d91914d619f5)
+---
+ ext/exif/tests/bug79282.phpt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index df91127c9c..142cf28a6c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d
+
+-Warning: exif_read_data(): File structure corrupted in %s on line %d
++Warning: exif_read_data(%s): File structure corrupted in %s on line %d
+
+-Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d
+ bool(false)
diff --git a/php-bug79329.patch b/php-bug79329.patch
new file mode 100644
index 0000000..0101c68
--- /dev/null
+++ b/php-bug79329.patch
@@ -0,0 +1,57 @@
+From b9a1e6bfd762d2bf7fa3c5bbcfbb6dcdfdfa982c Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:25:12 +0100
+Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0
+
+From 0d139c5b94a5f485a66901919e51faddb0371c43
+
+(cherry picked from commit b7b9302660a23a67285e204bc3d7fcf6ba7f6533)
+---
+ ext/standard/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 9c42afbdea..2990bd96f6 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -659,7 +659,7 @@ PHP_FUNCTION(get_headers)
+ HashTable *hashT;
+ zend_long format = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &url, &url_len, &format) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &url, &url_len, &format) == FAILURE) {
+ return;
+ }
+ context = FG(default_context) ? FG(default_context) : (FG(default_context) = php_stream_context_alloc());
+From 4844343ac37e8e3ca4d995b1d91fc0f9daf03d5f Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 19:35:26 -0700
+Subject: [PATCH] [ci skip] Update NEWS
+
+(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5)
+(cherry picked from commit 03471e31c9b467d1d8d944e44fa009ef247e81bd)
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 853e9b5341..f2f1d2ed2a 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.29
++
++- Core:
++ . Fixed bug #79329 (get_headers() silently truncates after a null byte)
++ (CVE-2020-7066) (cmb)
++
++- EXIF:
++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064)
++ (Nikita)
++
+ Backported from 7.2.28
+
+ - DOM:
diff --git a/php-bug79330.patch b/php-bug79330.patch
new file mode 100644
index 0000000..a041f0f
--- /dev/null
+++ b/php-bug79330.patch
@@ -0,0 +1,31 @@
+From d35cb9cdee586a9668ca1d9a72ffdb4f0902b2ba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:00:44 -0700
+Subject: [PATCH] Fix bug #79330 - make all execution modes consistent in
+ rejecting \0
+
+(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62)
+---
+ ext/standard/exec.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ext/standard/exec.c b/ext/standard/exec.c
+index d6f0cbfeb2..e486f52a3d 100644
+--- a/ext/standard/exec.c
++++ b/ext/standard/exec.c
+@@ -524,6 +524,15 @@ PHP_FUNCTION(shell_exec)
+ return;
+ }
+
++ if (!command_len) {
++ php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
++ RETURN_FALSE;
++ }
++ if (strlen(command) != command_len) {
++ php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
++ RETURN_FALSE;
++ }
++
+ #ifdef PHP_WIN32
+ if ((in=VCWD_POPEN(command, "rt"))==NULL) {
+ #else
diff --git a/php-bug79465.patch b/php-bug79465.patch
new file mode 100644
index 0000000..87477e4
--- /dev/null
+++ b/php-bug79465.patch
@@ -0,0 +1,59 @@
+From 865342c94703cc5a1d0890b51b47a300c0d297ec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:07:04 -0700
+Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes.
+
+(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be)
+---
+ ext/standard/url.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 2990bd96f6..a9cc06b1c0 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -540,7 +540,7 @@ PHPAPI size_t php_url_decode(char *str, size_t len)
+ #ifndef CHARSET_EBCDIC
+ *dest = (char) php_htoi(data + 1);
+ #else
+- *dest = os_toebcdic[(char) php_htoi(data + 1)];
++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ data += 2;
+ len -= 2;
+@@ -632,7 +632,7 @@ PHPAPI size_t php_raw_url_decode(char *str, size_t len)
+ #ifndef CHARSET_EBCDIC
+ *dest = (char) php_htoi(data + 1);
+ #else
+- *dest = os_toebcdic[(char) php_htoi(data + 1)];
++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ data += 2;
+ len -= 2;
+From a83b195cb02e3b42c2fa9e0387922acba4fc7cce Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:02:28 +0200
+Subject: [PATCH] NEWS
+
+(cherry picked from commit bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index f2f1d2ed2a..6310d94581 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.30
