From 11b950e90bcd9f0f3a7906cd3f2ae0c2e323f860 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 13 May 2026 16:31:07 +0200 Subject: Fix XSS within status endpoint CVE-2026-6735 Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map CVE-2026-6722 Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261 Fix Broken Apache map value NULL check CVE-2026-7262 Fix Signed integer overflow of char array offset CVE-2026-7568 --- php-cve-2026-7568.patch | 90 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 php-cve-2026-7568.patch (limited to 'php-cve-2026-7568.patch') diff --git a/php-cve-2026-7568.patch b/php-cve-2026-7568.patch new file mode 100644 index 0000000..f3e7186 --- /dev/null +++ b/php-cve-2026-7568.patch @@ -0,0 +1,90 @@ +From 99eec43bb407d42855eaa9ff6af64df1ee2c20dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= +Date: Sun, 3 May 2026 20:02:57 +0200 +Subject: [PATCH 4/6] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer + overflow of char array offset + +Fixes GHSA-96wq-48vp-hh57 +Fixes CVE-2026-7568 + +(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32) +(cherry picked from commit e4fc187a011d91f26178f6dfbccdb07041b99153) +(cherry picked from commit 53de456406a6db5a8bcded8a4b242789ae5b2690) +(cherry picked from commit 909c2acc64d72bd57123b30e711c02aef0c08d14) + +[skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt + +As requested by the reporter. + +(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974) +(cherry picked from commit 101e93900888ef43d42ec0e33866bca3824f51a8) +(cherry picked from commit 41134d0746a524d7265b67d3d8d0fd433fd7479a) +(cherry picked from commit b40b656c0fe8080f9cd097bf77b7a3681ea3e7a0) +(cherry picked from commit 9e4b7c856c57deda7b7887da7978328ec8b57187) +(cherry picked from commit b7702525bc4a540eb36f392a13461971a1bac31a) +(cherry picked from commit b6affc4bc51768aec7ad8737f4486597939b0bd4) +--- + ext/standard/metaphone.c | 8 ++++---- + ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++ + 2 files changed, 26 insertions(+), 4 deletions(-) + create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt + +diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c +index 9bf67bbda89..23ebf144e76 100644 +--- a/ext/standard/metaphone.c ++++ b/ext/standard/metaphone.c +@@ -122,10 +122,10 @@ char _codes[26] = + + /* Allows us to safely look ahead an arbitrary # of letters */ + /* I probably could have just used strlen... */ +-static char Lookahead(char *word, int how_far) ++static char Lookahead(char *word, size_t how_far) + { + char letter_ahead = '\0'; /* null by default */ +- int idx; ++ size_t idx; + for (idx = 0; word[idx] != '\0' && idx < how_far; idx++); + /* Edge forward in the string... */ + +@@ -167,8 +167,8 @@ static char Lookahead(char *word, int how_far) + */ + static int metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional) + { +- int w_idx = 0; /* point in the phonization we're at. */ +- int p_idx = 0; /* end of the phoned phrase */ ++ size_t w_idx = 0; /* point in the phonization we're at. */ ++ size_t p_idx = 0; /* end of the phoned phrase */ + size_t max_buffer_len = 0; /* maximum length of the destination buffer */ + + /*-- Parameter checks --*/ +diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt +new file mode 100644 +index 00000000000..cf9a40062f8 +--- /dev/null ++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt +@@ -0,0 +1,22 @@ ++--TEST-- ++GHSA-96wq-48vp-hh57: signed integer overflow of char array offset ++--CREDITS-- ++Aleksey Solovev (Positive Technologies) ++--INI-- ++memory_limit=3G ++--SKIPIF-- ++ ++--FILE-- ++ ++===DONE=== ++--EXPECT-- ++===DONE=== +-- +2.54.0 + -- cgit