From c1b1b58666af10e584c5e6560f4d227cc806005b Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 5 Mar 2019 08:04:59 +0100 Subject: Fix #77630 rename() across the device may allow unwanted access during processing --- php-bug77630.patch | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php.spec | 8 ++++- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 php-bug77630.patch diff --git a/php-bug77630.patch b/php-bug77630.patch new file mode 100644 index 0000000..208bbb6 --- /dev/null +++ b/php-bug77630.patch @@ -0,0 +1,86 @@ +From e3133e4db70476fb7adfdedb738483e2255ce0e1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 2 Mar 2019 23:42:53 -0800 +Subject: [PATCH] Fix bug #77630 - safer rename() procedure + +In order to rename safer, we do the following: +- set umask to 077 (unfortunately, not TS, so excluding ZTS) +- chown() first, to set proper group before allowing group access +- chmod() after, even if chown() fails +--- + main/streams/plain_wrapper.c | 51 ++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 17 deletions(-) + +diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c +index af890a9aa3bb..7fdf906e6fad 100644 +--- a/main/streams/plain_wrapper.c ++++ b/main/streams/plain_wrapper.c +@@ -1160,34 +1160,51 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f + # ifdef EXDEV + if (errno == EXDEV) { + zend_stat_t sb; ++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE) ++ /* not sure what to do in ZTS case, umask is not thread-safe */ ++ int oldmask = umask(077); ++# endif ++ int success = 0; + if (php_copy_file(url_from, url_to) == SUCCESS) { + if (VCWD_STAT(url_from, &sb) == 0) { ++ success = 1; + # if !defined(TSRM_WIN32) && !defined(NETWARE) +- if (VCWD_CHMOD(url_to, sb.st_mode)) { +- if (errno == EPERM) { +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; +- } ++ /* ++ * Try to set user and permission info on the target. ++ * If we're not root, then some of these may fail. ++ * We try chown first, to set proper group info, relying ++ * on the system environment to have proper umask to not allow ++ * access to the file in the meantime. ++ */ ++ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { + php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; ++ if (errno != EPERM) { ++ success = 0; ++ } + } +- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { +- if (errno == EPERM) { ++ ++ if (success) { ++ if (VCWD_CHMOD(url_to, sb.st_mode)) { + php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; ++ if (errno != EPERM) { ++ success = 0; ++ } + } +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; + } + # endif +- VCWD_UNLINK(url_from); +- return 1; ++ if (success) { ++ VCWD_UNLINK(url_from); ++ } ++ } else { ++ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); + } ++ } else { ++ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); + } +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; ++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE) ++ umask(oldmask); ++# endif ++ return success; + } + # endif + #endif diff --git a/php.spec b/php.spec index 4da7878..487ce62 100644 --- a/php.spec +++ b/php.spec @@ -131,7 +131,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 4%{?dist} +Release: 5%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -208,6 +208,7 @@ Patch209: php-bug77431.patch Patch210: php-bug77540.patch Patch211: php-bug77563.patch Patch212: php-bug77586.patch +Patch213: php-bug77630.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -954,6 +955,7 @@ support for JavaScript Object Notation (JSON) to PHP. %patch210 -p1 -b .bug77540 %patch211 -p1 -b .bug77563 %patch212 -p1 -b .bug77586 +%patch213 -p1 -b .bug77630 : --------------------------- #exit 1 @@ -1906,6 +1908,10 @@ EOF %changelog +* Tue Mar 5 2019 Remi Collet - 7.0.33-5 +- Fix #77630 rename() across the device may allow unwanted access + during processing + * Mon Mar 4 2019 Remi Collet - 7.0.33-4 - exif: Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF -- cgit