++
++- Standard:
++ . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas)
++ . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas)
++
+ Backported from 7.2.29
+
+ - Core:
diff --git a/php-bug79699.patch b/php-bug79699.patch
new file mode 100644
index 0000000..b37cbbf
--- /dev/null
+++ b/php-bug79699.patch
@@ -0,0 +1,142 @@
+From 33a0a05b0995907eb1b2b922676ab765ac6fcac2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 20 Sep 2020 18:08:55 -0700
+Subject: [PATCH] Do not decode cookie names anymore
+
+(cherry picked from commit 6559fe912661ca5ce5f0eeeb591d928451428ed0)
+---
+ main/php_variables.c | 8 ++++++--
+ tests/basic/022.phpt | 10 +++++++---
+ tests/basic/023.phpt | 4 +++-
+ tests/basic/bug79699.phpt | 22 ++++++++++++++++++++++
+ 4 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/basic/bug79699.phpt
+
+diff --git a/main/php_variables.c b/main/php_variables.c
+index d3cfb7f737..50ecc663bd 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -464,7 +464,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
+ size_t new_val_len;
+
+ *val++ = '\0';
+- php_url_decode(var, strlen(var));
++ if (arg != PARSE_COOKIE) {
++ php_url_decode(var, strlen(var));
++ }
+ val_len = php_url_decode(val, strlen(val));
+ val = estrndup(val, val_len);
+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
+@@ -475,7 +477,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
+ size_t val_len;
+ size_t new_val_len;
+
+- php_url_decode(var, strlen(var));
++ if (arg != PARSE_COOKIE) {
++ php_url_decode(var, strlen(var));
++ }
+ val_len = 0;
+ val = estrndup("", val_len);
+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
+diff --git a/tests/basic/022.phpt b/tests/basic/022.phpt
+index 0ab70d4be7..bd1db13701 100644
+--- a/tests/basic/022.phpt
++++ b/tests/basic/022.phpt
+@@ -10,7 +10,7 @@ cookie1=val1 ; cookie2=val2%20; cookie3=val 3.; cookie 4= value 4 %3B; cookie1=
+ var_dump($_COOKIE);
+ ?>
+ --EXPECT--
+-array(10) {
++array(12) {
+ ["cookie1"]=>
+ string(6) "val1 "
+ ["cookie2"]=>
+@@ -19,11 +19,15 @@ array(10) {
+ string(6) "val 3."
+ ["cookie_4"]=>
+ string(10) " value 4 ;"
++ ["%20cookie1"]=>
++ string(6) "ignore"
++ ["+cookie1"]=>
++ string(6) "ignore"
+ ["cookie__5"]=>
+ string(7) " value"
+- ["cookie_6"]=>
++ ["cookie%206"]=>
+ string(3) ""
+- ["cookie_7"]=>
++ ["cookie+7"]=>
+ string(0) ""
+ ["$cookie_8"]=>
+ string(0) ""
+diff --git a/tests/basic/023.phpt b/tests/basic/023.phpt
+index ca5f1dcfbb..0e2e0ac669 100644
+--- a/tests/basic/023.phpt
++++ b/tests/basic/023.phpt
+@@ -10,9 +10,11 @@ c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;name="value","valu
+ var_dump($_COOKIE);
+ ?>
+ --EXPECT--
+-array(3) {
++array(4) {
+ ["c_o_o_k_i_e"]=>
+ string(5) "value"
++ ["c%20o+o_k+i%20e"]=>
++ string(1) "v"
+ ["name"]=>
+ string(24) ""value","value",UEhQIQ=="
+ ["UEhQIQ"]=>
+diff --git a/tests/basic/bug79699.phpt b/tests/basic/bug79699.phpt
+new file mode 100644
+index 0000000000..fc3d3fedb0
+--- /dev/null
++++ b/tests/basic/bug79699.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++Cookies Security Bug
++--INI--
++max_input_vars=1000
++filter.default=unsafe_raw
++--COOKIE--
++__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar
++--FILE--
++<?php
++var_dump($_COOKIE);
++?>
++--EXPECT--
++array(4) {
++ ["__%48ost-evil"]=>
++ string(4) "evil"
++ ["__Host-evil"]=>
++ string(4) "good"
++ ["%66oo"]=>
++ string(3) "baz"
++ ["foo"]=>
++ string(3) "bar"
++}
+From 4248ab3d8ef089f23b93cdf979ce7a5690f8bf9d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 29 Sep 2020 09:11:38 +0200
+Subject: [PATCH] NEWS
+
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index d826960c11..47848d24b7 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.34
++
++- Core:
++ . Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
++ cookies can be sent). (CVE-2020-7070) (Stas)
++
+ Backported from 7.2.33
+
+ - Core:
diff --git a/php-bug79797.patch b/php-bug79797.patch
new file mode 100644
index 0000000..c386b13
--- /dev/null
+++ b/php-bug79797.patch
@@ -0,0 +1,52 @@
+Partial, without binary part
+
+
+
+From bd3395d35b2bbed0f6716c33cff217b00eddc2eb Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 14 Jul 2020 17:04:24 +0200
+Subject: [PATCH] Fix #79797: Use of freed hash key in the phar_parse_zipfile
+ function
+
+We must not use heap memory after we freed it.
