From 9eb1d50117cb6df4f7ce70ed92813ec77a87d78e Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 7 Jun 2022 11:05:41 +0200 Subject: use oracle client library version 21.6 mysqlnd: fix #81719: mysqlnd/pdo password buffer overflow. CVE-2022-31626 pgsql: fix #81720: Uninitialized array in pg_query_params(). CVE-2022-31625 pcre: fix default options for pcre >= 10.38 --- failed.txt | 10 ++++--- php-bug81719.patch | 60 ++++++++++++++++++++++++++++++++++++++++++ php-bug81720.patch | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php-pcre1038.patch | 27 +++++++++++++++++++ php.spec | 19 +++++++++++--- 5 files changed, 185 insertions(+), 7 deletions(-) create mode 100644 php-bug81719.patch create mode 100644 php-bug81720.patch create mode 100644 php-pcre1038.patch diff --git a/failed.txt b/failed.txt index 8e3124f..b653506 100644 --- a/failed.txt +++ b/failed.txt @@ -1,16 +1,18 @@ -===== 7.3.33 (2021-11-16) +===== 7.3.33-3 (2022-06-07) $ grep -ar 'Tests failed' /var/lib/mock/*/build.log -/var/lib/mock/scl73el7x/build.log:Tests failed : 0 -/var/lib/mock/scl73el8x/build.log:Tests failed : 13 -/var/lib/mock/scl73fc33x/build.log:Tests failed : 14 +/var/lib/mock/scl73el7x/build.log:Tests failed : 1 +/var/lib/mock/scl73el8x/build.log:Tests failed : 15 /var/lib/mock/scl73fc34x/build.log:Tests failed : 14 /var/lib/mock/scl73fc35x/build.log:Tests failed : 14 +el7x: + 5 ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt el8x, fc33x 2 buildroot issue with strict openssl policy (fixed in 7.4) + 5 ext/standard/tests/strings/setlocale_variation2.phpt fc33x, fc34x, fc35x 4 ext/date/tests/bug33415-2.phpt diff --git a/php-bug81719.patch b/php-bug81719.patch new file mode 100644 index 0000000..c40e1ba --- /dev/null +++ b/php-bug81719.patch @@ -0,0 +1,60 @@ +From 9433de72e291db518357fe55531cc15432d43ec4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 6 Jun 2022 00:56:51 -0600 +Subject: [PATCH 2/3] Fix bug #81719: mysqlnd/pdo password buffer overflow + +(cherry picked from commit 58006537fc5f133ae8549efe5118cde418b3ace9) +--- + ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c +index 6459fe4964..1aee62c64e 100644 +--- a/ext/mysqlnd/mysqlnd_wireprotocol.c ++++ b/ext/mysqlnd/mysqlnd_wireprotocol.c +@@ -768,7 +768,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet) + MYSQLND_VIO * vio = conn->vio; + MYSQLND_STATS * stats = conn->stats; + MYSQLND_CONNECTION_STATE * connection_state = &conn->state; +- zend_uchar * buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); ++ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE; ++ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); + zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ + + DBG_ENTER("php_mysqlnd_change_auth_response_write"); +-- +2.35.3 + +From f451082baf14ee9ea86cdd19870e906adb368f02 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 7 Jun 2022 09:57:15 +0200 +Subject: [PATCH 3/3] NEWS + +--- + NEWS | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/NEWS b/NEWS +index ffbe82d7aa..fd227bd33a 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ++ ++Backported from 7.4.30 ++ ++- mysqlnd: ++ . Fixed bug #81719: mysqlnd/pdo password buffer overflow. ++ (CVE-2022-31626) (c dot fol at ambionics dot io) ++ ++- pgsql ++ . Fixed bug #81720: Uninitialized array in pg_query_params(). ++ (CVE-2022-31625) (cmb) ++ + 18 Nov 2021, PHP 7.3.33 + + - XML: +-- +2.35.3 + diff --git a/php-bug81720.patch b/php-bug81720.patch new file mode 100644 index 0000000..8580d7a --- /dev/null +++ b/php-bug81720.patch @@ -0,0 +1,76 @@ +From 6f979c832c861fb32e2dbad5e0cc29edcee7c500 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 17 May 2022 12:59:23 +0200 +Subject: [PATCH 1/3] Fix #81720: Uninitialized array in pg_query_params() + leading to RCE + +We must not free parameters which we haven't initialized yet. + +We also fix the not directly related issue, that we checked for the +wrong value being `NULL`, potentially causing a segfault. + +(cherry picked from commit 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab) +--- + ext/pgsql/pgsql.c | 4 ++-- + ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 2 deletions(-) + create mode 100644 ext/pgsql/tests/bug81720.phpt + +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index 