diff options
-rw-r--r-- | php-bug81738.patch | 113 | ||||
-rw-r--r-- | php-bug81739.patch | 70 | ||||
-rw-r--r-- | php.spec | 13 |
3 files changed, 6 insertions, 190 deletions
diff --git a/php-bug81738.patch b/php-bug81738.patch deleted file mode 100644 index 9a3fa1c..0000000 --- a/php-bug81738.patch +++ /dev/null @@ -1,113 +0,0 @@ -Cleanup from upstream - - - -From 248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev <smalyshev@gmail.com> -Date: Thu, 20 Oct 2022 23:57:35 -0600 -Subject: [PATCH] Fix bug #81738 (buffer overflow in hash_update() on long - parameter) - ---- - NEWS | 4 ++++ - ext/hash/sha3/generic32lc/KeccakSponge.inc | 14 ++++++++------ - ext/hash/sha3/generic64lc/KeccakSponge.inc | 14 ++++++++------ - main/php_version.h | 10 +++++----- - 4 files changed, 25 insertions(+), 17 deletions(-) - -diff --git a/ext/hash/sha3/generic32lc/KeccakSponge.inc b/ext/hash/sha3/generic32lc/KeccakSponge.inc -index 42a15aac6d93..f8c42ff788b7 100644 ---- a/ext/hash/sha3/generic32lc/KeccakSponge.inc -+++ b/ext/hash/sha3/generic32lc/KeccakSponge.inc -@@ -160,7 +160,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { - #ifdef SnP_FastLoop_Absorb - /* processing full blocks first */ - if ((rateInBytes % (SnP_width/200)) == 0) { -@@ -186,9 +186,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - } - else { - /* normal lane: using the message queue */ -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif -@@ -263,7 +264,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); -@@ -280,9 +281,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); -diff --git a/ext/hash/sha3/generic64lc/KeccakSponge.inc b/ext/hash/sha3/generic64lc/KeccakSponge.inc -index 42a15aac6d93..f8c42ff788b7 100644 ---- a/ext/hash/sha3/generic64lc/KeccakSponge.inc -+++ b/ext/hash/sha3/generic64lc/KeccakSponge.inc -@@ -160,7 +160,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { - #ifdef SnP_FastLoop_Absorb - /* processing full blocks first */ - if ((rateInBytes % (SnP_width/200)) == 0) { -@@ -186,9 +186,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - } - else { - /* normal lane: using the message queue */ -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif -@@ -263,7 +264,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); -@@ -280,9 +281,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); diff --git a/php-bug81739.patch b/php-bug81739.patch deleted file mode 100644 index f76e8c0..0000000 --- a/php-bug81739.patch +++ /dev/null @@ -1,70 +0,0 @@ -From d50532be91f054ef9beb1afca2ea94f4a70f7c4d Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" <cmbecker69@gmx.de> -Date: Tue, 18 Oct 2022 12:13:16 +0200 -Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in - imageloadfont() - -If we swap the byte order of the relevant header bytes, we need to make -sure again that the following multiplication does not overflow. ---- - ext/gd/gd.c | 7 +++++++ - ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++ - 2 files changed, 31 insertions(+) - create mode 100644 ext/gd/tests/bug81739.phpt - -diff --git a/ext/gd/gd.c b/ext/gd/gd.c -index 336a73969267..fde93bba496f 100644 ---- a/ext/gd/gd.c -+++ b/ext/gd/gd.c -@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont) - font->w = FLIPWORD(font->w); - font->h = FLIPWORD(font->h); - font->nchars = FLIPWORD(font->nchars); -+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { -+ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header"); -+ efree(font); -+ php_stream_close(stream); -+ RETURN_FALSE; -+ } - body_size = font->w * font->h * font->nchars; - } - -@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont) - RETURN_FALSE; - } - -+ ZEND_ASSERT(body_size > 0); - font->data = emalloc(body_size); - b = 0; - while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) { -diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt -new file mode 100644 -index 000000000000..cc2a90381bab ---- /dev/null -+++ b/ext/gd/tests/bug81739.phpt -@@ -0,0 +1,24 @@ -+--TEST-- -+Bug #81739 (OOB read due to insufficient validation in imageloadfont()) -+--SKIPIF-- -+<?php -+if (!extension_loaded("gd")) die("skip gd extension not available"); -+?> -+--FILE-- -+<?php -+$s = fopen(__DIR__ . "/font.font", "w"); -+// header without character data -+fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"); -+fclose($s); -+var_dump(imageloadfont(__DIR__ . "/font.font")); -+?> -+--CLEAN-- -+<?php -+@unlink(__DIR__ . "/font.font"); -+?> -+--EXPECTF-- -+Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully -+ in %s on line %d -+ -+Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d -+bool(false) -\ No newline at end of file @@ -104,13 +104,13 @@ #global gh_date 20190612 %global gh_owner php %global gh_project php-src -%global upver 7.4.32 +%global upver 7.4.33 #global rcver RC1 Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}}%{?gh_date:.%{gh_date}} -Release: 2%{?dist} +Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -175,8 +175,6 @@ Patch91: php-7.2.0-oci8conf.patch # Upstream fixes (100+) # Security fixes (200+) -Patch200: php-bug81738.patch -Patch201: php-bug81739.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -955,8 +953,6 @@ rm ext/openssl/tests/p12_with_extra_certs.p12 # upstream patches # security patches -%patch200 -p1 -b .81738 -%patch201 -p1 -b .81739 # Fixes for tests %patch300 -p1 -b .datetests @@ -985,9 +981,9 @@ rm ext/date/tests/timezone_location_get.phpt %if 0%{?fedora} < 28 # need tzdata 2018i rm ext/date/tests/bug33414-1.phpt -rm ext/date/tests/bug33415-2.phpt rm ext/date/tests/date_modify-1.phpt %endif +rm ext/date/tests/bug33415-2.phpt # too fast builder rm ext/date/tests/bug73837.phpt # fails sometime @@ -1833,6 +1829,9 @@ fi %changelog +* Tue Nov 1 2022 Remi Collet <remi@remirepo.net> - 7.4.33-1 +- Update to 7.4.33 - http://www.php.net/releases/7_4_33.php + * Wed Oct 26 2022 Remi Collet <remi@remirepo.net> - 7.4.32-2 - add upstream fix for CVE-2022-31630 and CVE-2022-37454 |