+
+(cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187)
+---
+ NEWS | 6 ++++++
+ ext/phar/tests/bug79797.phar | Bin 0 -> 274 bytes
+ ext/phar/tests/bug79797.phpt | 14 ++++++++++++++
+ ext/phar/zip.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug79797.phar
+ create mode 100644 ext/phar/tests/bug79797.phpt
+
+diff --git a/NEWS b/NEWS
+index e153539d98..2655a1747f 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.33
++
++- Phar:
++ . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
++ function). (CVE-2020-7068) (cmb)
++
+ Backported from 7.2.31
+
+ - Core:
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index 1c05fbd80f..f9b43a5487 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -704,7 +704,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ efree(actual_alias);
+ }
+
+- zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);
++ zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata);
+ } else {
+ phar_archive_data *fd_ptr;
+
diff --git a/php-bug79877.patch b/php-bug79877.patch
new file mode 100644
index 0000000..932edb2
--- /dev/null
+++ b/php-bug79877.patch
@@ -0,0 +1,62 @@
+From 849eea1e486b64530235f03a91079337851f2d85 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 21 Jul 2020 11:07:43 +0200
+Subject: [PATCH] Fix #79877: getimagesize function silently truncates after a
+ null byte
+
+We have to check for NUL bytes if `getimagesize()` has been called.
+
+(cherry picked from commit ff577b04c0d250473a0ef46f8e332960fec3ca2c)
+---
+ NEWS | 4 ++++
+ ext/standard/image.c | 5 +++++
+ ext/standard/tests/image/bug79877.phpt | 9 +++++++++
+ 3 files changed, 18 insertions(+)
+ create mode 100644 ext/standard/tests/image/bug79877.phpt
+
+diff --git a/NEWS b/NEWS
+index 2655a1747f..d826960c11 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP NEWS
+
+ Backported from 7.2.33
+
++- Core:
++ . Fixed bug #79877 (getimagesize function silently truncates after a null
++ byte) (cmb)
++
+ - Phar:
+ . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
+ function). (CVE-2020-7068) (cmb)
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index 2074d289df..c2f40923ad 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -1403,6 +1403,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
+ return;
+ }
+
++ if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
++ php_error_docref(NULL, E_WARNING, "Invalid path");
++ return;
++ }
++
+ if (argc == 2) {
+ zval_dtor(info);
+ array_init(info);
+diff --git a/ext/standard/tests/image/bug79877.phpt b/ext/standard/tests/image/bug79877.phpt
+new file mode 100644
+index 0000000000..92e93e59e5
+--- /dev/null
++++ b/ext/standard/tests/image/bug79877.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #79877 (getimagesize function silently truncates after a null byte)
++--FILE--
++<?php
++var_dump(getimagesize("/tmp/a.png\0xx"));
++?>
++--EXPECTF--
++Warning: getimagesize(): Invalid path in %s on line %d
++NULL
diff --git a/php-openssl-cert.patch b/php-openssl-cert.patch
index adea20c..771645d 100644
--- a/php-openssl-cert.patch
+++ b/php-openssl-cert.patch
@@ -1,3 +1,7 @@
+Without binary patch
+
+
+
From f51062523d03911cc141507112e3ce14b41f73a2 Mon Sep 17 00:00:00 2001
