1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
From 3640e9897928d5b5607270c20593a0c04a455e1e Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 27 Jan 2023 19:28:27 +0100
Subject: [PATCH 3/8] Fix array overrun when appending slash to paths
Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to append
the slash. As the php_check_specific_open_basedir() simply uses the
strings to compare against each other, no new failures related to too
long paths are introduced.
We'll let the DOM and XML case handle a potentially too long path in the
library code.
(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953)
(cherry picked from commit 887cd0710ad856a0d22c329b6ea6c71ebd8621ae)
---
ext/dom/document.c | 2 +-
ext/xmlreader/php_xmlreader.c | 2 +-
main/fopen_wrappers.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/ext/dom/document.c b/ext/dom/document.c
index 11ef4aa818..c212faa695 100644
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -1359,7 +1359,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
int validate, recover, resolve_externals, keep_blanks, substitute_ent;
int resolved_path_len;
int old_error_reporting = 0;
- char *directory=NULL, resolved_path[MAXPATHLEN];
+ char *directory=NULL, resolved_path[MAXPATHLEN + 1];
if (id != NULL) {
intern = Z_DOMOBJ_P(id);
diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
index 6c1da2761d..0f2b62ae20 100644
--- a/ext/xmlreader/php_xmlreader.c
+++ b/ext/xmlreader/php_xmlreader.c
@@ -1040,7 +1040,7 @@ PHP_METHOD(xmlreader, XML)
xmlreader_object *intern = NULL;
char *source, *uri = NULL, *encoding = NULL;
int resolved_path_len, ret = 0;
- char *directory=NULL, resolved_path[MAXPATHLEN];
+ char *directory=NULL, resolved_path[MAXPATHLEN + 1];
xmlParserInputBufferPtr inputbfr;
xmlTextReaderPtr reader;
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index 520edfadbb..33047bb160 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -135,10 +135,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
*/
PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
{
- char resolved_name[MAXPATHLEN];
- char resolved_basedir[MAXPATHLEN];
+ char resolved_name[MAXPATHLEN + 1];
+ char resolved_basedir[MAXPATHLEN + 1];
char local_open_basedir[MAXPATHLEN];
- char path_tmp[MAXPATHLEN];
+ char path_tmp[MAXPATHLEN + 1];
char *path_file;
size_t resolved_basedir_len;
size_t resolved_name_len;
--
2.39.1
From 2b9c9a8cb00914c08e34ee242d4aa3ba4aa74ef4 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 13 Feb 2023 11:46:47 +0100
Subject: [PATCH 4/8] NEWS
(cherry picked from commit 614468ce4056c0ef93aae09532dcffdf65b594b5)
---
NEWS | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index 1c00ef6357..ad57c5ccd5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,14 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 8.0.28
+
+- Core:
+ . Fixed bug #81744 (Password_verify() always return true with some hash).
+ (CVE-2023-0567). (Tim Düsterhus)
+ . Fixed bug #81746 (1-byte array overrun in common path resolve code).
+ (CVE-2023-0568). (Niels Dossche)
+
Backported from 8.0.27
- PDO/SQLite:
--
2.39.1
|
