From e5b6444eef61226b5305c149a2f3da552ba3e771 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 28 May 2019 09:34:16 +0200 Subject: - iconv: Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() CVE-2019-11039 - exif: Fix #77988 Heap-buffer-overflow on php_jpg_get16 CVE-2019-11040 - sqlite3: Fix #77967 Bypassing open_basedir restrictions via file uris --- failed.txt | 2 +- php-bug77967.patch | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug77988.patch | 59 +++++++++++++++++++++++++++++++++++++++++++++ php-bug78069.patch | 36 +++++++++++++++++++++++++++ php.spec | 20 +++++++++++++-- 5 files changed, 185 insertions(+), 3 deletions(-) create mode 100644 php-bug77967.patch create mode 100644 php-bug77988.patch create mode 100644 php-bug78069.patch diff --git a/failed.txt b/failed.txt index e455e82..101a7ad 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -===== 7.0.33-8 (2019-04-30) +===== 7.0.33-9 (2019-05-28) $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log diff --git a/php-bug77967.patch b/php-bug77967.patch new file mode 100644 index 0000000..8d80aee --- /dev/null +++ b/php-bug77967.patch @@ -0,0 +1,71 @@ +From c7d9dee3b911ad6417a6c94dc91f7af7607b313e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 27 May 2019 18:04:00 -0700 +Subject: [PATCH] Fix bug #77967 - Bypassing open_basedir restrictions via file + uris + +(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216) +--- + NEWS | 15 +++++++++------ + ext/sqlite3/sqlite3.c | 9 +++++++++ + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/NEWS b/NEWS +index b6e18aa242..ede58a694e 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,16 +4,19 @@ PHP NEWS + Backported from 7.1.30 + + - EXIF: +- . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). +- (CVE-2019-11040) (Stas) ++ . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). ++ (CVE-2019-11040) (Stas) + + - GD: + . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). +- (CVE-2019-11038) (cmb) ++ (CVE-2019-11038) (cmb) + + - Iconv: + . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() +- due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ ++- SQLite: ++ . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas) + + Backported from 7.1.29 + +@@ -26,8 +29,8 @@ Backported from 7.1.28 + - EXIF: + . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034) + (Stas) +- . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). +- (CVE-2019-11035) (Stas) ++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). ++ (CVE-2019-11035) (Stas) + + - SQLite3: + . Added sqlite3.defensive INI directive. (BohwaZ) +diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c +index 5e6d9dd792..1753b27907 100644 +--- a/ext/sqlite3/sqlite3.c ++++ b/ext/sqlite3/sqlite3.c +@@ -2054,6 +2054,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar + } + #endif + ++ if (strncmp(arg3, "file:", 5) == 0) { ++ /* starts with "file:" */ ++ if (!arg3[5]) { ++ return SQLITE_DENY; ++ } ++ if (php_check_open_basedir(arg3 + 5)) { ++ return SQLITE_DENY; ++ } ++ } + if (php_check_open_basedir(arg3)) { + return SQLITE_DENY; + } diff --git a/php-bug77988.patch b/php-bug77988.patch new file mode 100644 index 0000000..77dbc10 --- /dev/null +++ b/php-bug77988.patch @@ -0,0 +1,59 @@ +Without test as binary patch not supported + + + + +From 205b94a281839a91d805af27b997331e76029a4b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 27 May 2019 17:16:29 -0700 +Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16 + +(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb) +--- + NEWS | 16 +++++++++++++++- + ext/exif/exif.c | 2 ++ + ext/exif/tests/bug77988.jpg | Bin 0 -> 1202 bytes + ext/exif/tests/bug77988.phpt | 11 +++++++++++ + 4 files changed, 28 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug77988.jpg + create mode 100644 ext/exif/tests/bug77988.phpt + +diff --git a/NEWS b/NEWS +index ebcd60c4be..b6e18aa242 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,20 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.1.30 ++ ++- EXIF: ++ . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). ++ (CVE-2019-11040) (Stas) ++ ++- GD: ++ . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). ++ (CVE-2019-11038) (cmb) ++ ++- Iconv: ++ . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() ++ due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ + Backported from 7.1.29 + + - EXIF +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index a9df95d554..dd7d268bbd 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3525,6 +3525,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + if (c == 0xFF) + return FALSE; + marker = c; ++ if (pos>=ImageInfo->Thumbnail.size) ++ return FALSE; + length = php_jpg_get16(data+pos); + if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { + return FALSE; + diff --git a/php-bug78069.patch b/php-bug78069.patch new file mode 100644 index 0000000..2e816c9 --- /dev/null +++ b/php-bug78069.patch @@ -0,0 +1,36 @@ +Without test as binary patch not supported + + + + +From 17d5e269dabc704c1cf24ebb03056142e28c9bfe Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 27 May 2019 16:32:42 -0700 +Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in + iconv.c:_php_iconv_mime_decode() due to integer overflow + +(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac) +--- + ext/iconv/iconv.c | 4 +++- + ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes + ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + create mode 100644 ext/iconv/tests/bug78069.data + create mode 100644 ext/iconv/tests/bug78069.phpt + +diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c +index ea619aa227..06145348f2 100644 +--- a/ext/iconv/iconv.c ++++ b/ext/iconv/iconv.c +@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st + * we can do at this point. */ + if (*(p1 + 1) == '=') { + ++p1; +- --str_left; ++ if (str_left > 1) { ++ --str_left; ++ } + } + + err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); + diff --git a/php.spec b/php.spec index c8813b9..55ae4d5 100644 --- a/php.spec +++ b/php.spec @@ -131,7 +131,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 8%{?dist} +Release: 9%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -215,6 +215,9 @@ Patch215: php-sqlite3-defensive.patch Patch216: php-bug77753.patch Patch217: php-bug77831.patch Patch218: php-bug77950.patch +Patch219: php-bug78069.patch +Patch220: php-bug77988.patch +Patch221: php-bug77967.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -828,7 +831,7 @@ Provides: %{?scl_prefix}php-pdo_dblib, %{?scl_prefix}php-pdo_dblib%{?_isa} %description pdo-dblib The %{?scl_prefix}php-pdo-dblib package contains a dynamic shared object that implements the PHP Data Objects (PDO) interface to enable access from -PHP to Microsoft SQL Server and Sybase databases through the FreeTDS libary. +PHP to Microsoft SQL Server and Sybase databases through the FreeTDS library. %endif %package pspell @@ -974,6 +977,9 @@ support for JavaScript Object Notation (JSON) to PHP. %patch216 -p1 -b .bug77753 %patch217 -p1 -b .bug77831 %patch218 -p1 -b .bug77950 +%patch219 -p1 -b .bug78069 +%patch220 -p1 -b .bug77988 +%patch221 -p1 -b .bug77967 : --------------------------- #exit 1 @@ -1929,6 +1935,16 @@ EOF %changelog +* Tue May 28 2019 Remi Collet - 7.0.33-9 +- iconv: + Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() + CVE-2019-11039 +- exif: + Fix #77988 Heap-buffer-overflow on php_jpg_get16 + CVE-2019-11040 +- sqlite3: + Fix #77967 Bypassing open_basedir restrictions via file uris + * Tue Apr 30 2019 Remi Collet - 7.0.33-8 - exif: Fix #77950 Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG -- cgit