From: Alexander Kurilo <alex@kurilo.me>
Date: Mon, 31 Dec 2018 12:19:36 +0300
@@ -201,3 +205,147 @@ index 39d62b29c901..3bca7cb640c6 100644
]);
var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
CODE;
+From 4c49896e965358ecbceb95f0afbb26a0d03f8221 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 Feb 2020 09:53:18 +0100
+Subject: [PATCH] renew certs for openssl tests
+
+---
+ ext/openssl/tests/bug54992-ca.pem | 54 +++++++++---------
+ ext/openssl/tests/bug54992.pem | 28 ++++-----
+ ext/openssl/tests/bug65538.phar | Bin 11278 -> 11278 bytes
+ .../tests/openssl_peer_fingerprint_basic.phpt | 4 +-
+ 4 files changed, 43 insertions(+), 43 deletions(-)
+
+diff --git a/ext/openssl/tests/bug54992-ca.pem b/ext/openssl/tests/bug54992-ca.pem
+index 743a11e8fd..266f08c907 100644
+--- a/ext/openssl/tests/bug54992-ca.pem
++++ b/ext/openssl/tests/bug54992-ca.pem
+@@ -1,35 +1,35 @@
+ -----BEGIN CERTIFICATE-----
+-MIIGAzCCA+ugAwIBAgIUZ7ZvvfVqSEf1EswMT9LfMIPc/U8wDQYJKoZIhvcNAQEL
++MIIGAzCCA+ugAwIBAgIUZOucIjT7OfT7rQQu4W5rghLGMYEwDQYJKoZIhvcNAQEL
+ BQAwgZAxCzAJBgNVBAYTAlBUMQ8wDQYDVQQIDAZMaXNib2ExDzANBgNVBAcMBkxp
+ c2JvYTEXMBUGA1UECgwOUEhQIEZvdW5kYXRpb24xHjAcBgNVBAMMFVJvb3QgQ0Eg
+ Zm9yIFBIUCBUZXN0czEmMCQGCSqGSIb3DQEJARYXaW50ZXJuYWxzQGxpc3RzLnBo
+-cC5uZXQwHhcNMTgxMjMxMDg0NDU3WhcNMjAwMjA0MDg0NDU3WjCBkDELMAkGA1UE
++cC5uZXQwHhcNMjAwMjE4MDg1MDM0WhcNMjEwMzI0MDg1MDM0WjCBkDELMAkGA1UE
+ BhMCUFQxDzANBgNVBAgMBkxpc2JvYTEPMA0GA1UEBwwGTGlzYm9hMRcwFQYDVQQK
+ DA5QSFAgRm91bmRhdGlvbjEeMBwGA1UEAwwVUm9vdCBDQSBmb3IgUEhQIFRlc3Rz
+ MSYwJAYJKoZIhvcNAQkBFhdpbnRlcm5hbHNAbGlzdHMucGhwLm5ldDCCAiIwDQYJ
+-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAPVThsunmhda5hbNi+pXD3WF9ijryB9H
+-JDnIbPW/vMffWcQgtiRzc+6aCykBygnhnN91NNRpxOsoLCb7OjUMM0TjhSE9DxKD
+-aVLRoDcs5VSaddQjq3AwdkU6ek9InUOeDuZ8gatrpWlEyuQPwwnMAfR9NkcTajuF
+-hGO0BlqkHg98GckQD0N5x6CrrDJt6RE6hf9gUZSGSWdPTiETBQUN8LTuxo/ybFSN
+-hcpVNCF+r3eozATbSU8YvQU52RmPIZWHHmYb7KtMO3TEX4LnLJUOefUK4qk+ZJ0s
+-f4JfnY7RhBlZGh2kIyE5jwqz8/KzKtxrutNaupdTFZO8nX09QSgmDCxVWVclrPaG
+-q2ZFYpeauTy71pTm8DjF7PwQI/+PUrBdFIX0V6uxqUEG0pvPdb8zenVbaK4Jh39u
+-w0V5tH/rbtd7zZX4vl3bmKo1Wk0SQxd83iXitxLiJnWNOsmrJcM/Hx91kE10+/ly
+-zgL/w5A9HSA616kfPdNzny0laH1TXVLJsnyyV3DyfnU4O6VI0JG3WjhgRdMkgobn
+-GvGJ2ZsZAxds9lBtT2y+gw5BU+jkSilPk3jM9MA7Kmyci93U9xxMuDNzyUzfcnXR
+-UIq99dZWeMMy1LT3buZXrAWu1WRgPdQtDKcQHDIQaIkxlWsT8q2q/wIirb6fwxlw
+-vXkFp+aEP35BAgMBAAGjUzBRMB0GA1UdDgQWBBR37F1+W1gcCp8bhZaFFi9JKQhu
+-tTAfBgNVHSMEGDAWgBR37F1+W1gcCp8bhZaFFi9JKQhutTAPBgNVHRMBAf8EBTAD
+-AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAYHqpISUI/x8UW33i35rYkFYNvXBMQDc8J
+-v4G2eqEBNCOVmHg6P//lq1F2jrtAEr/saESN1uS1Q80sUsthlVsceV1z1isdpugG
+-kMbfHxLe0QpthnP3PEChQw30TPB22BThuGVkteNSZKTCPGdzjSTPq2kOR6PCBZRd
+-r0r/TW3lT/Ng3KgjT6g7E3ZUpAeFEQMlmNYr/eEOL7K+1jzQrbCLmXbs6rmtffr7
+-n4p+wMPMPaSRqQoQ86ff9GPzxWuAQGlytVoiS5Xt3jotd/RWlOy0YQ2QSzOQvFUW
+-4te5lwdOvOFnJTo43U3DqASqMcaazvIsN41zVlOyOyKEr9oZERju6FU1aZmuZtHQ
+-wMCmXVj/Swj67Zp9tG+vVQenbEk314+8c2nenuOIFP1F2C/NG3vMLIpENRGxpmAm
+-s5gIT6mXvJ4JCwWYc75zucOr2KVkDmEziJh/pARuOrOAPdc6NjKku8HBC9UI96+x
+-Db4hG2SqXUzShkFX/px7vlCADvgO3FDk2aiyW02PFsItob2O6OB98VGsU26hgRO/
