From 1336d456e93c07227d6a4b0ff442923216af35f8 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 14 Feb 2023 10:32:39 +0100
Subject: fix #81744: Password_verify() always return true with some hash CVE-2023-0567 fix #81746: 1-byte array overrun in common path resolve code CVE-2023-0568 fix DOS vulnerability when parsing multipart request body CVE-2023-0662 add dependency on pcre2 minimal version

---
 php.spec | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

(limited to 'php.spec')

diff --git a/php.spec b/php.spec
index b58b04a..d825595 100644
--- a/php.spec
+++ b/php.spec
@@ -65,7 +65,12 @@
 
 # Optional components; pass "--with mssql" etc to rpmbuild.
 %global with_oci8 %{?_with_oci8:1}%{!?_with_oci8:0}
+%if 0%{?fedora} >= 38 || 0%{?rhel} >= 10
+# uw-imap is not available
+%global with_imap 0
+%else
 %global with_imap 1
+%endif
 %global with_interbase 1
 %global with_freetds 1
 %global with_tidy 1
@@ -110,7 +115,7 @@ Summary: PHP scripting language for creating dynamic web sites
 
 Name: %{?scl_prefix}php
 Version: %{upver}%{?rcver:~%{rcver}}%{?gh_date:.%{gh_date}}
-Release: 2%{?dist}
+Release: 4%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -176,6 +181,9 @@ Patch91: php-7.2.0-oci8conf.patch
 
 # Security fixes (200+)
 Patch200: php-bug81740.patch
+Patch201: php-bug81744.patch
+Patch202: php-bug81746.patch
+Patch203: php-cve-2023-0662.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
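Review bot: The three new Patch lines mix two naming schemes — `php-bug81744.patch` and `php-bug81746.patch` carry the upstream bug number while `php-cve-2023-0662.patch` carries the CVE id — so a reader of the spec cannot tell which CVE the two bug-numbered patches close without opening the changelog. Since this list sits under `# Security fixes (200+)`, a comment line above each patch keeps it self-describing: `# CVE-2023-0567` above `Patch201:` and `# CVE-2023-0568` above `Patch202:`, mirroring the id already in the Patch203 filename. The patch files themselves are not part of this diff, so whether they match the upstream fixes for those bugs cannot be checked here.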
@@ -354,6 +362,12 @@ Summary: Common files for PHP
 # fileinfo is licensed under PHP version 3.0
 # regex, libmagic are licensed under BSD
 License: PHP and BSD
+
+%if %{with_libpcre}
+%global pcre2_buildver %(pkg-config --silence-errors --modversion libpcre2-8 2>/dev/null || echo 10.30)
+Requires: pcre2%{?_isa} >= %{pcre2_buildver}
+%endif
+
 # ABI/API check - Arch specific
 Provides: %{?scl_prefix}php(api) = %{apiver}-%{__isa_bits}
 Provides: %{?scl_prefix}php(zend-abi) = %{zendver}-%{__isa_bits}
@@ -955,6 +969,9 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
 
 # security patches
 %patch200 -p1 -b .bug81740
+%patch201 -p1 -b .bug81744
+%patch202 -p1 -b .bug81746
+%patch203 -p1 -b .cve0662
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1678,7 +1695,7 @@ cat << EOF
 
 WARNING : PHP 7.4 have reached its "End of Life" in November 2022.
 Even, if this package includes some of
-the important security fix, backported from 8.0, the
+the important security fixes, backported from 8.0, the
 UPGRADE to a maintained version is very strongly
 RECOMMENDED.
 =====================================================================
@@ -1844,7 +1861,16 @@ EOF
 
 
 %changelog
-* Mon Dec 19 2022 Remi Collet - 7.4.33-1
+* Tue Feb 14 2023 Remi Collet - 7.4.33-4
+- fix #81744: Password_verify() always return true with some hash
+ CVE-2023-0567
+- fix #81746: 1-byte array overrun in common path resolve code
+ CVE-2023-0568
+- fix DOS vulnerability when parsing multipart request body
+ CVE-2023-0662
+- add dependency on pcre2 minimal version
+
+* Mon Dec 19 2022 Remi Collet - 7.4.33-2
 - pdo: fix #81740: PDO::quote() may return unquoted string
 CVE-2022-31631
 - use oracle client library version 21.8
-- cgit
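Review bot: The `|| echo 10.30` fallback in the `%global pcre2_buildver` line silently weakens the new runtime dependency to `pcre2 >= 10.30` whenever `pkg-config` or `libpcre2-8.pc` is missing at spec-parse time, and `--silence-errors` plus `2>/dev/null` hide that this happened; a binary built that way could install on a pcre2 older than the one it was linked against, which is the mismatch this `Requires:` exists to prevent. The fallback is presumably there so the SRPM can be built on a host without pcre2 development files; that intent should be stated next to it, e.g. `# fallback is for SRPM builds only: during the binary build pkgconfig(libpcre2-8) is installed and the real version is captured`. Whether `BuildRequires: pkgconfig(libpcre2-8)` is actually declared, and whether `%{with_libpcre}` is defined, lies outside this hunk and is worth confirming before relying on the fallback never firing in a binary build.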