27462bc336..1dd892d359 100644 +--- a/ext/pgsql/pgsql.c ++++ b/ext/pgsql/pgsql.c +@@ -1994,7 +1994,7 @@ PHP_FUNCTION(pg_query_params) + if (Z_TYPE(tmp_val) != IS_STRING) { + php_error_docref(NULL, E_WARNING,"Error converting parameter"); + zval_ptr_dtor(&tmp_val); +- _php_pgsql_free_params(params, num_params); ++ _php_pgsql_free_params(params, i); + RETURN_FALSE; + } + params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +@@ -5179,7 +5179,7 @@ PHP_FUNCTION(pg_send_execute) + if (Z_TYPE(tmp_val) != IS_STRING) { + php_error_docref(NULL, E_WARNING,"Error converting parameter"); + zval_ptr_dtor(&tmp_val); +- _php_pgsql_free_params(params, num_params); ++ _php_pgsql_free_params(params, i); + RETURN_FALSE; + } + params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt +new file mode 100644 +index 0000000000..d79f1fcdd6 +--- /dev/null ++++ b/ext/pgsql/tests/bug81720.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #81720 (Uninitialized array in pg_query_params() leading to RCE) ++--SKIPIF-- ++ ++--FILE-- ++getMessage(), PHP_EOL; ++} ++ ++try { ++ pg_send_prepare($conn, "my_query", 'SELECT $1, $2'); ++ pg_get_result($conn); ++ pg_send_execute($conn, "my_query", [1, new stdClass()]); ++} catch (Throwable $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++?> ++--EXPECT-- ++Object of class stdClass could not be converted to string ++Object of class stdClass could not be converted to string +-- +2.35.3 + diff --git a/php-pcre1038.patch b/php-pcre1038.patch new file mode 100644 index 0000000..404db72 --- /dev/null +++ b/php-pcre1038.patch @@ -0,0 +1,27 @@ +From 56495ac031005f8b64e75c94e86ec942dd15aa74 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 21 Oct 2021 10:38:16 +0200 +Subject: [PATCH] fix for pcre2 10.38 + +--- + ext/pcre/php_pcre.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c +index 19ea92713875..9d01b328228d 100644 +--- a/ext/pcre/php_pcre.c ++++ b/ext/pcre/php_pcre.c +@@ -169,7 +169,13 @@ static void php_pcre_free(void *block, void *data) + pefree(block, 1); + }/*}}}*/ + ++#ifdef PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK ++ /* pcre 10.38 needs PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK, disabled by default */ ++#define PHP_PCRE_DEFAULT_EXTRA_COPTIONS (PCRE2_EXTRA_BAD_ESCAPE_IS_LITERAL|PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK) ++#else + #define PHP_PCRE_DEFAULT_EXTRA_COPTIONS PCRE2_EXTRA_BAD_ESCAPE_IS_LITERAL ++#endif ++ + #define PHP_PCRE_PREALLOC_MDATA_SIZE 32 + + static void php_pcre_init_pcre2(uint8_t jit) diff --git a/php.spec b/php.spec index 9bc5871..21edd09 100644 --- a/php.spec +++ b/php.spec @@ -55,7 +55,7 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) -%global oraclever 21.5 +%global oraclever 21.6 %global oraclelib 21.1 # Build for LiteSpeed Web Server (LSAPI) @@ -126,7 +126,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -194,8 +194,12 @@ Patch91: php-7.2.0-oci8conf.patch Patch100: php-bug80682.patch # Backported from 7.4.18 - pdo_odbc Patch101: php-bug80783.patch +# Backported from 7.4.26 for pcre >= 10.38 +Patch102: php-pcre1038.patch # Security fixes (200+) +Patch200: php-bug81719.patch +Patch201: php-bug81720.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -741,7 +745,7 @@ Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} BuildRequires: libjpeg-devel, libpng-devel, freetype-devel BuildRequires: libXpm-devel %if %{with_libgd} -BuildRequires: gd-devel >= 2.3 +BuildRequires: gd-devel >= 2.3.3 %else BuildRequires: libwebp-devel Provides: bundled(gd) = 2.0.35 @@ -961,8 +965,11 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in # upstream patches %patch100 -p1 -b .bug80682 %patch101 -p1 -b .bug80783 +%patch102 -p1 -b .pcre1038 # security patches +%patch200 -p1 -b .bug81719 +%patch201 -p1 -b .bug81720 # Fixes for tests %patch300 -p1 -b .datetests @@ -1909,6 +1916,12 @@ fi %changelog +* Tue Jun 7 2022 Remi Collet - 7.3.33-3 +- use oracle client library version 21.6 +- mysqlnd: fix #81719: mysqlnd/pdo password buffer overflow. CVE-2022-31626 +- pgsql: fix #81720: Uninitialized array in pg_query_params(). CVE-2022-31625 +- pcre: fix default options for pcre >= 10.38 + * Wed Feb 23 2022 Remi Collet - 7.3.33-2 - retrieve tzdata version - use oracle client library version 21.5 -- cgit