+-Czz/jbjWTPHNOt6/fcL0m7XLwlJ+K9gRArY15DeJGumcHEq/Vd/Z8iPQKKdzgF4O
+-9XFZvu+VHP82AS5TeiYHCddFJyzktQYcNu5/OBuxzO83d7rpqrLFETTEOL4cN8O7
+-LJ7Q89hYAQ==
++KoZIhvcNAQEBBQADggIPADCCAgoCggIBANDtiwpbgpWNthaPNRpgjvNagqaq1EjS
++19CNFq1+w5jRI8K130RvAWkDwnDcr70RSuNKhbJ2dEool3sUi8puNdvWLa8p95k9
++wg1HtCICixxIdLoYAzprkBJw7QUu/XH9SJeJRkYL7EUFoSDnQF9kbW1qMxZBRlFI
++JEacK1crUBGekudu1DjHCM6dumyObrH4FYZtDdKHLu3PVTO299J7ILsHlAJ31qOG
++zK96yBkjRomru/+Yr9ZjT915slvg19+PGLRSRLMXoolw+WEk5gc00/AsGqXQpavN
++njDu9uw+33Eimrj8KnVsCh9cBQFmrCdqOdJmv8VwD63lcYLruAXkfHIUgdyeVMVT
++Q8O+bgGQWaUrxRED4pJ932TicC23BhiZ/78/nyLwry473mHSIw4Y3M6kGSmEOs+3
++fDcsF8waqOeGXbgdOUjBTu92io+lGsCnUZBRe7sOus6aKHYDE1aBDeGtO4oALS+V
++kNrbCh/VpRIwO9Ah4PvxweqW0ZdloW3TRIXRgRxmGJ9NFe1Rkvv7FB7i2l8IeAKS
++ckuew31vxP6LgGUe5j/qt6xv6GOysefOCAAoHHeNEH+ZSlD1tiglvMVhsUmY9Rit
++XEnB+X8FtOAM3SFiX5tsgB6n4hRKue5WkZywnbkPx7sDu4LQCA00i55dzjP/39M0
++yPnsQrJfOnj5AgMBAAGjUzBRMB0GA1UdDgQWBBSHvApjxItCycV/u9J4Z3b6UAP7
++jzAfBgNVHSMEGDAWgBSHvApjxItCycV/u9J4Z3b6UAP7jzAPBgNVHRMBAf8EBTAD
++AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB6ffwQmqI9Rq3qiPspJiFLsAT9Um8A/kd0
++unYdMyBRl9T0llGXBeN3YYrJLVAd01UAOSSDV3Cf8L2J2zvKRT8YbC3/LxB/RLIM
++/eHVMGSxpy0S5U8HVChbYGEx/zC9p71HwL31Xj+NfOW1nFbEEPqSbGRmou+X2twZ
++Omwz4Vm4MEpIQLRdgV5bLMN1SETH3TGwdMmTE2S8iKrqeDGB8NEl2LcDvbHAvPNw
++KjitZRiicU99KzSSiGh7dsG/d9JsZqtCSmD+a2PesoUPSPsCaInLQG3aGkApt8Gl
++TtFTxJo9QW7YWxFr9Efb2eU6UIilPSsVj8tvIfS1PRTTJrOlBpJDI6TL5YYtFuw3
++Ij27ILbXSwqUM5MIDYoRDxschNiMRhkRjmnebir2KQdvbt43rW8czwooOzTkd1Bi
++RCAbUCAh1TqVu4vLGcoA8/Rf/1n4M8Zdgq19yfInmU4xs7kaiVvnnAxLSF1TmJl6
++8FCN7ONvHNNXciRkzIxw5Yn6GODa/e8Fzvaza/vkSvW4ry4Hu7T6ze10SuHagN3R
++wwBGBlEI5FEyEKFsTZeHdDMoYzv7Ls4OXZzAo7B/Lwa4OTql7ApVw7MwHEplN3SS
++1Qn4YhhmwJqiGvTGQZSA1gv6Ua/HPHjs1y1fSz+uRukUqlBemDhllmVjWHKJetOv
+++FMLf6DmBw==
+ -----END CERTIFICATE-----
+diff --git a/ext/openssl/tests/bug54992.pem b/ext/openssl/tests/bug54992.pem
+index f207c30448..a04c68cfa0 100644
+--- a/ext/openssl/tests/bug54992.pem
++++ b/ext/openssl/tests/bug54992.pem
+@@ -1,26 +1,26 @@
+ -----BEGIN CERTIFICATE-----
+-MIID7jCCAdYCFDw0rvm7q8y5HfispK5A2I2+RBqHMA0GCSqGSIb3DQEBCwUAMIGQ
++MIID7jCCAdYCFF2eDgBNSufPjQA1YmkSEu4tWGvTMA0GCSqGSIb3DQEBCwUAMIGQ
+ MQswCQYDVQQGEwJQVDEPMA0GA1UECAwGTGlzYm9hMQ8wDQYDVQQHDAZMaXNib2Ex
+ FzAVBgNVBAoMDlBIUCBGb3VuZGF0aW9uMR4wHAYDVQQDDBVSb290IENBIGZvciBQ
+ SFAgVGVzdHMxJjAkBgkqhkiG9w0BCQEWF2ludGVybmFsc0BsaXN0cy5waHAubmV0
+-MB4XDTE4MTIzMTA4NDY0M1oXDTIwMDIwNDA4NDY0M1owWjEXMBUGA1UEAxMOYnVn
++MB4XDTIwMDIxODA4NTA0N1oXDTIxMDMyNDA4NTA0N1owWjEXMBUGA1UEAxMOYnVn
+ NTQ5OTIubG9jYWwxCzAJBgNVBAYTAlBUMQ8wDQYDVQQHEwZMaXNib2ExDzANBgNV
+ BAgTBkxpc2JvYTEQMA4GA1UEChMHcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOB
+ jQAwgYkCgYEAtUAVQKTgpUPgtFOJ3w3kDJETS45tWeT96kUg1NeYLKW+jNbFhxPo
+ PJv7XhfemCaqh2tbq1cdYW906Wp1L+eNQvdTYA2IQG4EQBUlmfyIakOIMsN/RizV
+ kF09vlNQwTpaMpqTv7wB8vvwbxb9jbC2ZhQUBEg6PIn18dSstbM9FZ0CAwEAATAN
+-BgkqhkiG9w0BAQsFAAOCAgEAKtSMguV5ZQ2KpdZ9MAFa+GiHL0APb58OrvwNK4BF
+-6032UZLOWnsBZlo85WGLNnIT/GNzKKr7n9jHeuZcBVOFQLsebahSlfJZs9FPatlI
+-9Md1tRzVoTKohjG86HeFhhL+gZQ69SdIcK40wpH1qNv7KyMGA8gnx6rRKbOxZqsx
+-pkA/wS7CTqP9/DeOxh/MZPg7N/GZXW1QOz+SE537E9iyiRsbldNYFtwn5iaVfjpr
