diff options
author | Remi Collet <remi@remirepo.net> | 2020-03-17 09:34:41 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-03-17 09:34:41 +0100 |
commit | b1e6c483142a56315f782827dd9eac76b06864d2 (patch) | |
tree | c717542a0cb8d6e8d35dfd23ca207d6663c71452 | |
parent | aa260171c680e90059482026252bea3c7b939c9e (diff) |
standard:
Fix #79329 get_headers() silently truncates after a null byte
CVE-2020-7066
exif:
Fix #79282 Use-of-uninitialized-value in exif
CVE-2020-7064
use oracle client library version 19.6 (18.5 on EL-6)
-rw-r--r-- | php-bug79282.patch | 107 | ||||
-rw-r--r-- | php-bug79329.patch | 54 | ||||
-rw-r--r-- | php.spec | 17 |
3 files changed, 176 insertions, 2 deletions
diff --git a/php-bug79282.patch b/php-bug79282.patch new file mode 100644 index 0000000..0ea2bae --- /dev/null +++ b/php-bug79282.patch @@ -0,0 +1,107 @@ +From 8577fa5891220dac40d42b2f745fa159dcd871ad Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 15 Mar 2020 17:26:00 -0700 +Subject: [PATCH] Fixed bug #79282 + +(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216) +--- + ext/exif/exif.c | 7 ++++++- + ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug79282.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 406fee4ff4..9130ceaf6d 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3243,6 +3243,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, + { + unsigned exif_value_2a, offset_of_ifd; + ++ if (length < 2) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); ++ return; ++ } ++ + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ + if (memcmp(CharBuf, "II", 2) == 0) { + ImageInfo->motorola_intel = 0; +@@ -3395,7 +3400,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) + return FALSE; + } + +- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); ++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); + Data = ImageInfo->file.list[sn].data; + + /* Store first two pre-read bytes. */ +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +new file mode 100644 +index 0000000000..7b7e365657 +--- /dev/null ++++ b/ext/exif/tests/bug79282.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #79282: Use-of-uninitialized-value in exif ++--FILE-- ++<?php ++ ++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); ++ ++?> ++--EXPECTF-- ++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++ ++Warning: exif_read_data(): File structure corrupted in %s on line %d ++ ++Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++bool(false) +From ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 15 Mar 2020 17:55:28 -0700 +Subject: [PATCH] Fix test + +(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be) +--- + ext/exif/tests/bug79282.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index 7b7e365657..df91127c9c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d + + Warning: exif_read_data(): File structure corrupted in %s on line %d + +From b42b6d0ff774fdced1155cb0c721d91914d619f5 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 17 Mar 2020 07:23:32 +0100 +Subject: [PATCH] fix test + +--- + ext/exif/tests/bug79282.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index df91127c9c..142cf28a6c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d ++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d + +-Warning: exif_read_data(): File structure corrupted in %s on line %d ++Warning: exif_read_data(%s): File structure corrupted in %s on line %d + +-Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d + bool(false) diff --git a/php-bug79329.patch b/php-bug79329.patch new file mode 100644 index 0000000..1dedb01 --- /dev/null +++ b/php-bug79329.patch @@ -0,0 +1,54 @@ +From b7b9302660a23a67285e204bc3d7fcf6ba7f6533 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 17 Mar 2020 07:25:12 +0100 +Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0 + +From 0d139c5b94a5f485a66901919e51faddb0371c43 +--- + ext/standard/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 0eac03ee0a..39e5b1b2c2 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -660,7 +660,7 @@ PHP_FUNCTION(get_headers) + zval *zcontext = NULL; + php_stream_context *context; + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lr!", &url, &url_len, &format, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lr!", &url, &url_len, &format, &zcontext) == FAILURE) { + return; + } + +From 03471e31c9b467d1d8d944e44fa009ef247e81bd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 15 Mar 2020 19:35:26 -0700 +Subject: [PATCH] [ci skip] Update NEWS + +(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5) +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index 4233a530c1..f0bec6aa69 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.29 ++ ++- Core: ++ . Fixed bug #79329 (get_headers() silently truncates after a null byte) ++ (CVE-2020-7066) (cmb) ++ ++- EXIF: ++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) ++ (Nikita) ++ + Backported from 7.2.28 + + - DOM: @@ -63,7 +63,7 @@ %endif %global oraclelib 18.1 %else -%global oraclever 19.5 +%global oraclever 19.6 %global oraclelib 19.1 %endif @@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 5%{?dist} +Release: 6%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -212,6 +212,8 @@ Patch208: php-bug79037.patch Patch209: php-bug77569.patch Patch210: php-bug79221.patch Patch211: php-bug79082.patch +Patch212: php-bug79282.patch +Patch213: php-bug79329.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -954,6 +956,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch209 -p1 -b .bug77569 %patch210 -p1 -b .bug79221 %patch211 -p1 -b .bug79082 +%patch212 -p1 -b .bug79282 +%patch213 -p1 -b .bug79329 # Fixes for tests %patch300 -p1 -b .datetests @@ -1912,6 +1916,15 @@ EOF %changelog +* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.1.33-6 +- standard: + Fix #79329 get_headers() silently truncates after a null byte + CVE-2020-7066 +- exif: + Fix #79282 Use-of-uninitialized-value in exif + CVE-2020-7064 +- use oracle client library version 19.6 (18.5 on EL-6) + * Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.1.33-5 - dom: Fix #77569 Write Access Violation in DomImplementation |