From f292ba6629135879fcd628ba36f206261af1dc71 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 27 Sep 2022 19:05:59 +0200
Subject: phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628

core: fix #81727 Don't mangle HTTP variable names that clash with ones
  that have a specific semantic meaning. CVE-2022-31629
use oracle client library version 21.7
---
 php-bug81726.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec           |  4 ++--
 2 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/php-bug81726.patch b/php-bug81726.patch
index 53dcde3..c83affd 100644
--- a/php-bug81726.patch
+++ b/php-bug81726.patch
@@ -86,3 +86,62 @@ index ba76a9b0e0..52c973d7c4 100644
  				continue;
  			}
  
+From 8fad7bf40e1b5bf74f308eb882b1d72987ef539c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 27 Sep 2022 17:43:40 +0200
+Subject: [PATCH] Fix regression introduced by fixing bug 81726
+
+When a tar phar is created, `phar_open_from_fp()` is also called, but
+since the file has just been created, none of the format checks can
+succeed, so we continue to loop, but must not check again for the
+format.  Therefore, we bring back the old `test` variable.
+
+Closes GH-9620.
+
+(cherry picked from commit 432bf196d59bcb661fcf9cb7029cea9b43f490af)
+---
+ ext/phar/phar.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 52c973d7c4..534af318f4 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1575,7 +1575,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 	const char zip_magic[] = "PK\x03\x04";
+ 	const char gz_magic[] = "\x1f\x8b\x08";
+ 	const char bz_magic[] = "BZh";
+-	char *pos;
++	char *pos, test = '\0';
+ 	int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
+ 	const int window_size = 1024;
+ 	char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
+@@ -1604,7 +1604,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 			MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
+ 		}
+ 
+-		if (recursion_count) {
++		if (!test && recursion_count) {
++			test = '\1';
+ 			pos = buffer+tokenlen;
+ 			if (!memcmp(pos, gz_magic, 3)) {
+ 				char err = 0;
+@@ -1664,6 +1665,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 				compression = PHAR_FILE_COMPRESSED_GZ;
+ 
+ 				/* now, start over */
++				test = '\0';
+ 				if (!--recursion_count) {
+ 					MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
+ 					break;
+@@ -1705,6 +1707,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 				compression = PHAR_FILE_COMPRESSED_BZ2;
+ 
+ 				/* now, start over */
++				test = '\0';
+ 				if (!--recursion_count) {
+ 					MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
+ 					break;
+-- 
+2.37.3
+
diff --git a/php.spec b/php.spec
index b675beb..1347776 100644
--- a/php.spec
+++ b/php.spec
@@ -126,7 +126,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 12%{?dist}
+Release: 13%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -1945,7 +1945,7 @@ EOF
 
 
 %changelog
-* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 7.2.34-12
+* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 7.2.34-13
 - phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628
 - core: fix #81727 Don't mangle HTTP variable names that clash with ones
   that have a specific semantic meaning. CVE-2022-31629
-- 
cgit