+-xz09wYYW3HJpR+QKPCfJ79JxDhuMHMoUOpIy8vGFnt5zVTcFLa378Sy3vCT1Qwvt
+-tTavFGHby4A7OqT6xu+9GTW37OaiV91UelLLV0+MoR4XiMVMX76mvqzmKCp6L9ae
+-7RYHrrCtNxkYUKUSkOEc2VHnT+sENkJIZu7zzN7/QNlc0yE9Rtsmgy4QAxo2m9u0
+-pUZLAulZ1lS7g/sr7/8Pp17RDvJiJh+oAPyVYZ7OoLF1IoHDHcZI0bqcqhDhiHZs
+-PXYqyMCxyYzHFOAOgvbrEkmp8z/E8ATVwdUbAYN1dMrYHre1P4HFEtJh2QiGG2KE
+-4jheuNhH1R25AizbwYbD33Kdp7ltCgBlfYqjl771SlgY45QYs0mUdc1Pv39SGIwf
+-ZUm7mOWjaTBdYANrkvGM5NNT9kESjKkWykyTg4UF5rHV6nlyexR4b3fjabroi4BS
+-v6w=
++BgkqhkiG9w0BAQsFAAOCAgEAEhDpl41vWZF9lGSlxz5uwIGguibrbeBYn/1PYpw4
++jF0i/DxNWYmAh/9vM/ClXhL9rVtHev88eO6goIDjiU2W59ksffxxw0Xno6XOgElb
++8sdWBF4wLKiCuZrAYJ+N+CWKWkWFgsdBEHGktBk/UIh7Aw2LjVneMMj8lIgpDw9l
++PfMZ1SAajBEh5D4TrM6TR3ImT2x0t4Rb1LOrfdn34eHHp/K1wpsZfDwzQKXF1RNb
++XqQwzsB5kEMdOBC1ykOXcLqiUPxMakiVAfnt8w1UCdCB3TH63HkxATqoqZLXFYRX
++JZRLkAUvoqdDNVP2gOYRewInWJL+EaRNt3P5DR8tEgCOUyw0UYgpI7KDHV5cL3MB
++JKeLXmQu0o9ZviPk3saEdmhnSaPCGcVoF5E1vnSudcla7wz65U0w+bEX94DxGad/
++CrsGVS0VbdTV6lPQgcbP/IP4sxBUqZvpDlr20XzgsgdwCBgGwcJ47Y1zDQh17sAe
++rZxhtxHG6PJbCwdj7z9FNgsMPmfFXoqcLFyN+N3vbGMpOaO6KCoylmFvNSQCwFrm
++y/V+z5fQFe42trqLr04DEVw7rzGN6I8vyGPu7267FNDO5bdwuJ0FVjB88IW2mcRw
++S52CzP5H7wavwVsKQ9iZTsBWYwxiU2YCwjhx0v5WWZAnQfjjzA5vvFokWhrWDvca
++auw=
+ -----END CERTIFICATE-----
+ -----BEGIN RSA PRIVATE KEY-----
+ MIICXgIBAAKBgQC1QBVApOClQ+C0U4nfDeQMkRNLjm1Z5P3qRSDU15gspb6M1sWH
+diff --git a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
+index 3bca7cb640..49ecaac7e6 100644
+--- a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
++++ b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
+@@ -36,13 +36,13 @@ $clientCode = <<<'CODE'
+ // openssl x509 -noout -fingerprint -md5 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
+ // Currently it's 4edbbaf40a6a4b6af22b6d6d9818378f
+ // One below is intentionally broken (compare the last character):
+- stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '4edbbaf40a6a4b6af22b6d6d98183780');
++ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '9aa2c02d62358f2fa0db575806e37799');
+ var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
+
+ // Run the following to get actual sha256 (from sources root):
+ // openssl x509 -noout -fingerprint -sha256 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
+ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [
+- 'sha256' => 'b1d480a2f83594fa243d26378cf611f334d369e59558d87e3de1abe8f36cb997',
++ 'sha256' => '62e70554daabf366ba9ada30d3af794ec421368e79b68f64dc9ed546d834ae7d',
+ ]);
+ var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
+ CODE;
diff --git a/php.spec b/php.spec
index 5f07455..da48921 100644
--- a/php.spec
+++ b/php.spec
@@ -56,10 +56,19 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
%if 0%{?rhel} == 6
+%ifarch x86_64
+%global oraclever 18.5
+%else
%global oraclever 18.3
+%endif
%global oraclelib 18.1
+
+%else
+%ifarch x86_64
+%global oraclever 19.8
%else
-%global oraclever 19.3
+%global oraclever 19.6
+%endif
%global oraclelib 19.1
%endif
@@ -77,12 +86,7 @@
# Optional components; pass "--with mssql" etc to rpmbuild.
%global with_oci8 %{?_with_oci8:1}%{!?_with_oci8:0}
%global with_imap 1
-# until firebird available in EPEL
-%if 0%{?rhel} == 8
