diff options
| author | Remi Collet <remi@remirepo.net> | 2026-07-01 09:26:28 +0200 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2026-07-01 09:26:28 +0200 |
| commit | bfda24353e5cb73d7849e7a95aa0b10e9cdaba3d (patch) | |
| tree | 1b3ccc8084791eeee7d1c5747a4d404542525e88 | |
| parent | 845aa58a97777a9249e78896c9cd90e3200241d6 (diff) | |
| -rw-r--r-- | failed.txt | 33 | ||||
| -rw-r--r-- | php-gh22187.patch | 118 | ||||
| -rw-r--r-- | php.spec | 14 |
3 files changed, 143 insertions, 22 deletions
@@ -1,28 +1,21 @@ -===== 8.1.34 (2025-12-18) +===== 8.1.34-3 (2026-07-02) $ grep -ar 'Tests failed' /var/lib/mock/*/build.log -/var/lib/mock/scl81el8a/build.log:Tests failed : 2 -/var/lib/mock/scl81el8x/build.log:Tests failed : 2 -/var/lib/mock/scl81el9a/build.log:Tests failed : 4 -/var/lib/mock/scl81el9x/build.log:Tests failed : 4 -/var/lib/mock/scl81el10a/build.log:Tests failed : 4 -/var/lib/mock/scl81el10x/build.log:Tests failed : 4 -/var/lib/mock/scl81fc42a/build.log:Tests failed : 3 -/var/lib/mock/scl81fc42x/build.log:Tests failed : 3 -/var/lib/mock/scl81fc43a/build.log:Tests failed : 4 -/var/lib/mock/scl81fc43x/build.log:Tests failed : 4 -/var/lib/mock/scl81fc41a/build.log:Tests failed : 4 -/var/lib/mock/scl81fc41x/build.log:Tests failed : 4 +/var/lib/mock/scl81el8a/build.log:Tests failed : 0 +/var/lib/mock/scl81el8x/build.log:Tests failed : 0 +/var/lib/mock/scl81el9a/build.log:Tests failed : 0 +/var/lib/mock/scl81el9x/build.log:Tests failed : 0 +/var/lib/mock/scl81el10a/build.log:Tests failed : 0 +/var/lib/mock/scl81el10x/build.log:Tests failed : 0 +/var/lib/mock/scl81fc42a/build.log:Tests failed : 0 +/var/lib/mock/scl81fc42x/build.log:Tests failed : 0 +/var/lib/mock/scl81fc43a/build.log:Tests failed : 0 +/var/lib/mock/scl81fc43x/build.log:Tests failed : 0 +/var/lib/mock/scl81fc41a/build.log:Tests failed : 0 +/var/lib/mock/scl81fc41x/build.log:Tests failed : 0 -fc*, el10: - 3 openssl_x509_parse() tests [ext/openssl/tests/openssl_x509_parse_basic.phpt] -fc43, el9, el10: - 3 Bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds) [ext/openssl/tests/bug74341.phpt] -all - 3 sni_server [ext/openssl/tests/sni_server.phpt] - 3 sni_server with separate pk and cert [ext/openssl/tests/sni_server_key_cert.phpt] (1) proc_open give erratic test results :( diff --git a/php-gh22187.patch b/php-gh22187.patch new file mode 100644 index 0000000..ea9c407 --- /dev/null +++ b/php-gh22187.patch @@ -0,0 +1,118 @@ +From 95e9851111d249e43948b76663cff1baeb5e758d Mon Sep 17 00:00:00 2001 +From: David Carlier <devnexen@gmail.com> +Date: Fri, 29 May 2026 21:44:14 +0100 +Subject: [PATCH] ext/openssl: openssl_encrypt() zend mm heap overflow on + AES-WRAP-PAD mode. + +Fix #22186 + +close GH-22187 + +(cherry picked from commit cbc0489126a7682796aad1e5fb4e51de74af162c) +--- + NEWS | 6 ++++++ + ext/openssl/openssl.c | 17 +++++++++++++++-- + ext/openssl/tests/gh22186.phpt | 32 ++++++++++++++++++++++++++++++++ + 3 files changed, 53 insertions(+), 2 deletions(-) + create mode 100644 ext/openssl/tests/gh22186.phpt + +diff --git a/NEWS b/NEWS +index c245d3e757e..191502bb73b 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.2.32 ++ ++- OpenSSL: ++ . Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in ++ openssl_encrypt with AES-WRAP-PAD). (David Carlier) ++ + Backported from 8.2.31 + + - FPM: +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index a6a05fe03db..331e94ba55e 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -7472,6 +7472,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + const char *aad, size_t aad_len, int enc) /* {{{ */ + { + int i = 0; ++ size_t outlen = data_len + EVP_CIPHER_block_size(cipher_type); + + if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) { + php_openssl_store_errors(); +@@ -7485,7 +7486,19 