From 551f96862bcde0240976c067e36ed67a6977ad8f Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 17 Mar 2020 08:44:47 +0100 Subject: standard: Fix #79329 get_headers() silently truncates after a null byte CVE-2020-7066 exif: Fix #79282 Use-of-uninitialized-value in exif CVE-2020-7064 use oracle client library version 19.6 (18.5 on EL-6) --- php-bug79282.patch | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79329.patch | 57 +++++++++++++++++++++++++++ php.spec | 17 ++++++++- 3 files changed, 182 insertions(+), 2 deletions(-) create mode 100644 php-bug79282.patch create mode 100644 php-bug79329.patch diff --git a/php-bug79282.patch b/php-bug79282.patch new file mode 100644 index 0000000..a026939 --- /dev/null +++ b/php-bug79282.patch @@ -0,0 +1,110 @@ +From 59119490c9e2359ea720928b2e71b68e5c20f195 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Mar 2020 17:26:00 -0700 +Subject: [PATCH] Fixed bug #79282 + +(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216) +(cherry picked from commit 8577fa5891220dac40d42b2f745fa159dcd871ad) +--- + ext/exif/exif.c | 7 ++++++- + ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug79282.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 9e42a62812..4c38f17593 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3242,6 +3242,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, + { + unsigned exif_value_2a, offset_of_ifd; + ++ if (length < 2) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); ++ return; ++ } ++ + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ + if (memcmp(CharBuf, "II", 2) == 0) { + ImageInfo->motorola_intel = 0; +@@ -3394,7 +3399,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) + return FALSE; + } + +- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); ++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); + Data = ImageInfo->file.list[sn].data; + + /* Store first two pre-read bytes. */ +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +new file mode 100644 +index 0000000000..7b7e365657 +--- /dev/null ++++ b/ext/exif/tests/bug79282.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #79282: Use-of-uninitialized-value in exif ++--FILE-- ++ ++--EXPECTF-- ++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++ ++Warning: exif_read_data(): File structure corrupted in %s on line %d ++ ++Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++bool(false) +From c1d08859cdac23aeff99953797231f6824d045c5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Mar 2020 17:55:28 -0700 +Subject: [PATCH] Fix test + +(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be) +(cherry picked from commit ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c) +--- + ext/exif/tests/bug79282.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index 7b7e365657..df91127c9c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d + + Warning: exif_read_data(): File structure corrupted in %s on line %d + +From 51cc7a6225bbf1f7dfe0ffeb318fb0ff098780f9 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 17 Mar 2020 07:23:32 +0100 +Subject: [PATCH] fix test + +(cherry picked from commit b42b6d0ff774fdced1155cb0c721d91914d619f5) +--- + ext/exif/tests/bug79282.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index df91127c9c..142cf28a6c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d ++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d + +-Warning: exif_read_data(): File structure corrupted in %s on line %d ++Warning: exif_read_data(%s): File structure corrupted in %s on line %d + +-Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d + bool(false) diff --git a/php-bug79329.patch b/php-bug79329.patch new file mode 100644 index 0000000..0101c68 --- /dev/null +++ b/php-bug79329.patch @@ -0,0 +1,57 @@ +From b9a1e6bfd762d2bf7fa3c5bbcfbb6dcdfdfa982c Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 17 Mar 2020 07:25:12 +0100 +Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0 + +From 0d139c5b94a5f485a66901919e51faddb0371c43 + +(cherry picked from commit b7b9302660a23a67285e204bc3d7fcf6ba7f6533) +--- + ext/standard/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 9c42afbdea..2990bd96f6 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -659,7 +659,7 @@ PHP_FUNCTION(get_headers) + HashTable *hashT; + zend_long format = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &url, &url_len, &format) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &url, &url_len, &format) == FAILURE) { + return; + } + context = FG(default_context) ? FG(default_context) : (FG(default_context) = php_stream_context_alloc()); +From 4844343ac37e8e3ca4d995b1d91fc0f9daf03d5f Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Mar 2020 19:35:26 -0700 +Subject: [PATCH] [ci skip] Update NEWS + +(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5) +(cherry picked from commit 03471e31c9b467d1d8d944e44fa009ef247e81bd) +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index 853e9b5341..f2f1d2ed2a 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.29 ++ ++- Core: ++ . Fixed bug #79329 (get_headers() silently truncates after a null byte) ++ (CVE-2020-7066) (cmb) ++ ++- EXIF: ++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) ++ (Nikita) ++ + Backported from 7.2.28 + + - DOM: diff --git a/php.spec b/php.spec index fa99981..268c1af 100644 --- a/php.spec +++ b/php.spec @@ -63,7 +63,7 @@ %endif %global oraclelib 18.1 %else -%global oraclever 19.5 +%global oraclever 19.6 %global oraclelib 19.1 %endif @@ -141,7 +141,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 18%{?dist} +Release: 19%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -243,6 +243,8 @@ Patch234: php-bug79037.patch Patch235: php-bug77569.patch Patch236: php-bug79221.patch Patch237: php-bug79082.patch +Patch238: php-bug79282.patch +Patch239: php-bug79329.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1023,6 +1025,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch235 -p1 -b .bug77569 %patch236 -p1 -b .bug79221 %patch237 -p1 -b .bug79082 +%patch238 -p1 -b .bug79282 +%patch239 -p1 -b .bug79329 : --------------------------- #exit 1 @@ -1975,6 +1979,15 @@ EOF %changelog +* Tue Mar 17 2020 Remi Collet - 5.6.40-19 +- standard: + Fix #79329 get_headers() silently truncates after a null byte + CVE-2020-7066 +- exif: + Fix #79282 Use-of-uninitialized-value in exif + CVE-2020-7064 +- use oracle client library version 19.6 (18.5 on EL-6) + * Tue Feb 18 2020 Remi Collet - 7.0.33-18 - dom: Fix #77569 Write Access Violation in DomImplementation -- cgit