-%global with_interbase 0
-%else
%global with_interbase 1
-%endif
%global with_mcrypt 1
%global with_freetds 1
%global with_tidy 1
@@ -137,7 +141,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 13%{?dist}
+Release: 23%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -198,7 +202,6 @@ Patch91: php-5.6.3-oci8conf.patch
# Upstream fixes (100+)
Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch
Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch
-Patch102: php-openssl-cert.patch
Patch103: php-bug76846.patch
# Security fixes (200+)
@@ -229,12 +232,34 @@ Patch223: php-bug78256.patch
Patch224: php-bug77919.patch
Patch225: php-bug75457.patch
Patch226: php-bug78380.patch
+Patch227: php-bug78599.patch
+Patch228: php-bug78878.patch
+Patch229: php-bug78862.patch
+Patch230: php-bug78863.patch
+Patch231: php-bug78793.patch
+Patch232: php-bug78910.patch
+Patch233: php-bug79099.patch
+Patch234: php-bug79037.patch
+Patch235: php-bug77569.patch
+Patch236: php-bug79221.patch
+Patch237: php-bug79082.patch
+Patch238: php-bug79282.patch
+Patch239: php-bug79329.patch
+Patch240: php-bug79330.patch
+Patch241: php-bug79465.patch
+Patch242: php-bug78875.patch
+Patch243: php-bug78876.patch
+Patch244: php-bug79797.patch
+Patch245: php-bug79877.patch
+Patch246: php-bug79699.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
Patch300: php-7.0.10-datetests.patch
# Revert changes for pcre < 8.34
Patch301: php-7.0.0-oldpcre.patch
+# Renew openssl certs
+Patch302: php-openssl-cert.patch
# WIP
@@ -945,7 +970,7 @@ support for JavaScript Object Notation (JSON) to PHP.
%if 0%{?rhel}
%patch9 -p1 -b .curltls
%endif
-%if 0%{?fedora} >= 29 || 0%{?rhel} >= 8
+%if 0%{?fedora} >= 29 || 0%{?rhel} >= 7
%patch10 -p1 -b .icu62
%endif
@@ -966,7 +991,6 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
# upstream patches
%patch100 -p1 -b .up1
%patch101 -p1 -b .up2
-%patch102 -p1 -b .up3
%patch103 -p1 -b .bug76846
# security patches
@@ -997,6 +1021,26 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch224 -p1 -b .bug77919
%patch225 -p1 -b .bug75457
%patch226 -p1 -b .bug78380
+%patch227 -p1 -b .bug78599
+%patch228 -p1 -b .bug78878
+%patch229 -p1 -b .bug78862
+%patch230 -p1 -b .bug78863
+%patch231 -p1 -b .bug78793
+%patch232 -p1 -b .bug78910
+%patch233 -p1 -b .bug79099
+%patch234 -p1 -b .bug79037
+%patch235 -p1 -b .bug77569
+%patch236 -p1 -b .bug79221
+%patch237 -p1 -b .bug79082
+%patch238 -p1 -b .bug79282
+%patch239 -p1 -b .bug79329
+%patch240 -p1 -b .bug79330
+%patch241 -p1 -b .bug79465
+%patch242 -p1 -b .bug78875
+%patch243 -p1 -b .bug78876
+%patch244 -p1 -b .bug79797
+%patch245 -p1 -b .bug79877
+%patch246 -p1 -b .bug79699
: ---------------------------
#exit 1
@@ -1008,6 +1052,9 @@ if ! pkg-config libpcre --atleast-version 8.34 ; then
%patch301 -p1 -b .pcre834
fi
%endif
+# New openssl certs
+%patch302 -p1 -b .renewcert
+rm ext/openssl/tests/bug65538_003.phpt
# WIP patch
@@ -1145,6 +1192,12 @@ exit 1
%build
+# This package fails to build with LTO due to undefined symbols. LTO
+# was disabled in OpenSuSE as well, but with no real explanation why
+# beyond the undefined symbols. It really shold be investigated further.