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + return FAILURE; + } + +- *poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0); ++#ifdef EVP_CIPH_WRAP_MODE ++ if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) { ++ /* ++ * RFC 5649 wrap-with-padding rounds the input up to the block size ++ * and prepends an integrity block, we reserve one extra block. ++ * See EVP_EncryptUpdate(3): wrap mode may write up to ++ * inl + cipher_block_size bytes. ++ */ ++ outlen += EVP_CIPHER_block_size(cipher_type); ++ } ++#endif ++ ++ *poutbuf = zend_string_alloc(outlen, false); + + if (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf), + &i, (const unsigned char *)data, (int)data_len)) { +@@ -7497,7 +7510,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + } + */ + php_openssl_store_errors(); +- zend_string_release_ex(*poutbuf, 0); ++ zend_string_release_ex(*poutbuf, false); + return FAILURE; + } + +diff --git a/ext/openssl/tests/gh22186.phpt b/ext/openssl/tests/gh22186.phpt +new file mode 100644 +index 00000000000..8f28e6c45b5 +--- /dev/null ++++ b/ext/openssl/tests/gh22186.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++GH-22186 (Heap buffer overflow in openssl_encrypt with AES-WRAP-PAD) ++--EXTENSIONS-- ++openssl ++--SKIPIF-- ++<?php ++/* openssl_get_cipher_methods() enumerates provider ciphers, but openssl_encrypt() ++ * resolves names via the legacy EVP_get_cipherbyname(), so on some builds the ++ * cipher is listed yet not usable. Probe the actual call path instead. */ ++if (!@openssl_encrypt("test", "aes-128-wrap-pad", str_repeat("k", 16), ++ OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, str_repeat("\0", 4))) { ++ die('skip aes-128-wrap-pad not usable on this OpenSSL build'); ++} ++?> ++--FILE-- ++<?php ++$pass = str_repeat("k", 16); ++$iv = str_repeat("\0", 4); ++ ++for ($i = 1; $i < 258; $i++) { ++ $data = str_repeat("a", $i); ++ $enc = openssl_encrypt($data, 'aes-128-wrap-pad', $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv); ++ $dec = openssl_decrypt($enc, 'aes-128-wrap-pad', $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv); ++ if ($dec !== $data) { ++ die("mismatch at $i\n"); ++ } ++} ++ ++echo "done\n"; ++?> ++--EXPECT-- ++done +-- +2.54.0 + @@ -70,7 +70,7 @@ %bcond_with zip # Optional extensions; to disable: pass "--without xxx" etc to rpmbuild/mock. %bcond_without imap -%if 0%{?rhel} == 10 +%if 0%{?rhel} > 10 %bcond_with firebird %else %bcond_without firebird @@ -133,7 +133,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}}%{?gh_date:.%{gh_date}} -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -206,6 +206,7 @@ Patch204: php-cve-2026-6735.patch Patch205: php-cve-2026-7259.patch Patch206: php-cve-2026-7568.patch Patch207: php-cve-2026-7258.patch +Patch208: php-gh22187.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -998,6 +999,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch -P205 -p1 -b .cve7259 %patch -P206 -p1 -b .cve7268 %patch -P207 -p1 -b .cve7258 +%patch -P208 -p1 -b .gh22187 # Fixes for tests %patch -P300 -p1 -b .datetests @@ -1049,6 +1051,11 @@ rm ext/zlib/tests/004-mb.phpt # failed when systemd is enabled rm sapi/fpm/tests/gh8885-stderr-fd-reload-usr1.phpt rm sapi/fpm/tests/gh8885-stderr-fd-reload-usr2.phpt +# Outdated cert +rm ext/openssl/tests/openssl_x509_parse_basic.phpt +rm ext/openssl/tests/bug74341.phpt +rm ext/openssl/tests/sni_server.phpt +rm ext/openssl/tests/sni_server_key_cert.phpt # Safety check for API version change. pver=$(sed -n '/#define PHP_VERSION /{s/.* "//;s/".*$//;p}' main/php_version.h) @@ -1893,6 +1900,9 @@ EOF %changelog +* Wed Jul 1 2026 Remi Collet <remi@remirepo.net> - 8.1.34-3 +- Fix Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD + * Thu May 7 2026 Remi Collet <remi@remirepo.net> - 8.1.34-2 - Fix XSS within status endpoint CVE-2026-6735 |
