| -rw-r--r-- | failed.txt | 6 | ||||
| -rw-r--r-- | php-cve-2026-6722.patch | 111 | ||||
| -rw-r--r-- | php-cve-2026-6735.patch | 338 | ||||
| -rw-r--r-- | php-cve-2026-7261.patch | 119 | ||||
| -rw-r--r-- | php-cve-2026-7262.patch | 81 | ||||
| -rw-r--r-- | php-cve-2026-7568.patch | 86 | ||||
| -rw-r--r-- | php.spec | 24 |
7 files changed, 761 insertions, 4 deletions
@@ -1,9 +1,9 @@ -===== 7.2.34-26 (2026-02-18) +===== 7.2.34-27 (2026-05-13) $ grep -ar 'Tests failed' /var/lib/mock/*/build.log -/var/lib/mock/scl72el8a/build.log:Tests failed : 22 -/var/lib/mock/scl72el8x/build.log:Tests failed : 22 +/var/lib/mock/scl72el8a/build.log:Tests failed : 24 +/var/lib/mock/scl72el8x/build.log:Tests failed : 24 el8: diff --git a/php-cve-2026-6722.patch b/php-cve-2026-6722.patch new file mode 100644 index 0000000..228c6cc --- /dev/null +++ b/php-cve-2026-6722.patch 
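Review bot: The recorded failure count rises from 22 to 24 on both el8 builders in the same release that adds five security regression tests, and the visible part of failed.txt does not say which two tests are the new failures. If either is one of the added GHSA tests, the corresponding backport may not be effective on 7.2. Naming the two tests here or in the changelog would let a reader rule that out.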
@@ -0,0 +1,111 @@ +From 8fc3ed35cf67234da5201f64051e2ffa96d70f86 Mon Sep 17 00:00:00 2001 +From: Ilija Tovilo <ilija.tovilo@me.com> +Date: Sun, 3 May 2026 19:56:53 +0200 +Subject: [PATCH 1/6] GHSA-85c2-q967-79q5: [soap] Fix stale + SOAP_GLOBAL(ref_map) pointer with Apache Map + +Fixes GHSA-85c2-q967-79q5 +Fixes CVE-2026-6722 + +(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e) +(cherry picked from commit 15064460d6682766f91c1a841d27cdfbc38907e8) +(cherry picked from commit bbc1be3fc763b81707ccaa91a4cd1d439b753b12) +(cherry picked from commit 6c4b67ca091afea4f436202d7f9db38a129106dc) +(cherry picked from commit 017843d76d595ae97cb97eba4affd69501244571) +--- + ext/soap/php_encoding.c | 3 +- + ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 1 deletion(-) + create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt + +diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c +index c29e967091..acb3a8cc44 100644 +--- a/ext/soap/php_encoding.c ++++ b/ext/soap/php_encoding.c +@@ -369,6 +369,7 @@ static zend_bool soap_check_xml_ref(zval *data, xmlNodePtr node) + static void soap_add_xml_ref(zval *data, xmlNodePtr node) + { + if (SOAP_GLOBAL(ref_map)) { ++ Z_TRY_ADDREF_P(data); + zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data); + } + } +@@ -3456,7 +3457,7 @@ void encode_reset_ns() + } else { + SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable)); + } +- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0); ++ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0); + } + + void encode_finish() +diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt +new file mode 100644 +index 0000000000..8bcac26ad1 +--- /dev/null ++++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt +@@ -0,0 +1,61 @@ ++--TEST-- ++GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map ++--CREDITS-- ++brettgervasoni ++--EXTENSIONS-- ++soap 
++--FILE-- ++<?php ++ ++class Handler { ++ public function test(...$args) { ++ $GLOBALS['result'] = $args; ++ } ++} ++ ++$envelope = <<<'XML' ++<?xml version="1.0" encoding="UTF-8"?> ++<soapenv:Envelope ++ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" ++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ++ xmlns:xsd="http://www.w3.org/2001/XMLSchema"> ++ ++ <soapenv:Body> ++ <test> ++ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap"> ++ <item> ++ <key>foo</key> ++ <value id="stale"><object>bar</object></value> ++ </item> ++ <item> ++ <key>foo</key> ++ <value>baz</value> ++ </item> ++ </map> ++ <stale href="#stale"/> ++ </test> ++ </soapenv:Body> ++</soapenv:Envelope> ++XML; ++ ++$s = new SoapServer(null, ['uri' => 'urn:a']); ++$s->setClass(Handler::class); ++$s->handle($envelope); ++var_dump($result); ++ ++?> ++--EXPECTF-- ++<?xml version="1.0" encoding="UTF-8"?> ++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope> ++array(2) { ++ [0]=> ++ array(1) { ++ ["foo"]=> ++ string(3) "baz" ++ } ++ [1]=> ++ object(stdClass)#%d (1) { ++ ["object"]=> ++ string(3) "bar" ++ } ++} +-- +2.54.0 + diff --git a/php-cve-2026-6735.patch b/php-cve-2026-6735.patch new file mode 100644 index 0000000..769c0e8 --- /dev/null +++ b/php-cve-2026-6735.patch 
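Review bot: The two php_encoding.c changes depend on each other but nothing in the code says so: `soap_add_xml_ref` now takes a reference with `Z_TRY_ADDREF_P(data)`, and `encode_reset_ns`, roughly 3000 lines further down, registers `ZVAL_PTR_DTOR` to release it. A comment on the add, e.g. `/* ref_map holds its own reference; released by the ZVAL_PTR_DTOR set in encode_reset_ns() */`, would keep a later backport from carrying only one half. `encode_reset_ns` begins outside the hunk, so the branch that reuses an existing map should be checked to destroy it before the re-init; otherwise the references it now holds would presumably leak.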
@@ -0,0 +1,338 @@ +From 8e0efa0f20484c8bbfdb8671d61b232b70e2bd0a Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Sun, 3 May 2026 20:01:41 +0200 +Subject: [PATCH 5/6] GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint + +Fixes GHSA-7qg2-v9fj-4mwv +Fixes CVE-2026-6735 + +(cherry picked from commit 99a5ad7441de9914246c7863adb6997396008b9d) +(cherry picked from commit cc2960e782eb5cc262d7bd572a7d18979a811954) +(cherry picked from commit 62daef7b73108ceda2545862cde0673f252ba2d2) +(cherry picked from commit aeaf48ca0bceba42b9595dff30d9e96029c54613) + +backport some new FPM tester features + +(cherry picked from commit 8b1746466f9fcf248f9879fabfa356106d365da0) +--- + sapi/fpm/fpm/fpm_status.c | 28 ++++- + .../tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 48 ++++++++ + sapi/fpm/tests/tester.inc | 111 ++++++++++++++++-- + 3 files changed, 172 insertions(+), 15 deletions(-) + create mode 100644 sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt + +diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c +index 45852a5b39..2c0d770329 100644 +--- a/sapi/fpm/fpm/fpm_status.c ++++ b/sapi/fpm/fpm/fpm_status.c +@@ -387,8 +387,8 @@ int fpm_status_handle_request(void) /* {{{ */ + if (full_syntax) { + unsigned int i; + int first; +- zend_string *tmp_query_string; +- char *query_string; ++ zend_string *tmp_query_string, *tmp_request_uri_string; ++ char *query_string, *request_uri_string; + struct timeval duration, now; + #ifdef HAVE_FPM_LQ + float cpu; +@@ -415,13 +415,30 @@ int fpm_status_handle_request(void) /* {{{ */ + } + } + ++ request_uri_string = NULL; ++ tmp_request_uri_string = NULL; ++ if (proc.request_uri[0] != '\0') { ++ if (encode) { ++ tmp_request_uri_string = php_escape_html_entities_ex( ++ (unsigned char*)proc.request_uri, ++ strlen(proc.request_uri), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT, ++ NULL, /* double_encode */ 1); ++ request_uri_string = ZSTR_VAL(tmp_request_uri_string); ++ } else { ++ request_uri_string = 
proc.request_uri; ++ } ++ } ++ + query_string = NULL; + tmp_query_string = NULL; + if (proc.query_string[0] != '\0') { + if (!encode) { + query_string = proc.query_string; + } else { +- tmp_query_string = php_escape_html_entities_ex((unsigned char *)proc.query_string, strlen(proc.query_string), 1, ENT_HTML_IGNORE_ERRORS & ENT_COMPAT, NULL, 1); ++ tmp_query_string = php_escape_html_entities_ex( ++ (unsigned char*)proc.query_string, ++ strlen(proc.query_string), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT, ++ NULL, /* double_encode */ 1); + query_string = ZSTR_VAL(tmp_query_string); + } + } +@@ -449,7 +466,7 @@ int fpm_status_handle_request(void) /* {{{ */ + proc.requests, + duration.tv_sec * 1000000UL + duration.tv_usec, + proc.request_method[0] != '\0' ? proc.request_method : "-", +- proc.request_uri[0] != '\0' ? proc.request_uri : "-", ++ request_uri_string ? request_uri_string : "-", + query_string ? "?" : "", + query_string ? query_string : "", + proc.content_length, +@@ -462,6 +479,9 @@ int fpm_status_handle_request(void) /* {{{ */ + PUTS(buffer); + efree(buffer); + ++ if (tmp_request_uri_string) { ++ zend_string_free(tmp_request_uri_string); ++ } + if (tmp_query_string) { + zend_string_free(tmp_query_string); + } +diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt +new file mode 100644 +index 0000000000..475bc130a4 +--- /dev/null ++++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt +@@ -0,0 +1,48 @@ ++--TEST-- ++FPM: GHSA-7qg2-v9fj-4mwv - status xss ++--SKIPIF-- ++<?php include "skipif.inc"; ?> ++--FILE-- ++<?php ++ ++require_once "tester.inc"; ++ ++$cfg = <<<EOT ++[global] ++error_log = {{FILE:LOG}} ++[unconfined] ++listen = {{ADDR}} ++pm = static ++pm.max_children = 2 ++pm.status_path = /status ++catch_workers_output = yes ++EOT; ++ ++$code = <<<EOT ++<?php ++usleep(200000); ++EOT; ++ ++$tester = new FPM\Tester($cfg, $code); ++$tester->start(); ++$tester->expectLogStartNotices(); 
++$responses = $tester ++ ->multiRequest([ ++ ['uri' => '/<script>alert(1)</script>', 'query' => '<script>alert(2)</script>'], ++ ['uri' => '/status', 'query' => 'full&html', 'delay' => 100000], ++ ]); ++var_dump(strpos($responses[1]->getBody(), '<script>')); ++$tester->terminate(); ++$tester->expectLogTerminatingNotices(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++bool(false) ++Done ++--CLEAN-- ++<?php ++require_once "tester.inc"; ++FPM\Tester::clean(); ++?> +diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +index 3b6702866c..c1384133f4 100644 +--- a/sapi/fpm/tests/tester.inc ++++ b/sapi/fpm/tests/tester.inc +@@ -489,7 +489,7 @@ class Tester + } + + /** +- * Execute request. ++ * Get request params array. + * + * @param string $query + * @param array $headers +@@ -498,20 +498,13 @@ class Tester + * @param string|null $successMessage + * @param string|null $errorMessage + * @param bool $connKeepAlive +- * @return Response ++ * @return array + */ +- public function request( ++ private function getRequestParams( + string $query = '', + array $headers = [], +- string $uri = null, +- string $address = null, +- string $successMessage = null, +- string $errorMessage = null, +- bool $connKeepAlive = false ++ string $uri = null + ) { +- if ($this->hasError()) { +- return new Response(null, true); +- } + if (is_null($uri)) { + $uri = $this->makeSourceFile(); + } +@@ -538,6 +531,42 @@ class Tester + ], + $headers + ); ++ ++ return array_filter($params, function($value) { ++ return !is_null($value); ++ }); ++ } ++ ++ /** ++ * Execute request. 
++ * ++ * @param string $query ++ * @param array $headers ++ * @param string|null $uri ++ * @param string|null $address ++ * @param string|null $successMessage ++ * @param string|null $errorMessage ++ * @param bool $connKeepAlive ++ * @return Response ++ */ ++ public function request( ++ string $query = '', ++ array $headers = [], ++ string $uri = null, ++ string $address = null, ++ string $successMessage = null, ++ string $errorMessage = null, ++ bool $connKeepAlive = false ++ ) { ++ if ($this->hasError()) { ++ return new Response(null, true); ++ } ++ if (is_null($uri)) { ++ $uri = $this->makeSourceFile(); ++ } ++ ++ $params = $this->getRequestParams($query, $headers, $uri); ++ + try { + $this->response = new Response( + $this->getClient($address, $connKeepAlive)->request_data($params, false) +@@ -557,6 +586,66 @@ class Tester + return $this->response; + } + ++ /** ++ * Execute multiple requests in parallel. ++ * ++ * @param array|int $requests ++ * @param string|null $address ++ * @param string|null $successMessage ++ * @param string|null $errorMessage ++ * @param bool $connKeepAlive ++ * @return Response[] ++ * @throws \Exception ++ */ ++ public function multiRequest( ++ $requests, ++ string $address = null, ++ string $successMessage = null, ++ string $errorMessage = null, ++ bool $connKeepAlive = false ++ ) { ++ if ($this->hasError()) { ++ return new Response(null, true); ++ } ++ ++ if (is_numeric($requests)) { ++ $requests = array_fill(0, $requests, []); ++ } elseif (!is_array($requests)) { ++ throw new \Exception('Requests can be either numeric or array'); ++ } ++ ++ try { ++ $connections = array_map(function ($requestData) use ($address, $connKeepAlive) { ++ $client = $this->getClient($address, $connKeepAlive); ++ $params = $this->getRequestParams( ++ $requestData['query'] ?? '', ++ $requestData['headers'] ?? [], ++ $requestData['uri'] ?? 
null ++ ); ++ return [ ++ 'client' => $client, ++ 'requestId' => $client->async_request($params, false), ++ ]; ++ }, $requests); ++ ++ $responses = array_map(function ($conn) { ++ $response = new Response($conn['client']->wait_for_response_data($conn['requestId'])); ++ if ($this->debug) { ++ $response->debugOutput(); ++ } ++ return $response; ++ }, $connections); ++ $this->message($successMessage); ++ return $responses; ++ } catch (\Exception $exception) { ++ if ($errorMessage === null) { ++ $this->error("Request failed", $exception); ++ } else { ++ $this->message($errorMessage); ++ } ++ } ++ } ++ + /** + * Get client. + * +-- +2.54.0 + +From 8884e113e8351693eb4b5f1c58485ad0e4508d3a Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 7 May 2026 09:01:35 +0200 +Subject: [PATCH 6/6] NEWS from 8.2.31 + +(cherry picked from commit 7dff10e9a31d469fcd436e10b06f8b2bf2758a68) +(cherry picked from commit 1cbf0c27044bd54fb77de8a6bf993a7ab53892a4) +(cherry picked from commit 6b9f5d1673522bb3cf5d77889919084024565c7f) +(cherry picked from commit 5be222339cd6d299aa9170e6fa9edd51a5c42f39) +--- + NEWS | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/NEWS b/NEWS +index 18217680a1..0278901554 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,24 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.2.31 ++ ++- FPM: ++ . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) ++ (Jakub Zelenka) ++ ++- SOAP: ++ . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache ++ Map). (CVE-2026-6722) (ilutov) ++ . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with ++ SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov) ++ . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). ++ (CVE-2026-7262) (ilutov) ++ ++- Standard: ++ . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). 
++ (CVE-2026-7568) (TimWolla) ++ + Backported from 8.1.34 + + . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). +-- +2.54.0 + diff --git a/php-cve-2026-7261.patch b/php-cve-2026-7261.patch new file mode 100644 index 0000000..ac6c531 --- /dev/null +++ b/php-cve-2026-7261.patch 
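Review bot: In the fpm_status.c hunk at `@@ -449,7 +466,7`, `proc.request_method` is still passed to the row format unescaped, on the line just above the newly escaped `request_uri_string`, so with `encode` set one request-derived field in the same output stays raw. Whether a method value can carry markup depends on what the front-end server forwards, so this needs confirming rather than assuming, and the other per-process strings formatted outside the hunk deserve the same check. The non-`encode` branch assigns `proc.request_uri` as-is, which is only safe if every output format that skips `encode` escapes on its own; that is not visible here because `fpm_status_handle_request` starts and ends outside the hunk. The new test asserts only on the `full&html` response, so the other output formats are not exercised by it.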
@@ -0,0 +1,119 @@ +From f91bcf961ac15eacabf33f86f62c17dbec4a39ab Mon Sep 17 00:00:00 2001 +From: Ilija Tovilo <ilija.tovilo@me.com> +Date: Sun, 3 May 2026 19:57:16 +0200 +Subject: [PATCH 2/6] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after + header parsing failure with SOAP_PERSISTENCE_SESSION + +Fixes GHSA-m33r-qmcv-p97q +Fixes CVE-2026-7261 + +(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b) +(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714) +(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b) +(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022) +(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1) + +adapt test for 7.2 +--- + ext/soap/soap.c | 12 ++++- + ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 60 +++++++++++++++++++++++++ + 2 files changed, 70 insertions(+), 2 deletions(-) + create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt + +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index 4cf0323a0a..6ffd7cdd35 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -1824,13 +1824,21 @@ PHP_METHOD(SoapServer, handle) + php_output_discard(); + soap_server_fault_ex(function, &h->retval, h); + efree(fn_name); +- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} ++ if (service->type == SOAP_CLASS && soap_obj) { ++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { ++ zval_ptr_dtor(soap_obj); ++ } ++ } + goto fail; + } else if (EG(exception)) { + php_output_discard(); + _soap_server_exception(service, function, getThis()); + efree(fn_name); +- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} ++ if (service->type == SOAP_CLASS && soap_obj) { ++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { ++ zval_ptr_dtor(soap_obj); ++ } ++ } + goto fail; + } + } else if (h->mustUnderstand) { +diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt +new file mode 100644 
+index 0000000000..6e4e9e75fb +--- /dev/null ++++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt +@@ -0,0 +1,60 @@ ++--TEST-- ++GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION ++--CREDITS-- ++Ilia Alshanetsky (iliaal) ++--EXTENSIONS-- ++soap ++session ++--FILE-- ++<?php ++ ++class Handler { ++ public function return() { ++ return new SoapFault('Server', 'denied'); ++ } ++ public function throw() { ++ throw new SoapFault('Server', 'denied'); ++ } ++ public function hello() { ++ return 'ok'; ++ } ++} ++ ++session_start(); ++ ++$srv = new SoapServer(null, ['uri' => 'urn:a']); ++$srv->setClass(Handler::class); ++$srv->setPersistence(SOAP_PERSISTENCE_SESSION); ++ ++$x = <<<XML ++<?xml version="1.0" encoding="UTF-8"?> ++<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a"> ++ <soap:Header> ++ <a:return/> ++ </soap:Header> ++ <soap:Body> ++ <a:hello/> ++ </soap:Body> ++</soap:Envelope> ++XML; ++$srv->handle($x); ++ ++$x = <<<XML ++<?xml version="1.0" encoding="UTF-8"?> ++<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a"> ++ <soap:Header> ++ <a:throw/> ++ </soap:Header> ++ <soap:Body> ++ <a:hello/> ++ </soap:Body> ++</soap:Envelope> ++XML; ++$srv->handle($x); ++ ++?> ++--EXPECT-- ++<?xml version="1.0" encoding="UTF-8"?> ++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> ++<?xml version="1.0" encoding="UTF-8"?> ++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> +-- +2.54.0 + diff --git a/php-cve-2026-7262.patch b/php-cve-2026-7262.patch new file mode 100644 index 0000000..e289114 --- /dev/null 
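Review bot: The same nested ownership check is now duplicated in both failure branches of `SoapServer::handle`, with no comment explaining why a session-persisted object must not be released there. A single condition reads more clearly: `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { zval_ptr_dtor(soap_obj); }`, preceded by a comment such as `/* with SOAP_PERSISTENCE_SESSION the object is presumably still referenced by the session data; dropping it here caused the use-after-free */`. The method body extends beyond the hunk on both sides, so any other exit that releases `soap_obj` should be checked for the same condition.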
+++ b/php-cve-2026-7262.patch 
@@ -0,0 +1,81 @@ +From c21561700dcfc3304322845c2d3da028c3c73345 Mon Sep 17 00:00:00 2001 +From: Ilija Tovilo <ilija.tovilo@me.com> +Date: Sat, 25 Apr 2026 00:44:37 +0200 +Subject: [PATCH 3/6] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value + NULL check + +Fixes GHSA-hmxp-6pc4-f3vv +Fixes CVE-2026-7262 + +(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d) +(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3) +(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea) +(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33) +(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115) +--- + ext/soap/php_encoding.c | 2 +- + ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++ + 2 files changed, 40 insertions(+), 1 deletion(-) + create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt + +diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c +index acb3a8cc44..32b0384214 100644 +--- a/ext/soap/php_encoding.c ++++ b/ext/soap/php_encoding.c +@@ -2741,7 +2741,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data) + } + + xmlValue = get_node(item->children, "value"); +- if (!xmlKey) { ++ if (!xmlValue) { + soap_error0(E_ERROR, "Encoding: Can't decode apache map, missing value"); + } + +diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt +new file mode 100644 +index 0000000000..e46ab2e460 +--- /dev/null ++++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt +@@ -0,0 +1,39 @@ ++--TEST-- ++GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value ++--CREDITS-- ++Ilia Alshanetsky (iliaal) ++--EXTENSIONS-- ++soap ++--FILE-- ++<?php ++ ++$request = <<<XML ++<?xml version="1.0" encoding="UTF-8"?> ++<soap:Envelope ++ xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" ++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ++ xmlns:xsd="http://www.w3.org/2001/XMLSchema" ++ 
xmlns:apache="http://xml.apache.org/xml-soap"> ++ ++ <soap:Body> ++ <test> ++ <map xsi:type="apache:Map"> ++ <item><key>hello</key></item> ++ </map> ++ </test> ++ </soap:Body> ++</soap:Envelope> ++XML; ++ ++$server = new SoapServer(null, [ ++ 'uri' => 'urn:test', ++ 'typemap' => [['type_name' => 'anything']], ++]); ++$server->addFunction('test'); ++function test($m) { return null; } ++$server->handle($request); ++ ++?> ++--EXPECT-- ++<?xml version="1.0" encoding="UTF-8"?> ++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> +-- +2.54.0 + diff --git a/php-cve-2026-7568.patch b/php-cve-2026-7568.patch new file mode 100644 index 0000000..7e47785 --- /dev/null +++ b/php-cve-2026-7568.patch 
@@ -0,0 +1,86 @@ +From b7702525bc4a540eb36f392a13461971a1bac31a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com> +Date: Sun, 3 May 2026 20:02:57 +0200 +Subject: [PATCH 4/6] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer + overflow of char array offset + +Fixes GHSA-96wq-48vp-hh57 +Fixes CVE-2026-7568 + +(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32) +(cherry picked from commit e4fc187a011d91f26178f6dfbccdb07041b99153) +(cherry picked from commit 53de456406a6db5a8bcded8a4b242789ae5b2690) +(cherry picked from commit 909c2acc64d72bd57123b30e711c02aef0c08d14) + +[skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt + +As requested by the reporter. + +(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974) +(cherry picked from commit 101e93900888ef43d42ec0e33866bca3824f51a8) +(cherry picked from commit 41134d0746a524d7265b67d3d8d0fd433fd7479a) +(cherry picked from commit b40b656c0fe8080f9cd097bf77b7a3681ea3e7a0) +(cherry picked from commit 9e4b7c856c57deda7b7887da7978328ec8b57187) +--- + ext/standard/metaphone.c | 6 +++--- + ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++ + 2 files changed, 25 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt + +diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c +index def371b523..70453ee447 100644 +--- a/ext/standard/metaphone.c ++++ b/ext/standard/metaphone.c +@@ -124,10 +124,10 @@ char _codes[26] = + + /* Allows us to safely look ahead an arbitrary # of letters */ + /* I probably could have just used strlen... */ +-static char Lookahead(char *word, int how_far) ++static char Lookahead(char *word, size_t how_far) + { + char letter_ahead = '\0'; /* null by default */ +- int idx; ++ size_t idx; + for (idx = 0; word[idx] != '\0' && idx < how_far; idx++); + /* Edge forward in the string... 
*/ + +@@ -169,7 +169,7 @@ static char Lookahead(char *word, int how_far) + */ + static int metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional) + { +- int w_idx = 0; /* point in the phonization we're at. */ ++ size_t w_idx = 0; /* point in the phonization we're at. */ + size_t p_idx = 0; /* end of the phoned phrase */ + size_t max_buffer_len = 0; /* maximum length of the destination buffer */ + +diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt +new file mode 100644 +index 0000000000..cf9a40062f +--- /dev/null ++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt +@@ -0,0 +1,22 @@ ++--TEST-- ++GHSA-96wq-48vp-hh57: signed integer overflow of char array offset ++--CREDITS-- ++Aleksey Solovev (Positive Technologies) ++--INI-- ++memory_limit=3G ++--SKIPIF-- ++<?php ++if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test'); ++if (getenv('SKIP_SLOW_TESTS')) die('skip slow test'); ++if (PHP_INT_SIZE != 8) echo 'skip 64-bit only'; ++?> ++--FILE-- ++<?php ++ ++$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE'; ++metaphone($str, 1); ++ ++?> ++===DONE=== ++--EXPECT-- ++===DONE=== +-- +2.54.0 + @@ -128,7 +128,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 26%{?dist} +Release: 27%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -226,6 +226,11 @@ Patch228: php-cve-2024-8932.patch Patch229: php-cve-2024-11233.patch Patch230: php-ghsa-4w77-75f9-2c8w.patch Patch231: php-cve-2025-14178.patch +Patch232: php-cve-2026-6722.patch +Patch233: php-cve-2026-7261.patch +Patch234: php-cve-2026-7262.patch +Patch235: php-cve-2026-6735.patch +Patch236: php-cve-2026-7568.patch # Fixes for tests (300+) # Factory is droped from system tzdata 
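Review bot: The regression test added for the metaphone fix is skipped unless `RUN_RESOURCE_HEAVY_TESTS` is set and needs `memory_limit=3G`, so a default package build gives no evidence that the `size_t` change to `Lookahead` and `w_idx` holds on this 7.2 backport. Running it once by hand on a 64-bit builder and recording the result would close that gap. With `w_idx` now unsigned, any look-behind macro in metaphone.c that subtracts from it (these are outside the hunk) should be confirmed to test the index first, because an underflow would now wrap to a very large offset instead of going negative.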
@@ -1015,6 +1020,11 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch -P229 -p1 -b .cve11233 %patch -P230 -p1 -b .ghsa4w77 %patch -P231 -p1 -b .cve14178 +%patch -P232 -p1 -b .cve6722 +%patch -P233 -p1 -b .cve7261 +%patch -P234 -p1 -b .cve7262 +%patch -P235 -p1 -b .cve6735 +%patch -P236 -p1 -b .cve7268 # Fixes for tests %patch -P300 -p1 -b .datetests @@ -1985,6 +1995,18 @@ EOF %changelog +* Tue May 12 2026 Remi Collet <remi@remirepo.net> - 7.2.34-27 +- Fix XSS within status endpoint + CVE-2026-6735 +- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map + CVE-2026-6722 +- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION + CVE-2026-7261 +- Fix Broken Apache map value NULL check + CVE-2026-7262 +- Fix Signed integer overflow of char array offset + CVE-2026-7568 + * Tue Feb 17 2026 Remi Collet <remi@remirepo.net> - 7.2.34-26 - Fix Heap buffer overflow in array_merge() CVE-2025-14178 |
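Review bot: The backup suffix on the last added `%patch` line, `%patch -P236 -p1 -b .cve7268`, does not match the patch it applies, which is php-cve-2026-7568.patch; it should read `%patch -P236 -p1 -b .cve7568`. The build result is unaffected, but the `.cve7268` backup files will carry the wrong number when someone later traces which patch touched metaphone.c.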