+# Disable LTO
+%define _lto_cflags %{nil}
+
# aclocal workaround - to be improved
cat $(aclocal --print-ac-dir)/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4
@@ -1389,6 +1442,7 @@ cd build-apache
# Run tests, using the CLI SAPI
export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2
export SKIP_ONLINE_TESTS=1
+export SKIP_SLOW_TESTS=1
unset TZ LANG LC_ALL
if ! make test; then
set +x
@@ -1761,13 +1815,9 @@ cat << EOF
WARNING : PHP 7.0 have reached its "End of Life" in
December 2018. Even, if this package includes some of
- the important security fix, backported from 7.1, the
+ the important security fix, backported from 7.2, the
UPGRADE to a maintained version is very strongly RECOMMENDED.
-%if %{?fedora}%{!?fedora:99} < 28
- WARNING : Fedora %{fedora} is now EOL :
- You should consider upgrading to a supported release
-%endif
=====================================================================
EOF
@@ -1949,6 +1999,78 @@ EOF
%changelog
+* Tue Sep 29 2020 Remi Collet <remi@remirepo.net> - 7.0.33-23
+- Core:
+ Fix #79699 PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
+ CVE-2020-7070
+
+* Tue Aug 4 2020 Remi Collet <remi@remirepo.net> - 7.0.33-22
+- Core:
+ Fix #79877 getimagesize function silently truncates after a null byte
+- Phar:
+ Fix #79797 use of freed hash key in the phar_parse_zipfile function
+ CVE-2020-7068
+
+* Tue May 12 2020 Remi Collet <remi@remirepo.net> - 7.0.33-21
+- Core:
+ Fix #78875 Long filenames cause OOM and temp files are not cleaned
+ CVE-2019-11048
+ Fix #78876 Long variables in multipart/form-data cause OOM and temp
+ files are not cleaned
+
+* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.0.33-20
+- standard:
+ Fix #79330 shell_exec silently truncates after a null byte
+ Fix #79465 OOB Read in urldecode
+ CVE-2020-7067
+
+* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.0.33-19
+- standard:
+ Fix #79329 get_headers() silently truncates after a null byte
+ CVE-2020-7066
+- exif:
+ Fix #79282 Use-of-uninitialized-value in exif
+ CVE-2020-7064
+- use oracle client library version 19.6 (18.5 on EL-6)
+
+* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.0.33-18
+- dom:
+ Fix #77569 Write Access Violation in DomImplementation
+- phar:
+ Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
+ CVE-2020-7063
+- session:
+ Fix #79221 Null Pointer Dereference in PHP Session Upload Progress
+ CVE-2020-7062
+
+* Thu Jan 23 2020 Remi Collet <remi@remirepo.net> - 7.0.33-17
+- mbstring:
+ Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
+ CVE-2020-7060
+- standard:
+ Fix #79099 OOB read in php_strip_tags_ex
+ CVE-2020-7059
+
+* Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 7.0.33-15
+- bcmath:
+ Fix #78878 Buffer underflow in bc_shift_addsub
+ CVE-2019-11046
+- core:
+ Fix #78862 link() silently truncates after a null byte on Windows
+ CVE-2019-11044
+ Fix #78863 DirectoryIterator class silently truncates after a null byte
+ CVE-2019-11045
+- exif
+ Fix #78793 Use-after-free in exif parsing under memory sanitizer
+ CVE-2019-11050
+ Fix #78910 Heap-buffer-overflow READ in exif
+ CVE-2019-11047
+- use oracle client library version 19.5 (18.5 on EL-6)
+
+* Tue Oct 22 2019 Remi Collet <remi@remirepo.net> - 7.0.33-14
+- FPM:
+ Fix CVE-2019-11043 env_path_info underflow in fpm_main.c
+
* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 7.0.33-13
- mbstring:
Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe