From bb9fd7b5f28fe92e098d9782dab18f6e52bf0713 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Thu, 2 Jul 2026 10:12:42 +0200
Subject: Fix Memory corruption in openssl_encrypt with AES-WRAP-PAD
---
 failed.txt | 2 +-
 php-gh22187.patch | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec | 8 +++-
 3 files changed, 130 insertions(+), 2 deletions(-)
 create mode 100644 php-gh22187.patch
diff --git a/failed.txt b/failed.txt
index b0f41a8..3cfbc01 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.0.33-46 (2026-05-13)
+===== 7.0.33-47 (2026-07-02)
 $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
diff --git a/php-gh22187.patch b/php-gh22187.patch
new file mode 100644
index 0000000..7a41072
--- /dev/null
+++ b/php-gh22187.patch
@@ -0,0 +1,122 @@
+From 4eeb25a7ae8f91e517b760423b50a5a5ef9e98fb Mon Sep 17 00:00:00 2001
+From: David Carlier
+Date: Fri, 29 May 2026 21:44:14 +0100
+Subject: [PATCH] ext/openssl: openssl_encrypt() zend mm heap overflow on
+ AES-WRAP-PAD mode.
+
+Fix #22186
+
+close GH-22187
+
+(cherry picked from commit cbc0489126a7682796aad1e5fb4e51de74af162c)
+(cherry picked from commit 95e9851111d249e43948b76663cff1baeb5e758d)
+(cherry picked from commit 2a73e91a9f9136fbbfcc9177573b6af71e3d5dce)
+(cherry picked from commit e058b01e1bd23421a425cffae9f458b0fa8db222)
+(cherry picked from commit 09cccab30d53614bb826e4390ad23ad7451b6d6c)
+(cherry picked from commit f15d1e26160a8175474160907eb6ab7e10090fa0)
+(cherry picked from commit 58c39c2f8402261fd4e8ffd327c37adc53a9c861)
+---
+ NEWS | 6 ++++++
+ ext/openssl/openssl.c | 22 ++++++++++++++++++++++
+ ext/openssl/tests/gh22186.phpt | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 60 insertions(+)
+ create mode 100644 ext/openssl/tests/gh22186.phpt
+
+diff --git a/NEWS b/NEWS
+index b5014af12e..a6fcc89ccd 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.2.32
++
++- OpenSSL:
++ . Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in
++ openssl_encrypt with AES-WRAP-PAD). (David Carlier)
++
+ Backported from 8.2.31
+
+ - FPM:
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 5fbb55b5df..151fddd9ff 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -5728,6 +5728,17 @@ PHP_FUNCTION(openssl_encrypt)
+ free_iv = php_openssl_validate_iv(&iv, &iv_len, max_iv_len);
+
+ outlen = data_len + EVP_CIPHER_block_size(cipher_type);
++#ifdef EVP_CIPH_WRAP_MODE
++ if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) {
++ /*
++ * RFC 5649 wrap-with-padding rounds the input up to the block size
++ * and prepends an integrity block, we reserve one extra block.
++ * See EVP_EncryptUpdate(3): wrap mode may write up to
++ * inl + cipher_block_size bytes.
++ */
++ outlen += EVP_CIPHER_block_size(cipher_type);
++ }
++#endif
+ outbuf = zend_string_alloc(outlen, 0);
+
+ EVP_EncryptInit(cipher_ctx, cipher_type, NULL, NULL);
+@@ -5832,6 +5843,17 @@ PHP_FUNCTION(openssl_decrypt)
+ free_iv = php_openssl_validate_iv(&iv, &iv_len, EVP_CIPHER_iv_length(cipher_type));
+
+ outlen = data_len + EVP_CIPHER_block_size(cipher_type);
++#ifdef EVP_CIPH_WRAP_MODE
++ if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) {
++ /*
++ * RFC 5649 wrap-with-padding rounds the input up to the block size
++ * and prepends an integrity block, we reserve one extra block.
++ * See EVP_EncryptUpdate(3): wrap mode may write up to
++ * inl + cipher_block_size bytes.
++ */
++ outlen += EVP_CIPHER_block_size(cipher_type);
++ }
++#endif
+ outbuf = zend_string_alloc(outlen, 0);
+
+ EVP_DecryptInit(cipher_ctx, cipher_type, NULL, NULL);
+diff --git a/ext/openssl/tests/gh22186.phpt b/ext/openssl/tests/gh22186.phpt
+new file mode 100644
+index 0000000000..8f28e6c45b
+--- /dev/null
++++ b/ext/openssl/tests/gh22186.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++GH-22186 (Heap buffer overflow in openssl_encrypt with AES-WRAP-PAD)
++--EXTENSIONS--
++openssl
++--SKIPIF--
++
++--FILE--
++
++--EXPECT--
++done
+--
+2.54.0
+
diff --git a/php.spec b/php.spec
index 228aad7..684e353 100644
--- a/php.spec
+++ b/php.spec
@@ -136,7 +136,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 46%{?dist}
+Release: 47%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -285,6 +285,8 @@ Patch278: php-cve-2026-7261.patch
 Patch279: php-cve-2026-7262.patch
 Patch280: php-cve-2026-6735.patch
 Patch281: php-cve-2026-7568.patch
+# from 8.2.32
+Patch282: php-gh22187.patch
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
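Review bot: In the embedded php-gh22187.patch, the comment added in the openssl_decrypt hunk of ext/openssl/openssl.c is a verbatim copy of the openssl_encrypt one and still cites EVP_EncryptUpdate(3) and the wrapping direction, so it does not say why the unwrap path needs the extra block. If the reservation there is only defensive symmetry, the comment should say so, for example `/* Wrap mode: keep the same one-block headroom as openssl_encrypt(); unwrap output is not expected to exceed the input. */`, after confirming against EVP_DecryptUpdate(3). Separately, both hunks now add two block sizes to `data_len` with no upper-bound check visible here. The declarations of `outlen` and `data_len` lie outside the hunks, so it is worth confirming that a length near the type's maximum cannot wrap before `zend_string_alloc(outlen, 0)`. Both function bodies start and end outside the hunks.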
@@ -1113,6 +1115,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
 %patch -P279 -p1 -b .cve7262
 %patch -P280 -p1 -b .cve6735
 %patch -P281 -p1 -b .cve7268
+%patch -P282 -p1 -b .gh22187
 # Fixes for tests
 %patch -P300 -p1 -b .datetests
@@ -2068,6 +2071,9 @@ EOF
 %changelog
+* Thu Jul 2 2026 Remi Collet - 7.0.33-47
+- Fix Memory corruption in openssl_encrypt with AES-WRAP-PAD
+
 * Tue May 12 2026 Remi Collet - 7.0.33-46
 - Fix XSS within status endpoint CVE-2026-6735
--
cgit