From 49e30ac8f208b89b4131e537f8afe6f2114f5da1 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 13 May 2026 13:19:04 +0200 Subject: Fix XSS within status endpoint CVE-2026-6735 Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map CVE-2026-6722 Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261 Fix Broken Apache map value NULL check CVE-2026-7262 Fix Signed integer overflow of char array offset CVE-2026-7568 --- php-cve-2026-7261.patch | 119 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 php-cve-2026-7261.patch (limited to 'php-cve-2026-7261.patch') diff --git a/php-cve-2026-7261.patch b/php-cve-2026-7261.patch new file mode 100644 index 0000000..ac6c531 --- /dev/null +++ b/php-cve-2026-7261.patch @@ -0,0 +1,119 @@ +From f91bcf961ac15eacabf33f86f62c17dbec4a39ab Mon Sep 17 00:00:00 2001 +From: Ilija Tovilo +Date: Sun, 3 May 2026 19:57:16 +0200 +Subject: [PATCH 2/6] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after + header parsing failure with SOAP_PERSISTENCE_SESSION + +Fixes GHSA-m33r-qmcv-p97q +Fixes CVE-2026-7261 + +(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b) +(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714) +(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b) +(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022) +(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1) + +adapt test for 7.2 +--- + ext/soap/soap.c | 12 ++++- + ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 60 +++++++++++++++++++++++++ + 2 files changed, 70 insertions(+), 2 deletions(-) + create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt + +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index 4cf0323a0a..6ffd7cdd35 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -1824,13 +1824,21 @@ PHP_METHOD(SoapServer, handle) + php_output_discard(); + soap_server_fault_ex(function, &h->retval, h); + efree(fn_name); +- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} ++ if (service->type == SOAP_CLASS && soap_obj) { ++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { ++ zval_ptr_dtor(soap_obj); ++ } ++ } + goto fail; + } else if (EG(exception)) { + php_output_discard(); + _soap_server_exception(service, function, getThis()); + efree(fn_name); +- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);} ++ if (service->type == SOAP_CLASS && soap_obj) { ++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { ++ zval_ptr_dtor(soap_obj); ++ } ++ } + goto fail; + } + } else if (h->mustUnderstand) { +diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt +new file mode 100644 +index 0000000000..6e4e9e75fb +--- /dev/null ++++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt +@@ -0,0 +1,60 @@ ++--TEST-- ++GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION ++--CREDITS-- ++Ilia Alshanetsky (iliaal) ++--EXTENSIONS-- ++soap ++session ++--FILE-- ++ 'urn:a']); ++$srv->setClass(Handler::class); ++$srv->setPersistence(SOAP_PERSISTENCE_SESSION); ++ ++$x = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++$srv->handle($x); ++ ++$x = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++$srv->handle($x); ++ ++?> ++--EXPECT-- ++ ++SOAP-ENV:Serverdenied ++ ++SOAP-ENV:Serverdenied +-- +2.54.0 + -- cgit