From 852e6cd66551e37f66edf6413cdd208914784a31 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 9 Jul 2026 10:31:03 +0200 Subject: rename patch --- php-cve-2026-14355.patch | 113 +++++++++++++++++++++++++++++++++++++++++++++++ php-gh22187.patch | 113 ----------------------------------------------- php.spec | 3 +- 3 files changed, 115 insertions(+), 114 deletions(-) create mode 100644 php-cve-2026-14355.patch delete mode 100644 php-gh22187.patch diff --git a/php-cve-2026-14355.patch b/php-cve-2026-14355.patch new file mode 100644 index 0000000..cf982fd --- /dev/null +++ b/php-cve-2026-14355.patch @@ -0,0 +1,113 @@ +From f15d1e26160a8175474160907eb6ab7e10090fa0 Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Fri, 29 May 2026 21:44:14 +0100 +Subject: [PATCH] ext/openssl: openssl_encrypt() zend mm heap overflow on + AES-WRAP-PAD mode. + +Fix #22186 + +close GH-22187 + +(cherry picked from commit cbc0489126a7682796aad1e5fb4e51de74af162c) +(cherry picked from commit 95e9851111d249e43948b76663cff1baeb5e758d) +(cherry picked from commit 2a73e91a9f9136fbbfcc9177573b6af71e3d5dce) +(cherry picked from commit e058b01e1bd23421a425cffae9f458b0fa8db222) +(cherry picked from commit 09cccab30d53614bb826e4390ad23ad7451b6d6c) +--- + NEWS | 6 ++++++ + ext/openssl/openssl.c | 15 ++++++++++++++- + ext/openssl/tests/gh22186.phpt | 32 ++++++++++++++++++++++++++++++++ + 3 files changed, 52 insertions(+), 1 deletion(-) + create mode 100644 ext/openssl/tests/gh22186.phpt + +diff --git a/NEWS b/NEWS +index 0278901554..d7b2cb2fbc 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.2.32 ++ ++- OpenSSL: ++ . Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in ++ openssl_encrypt with AES-WRAP-PAD). (David Carlier) ++ + Backported from 8.2.31 + + - FPM: +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 3eea08c649..258b1f462f 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6516,6 +6516,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + char *aad, size_t aad_len, int enc) /* {{{ */ + { + int i = 0; ++ size_t outlen = data_len + EVP_CIPHER_block_size(cipher_type); + + if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) { + php_openssl_store_errors(); +@@ -6529,7 +6530,19 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + return FAILURE; + } + +- *poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0); ++#ifdef EVP_CIPH_WRAP_MODE ++ if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) { ++ /* ++ * RFC 5649 wrap-with-padding rounds the input up to the block size ++ * and prepends an integrity block, we reserve one extra block. ++ * See EVP_EncryptUpdate(3): wrap mode may write up to ++ * inl + cipher_block_size bytes. ++ */ ++ outlen += EVP_CIPHER_block_size(cipher_type); ++ } ++#endif ++ ++ *poutbuf = zend_string_alloc(outlen, 0); + + if (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf), + &i, (unsigned char *)data, (int)data_len)) { +diff --git a/ext/openssl/tests/gh22186.phpt b/ext/openssl/tests/gh22186.phpt +new file mode 100644 +index 0000000000..8f28e6c45b +--- /dev/null ++++ b/ext/openssl/tests/gh22186.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++GH-22186 (Heap buffer overflow in openssl_encrypt with AES-WRAP-PAD) ++--EXTENSIONS-- ++openssl ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++done +-- +2.54.0 + diff --git a/php-gh22187.patch b/php-gh22187.patch deleted file mode 100644 index cf982fd..0000000 --- a/php-gh22187.patch +++ /dev/null @@ -1,113 +0,0 @@ -From f15d1e26160a8175474160907eb6ab7e10090fa0 Mon Sep 17 00:00:00 2001 -From: David Carlier -Date: Fri, 29 May 2026 21:44:14 +0100 -Subject: [PATCH] ext/openssl: openssl_encrypt() zend mm heap overflow on - AES-WRAP-PAD mode. - -Fix #22186 - -close GH-22187 - -(cherry picked from commit cbc0489126a7682796aad1e5fb4e51de74af162c) -(cherry picked from commit 95e9851111d249e43948b76663cff1baeb5e758d) -(cherry picked from commit 2a73e91a9f9136fbbfcc9177573b6af71e3d5dce) -(cherry picked from commit e058b01e1bd23421a425cffae9f458b0fa8db222) -(cherry picked from commit 09cccab30d53614bb826e4390ad23ad7451b6d6c) ---- - NEWS | 6 ++++++ - ext/openssl/openssl.c | 15 ++++++++++++++- - ext/openssl/tests/gh22186.phpt | 32 ++++++++++++++++++++++++++++++++ - 3 files changed, 52 insertions(+), 1 deletion(-) - create mode 100644 ext/openssl/tests/gh22186.phpt - -diff --git a/NEWS b/NEWS -index 0278901554..d7b2cb2fbc 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,6 +1,12 @@ - PHP NEWS - ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| - -+Backported from 8.2.32 -+ -+- OpenSSL: -+ . Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in -+ openssl_encrypt with AES-WRAP-PAD). (David Carlier) -+ - Backported from 8.2.31 - - - FPM: -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index 3eea08c649..258b1f462f 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -6516,6 +6516,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, - char *aad, size_t aad_len, int enc) /* {{{ */ - { - int i = 0; -+ size_t outlen = data_len + EVP_CIPHER_block_size(cipher_type); - - if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) { - php_openssl_store_errors(); -@@ -6529,7 +6530,19 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, - return FAILURE; - } - -- *poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0); -+#ifdef EVP_CIPH_WRAP_MODE -+ if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) { -+ /* -+ * RFC 5649 wrap-with-padding rounds the input up to the block size -+ * and prepends an integrity block, we reserve one extra block. -+ * See EVP_EncryptUpdate(3): wrap mode may write up to -+ * inl + cipher_block_size bytes. -+ */ -+ outlen += EVP_CIPHER_block_size(cipher_type); -+ } -+#endif -+ -+ *poutbuf = zend_string_alloc(outlen, 0); - - if (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf), - &i, (unsigned char *)data, (int)data_len)) { -diff --git a/ext/openssl/tests/gh22186.phpt b/ext/openssl/tests/gh22186.phpt -new file mode 100644 -index 0000000000..8f28e6c45b ---- /dev/null -+++ b/ext/openssl/tests/gh22186.phpt -@@ -0,0 +1,32 @@ -+--TEST-- -+GH-22186 (Heap buffer overflow in openssl_encrypt with AES-WRAP-PAD) -+--EXTENSIONS-- -+openssl -+--SKIPIF-- -+ -+--FILE-- -+ -+--EXPECT-- -+done --- -2.54.0 - diff --git a/php.spec b/php.spec index e876d9c..f710c98 100644 --- a/php.spec +++ b/php.spec @@ -231,7 +231,7 @@ Patch233: php-cve-2026-7261.patch Patch234: php-cve-2026-7262.patch Patch235: php-cve-2026-6735.patch Patch236: php-cve-2026-7568.patch -Patch237: php-gh22187.patch +Patch237: php-cve-2026-14355.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1999,6 +1999,7 @@ EOF %changelog * Thu Jul 2 2026 Remi Collet - 7.2.34-28 - Fix Memory corruption in openssl_encrypt with AES-WRAP-PAD + CVE-2026-14355 * Tue May 12 2026 Remi Collet - 7.2.34-27 - Fix XSS within status endpoint -- cgit