From 6a75ec7b86fc3f19b758a0e6525e9df7eb87a9f9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 1 Mar 2018 10:08:47 +0100 Subject: fix #73549: Use after free when stream is passed to imagepng fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response --- .gitignore | 10 ++++- bug73549.patch | 95 ++++++++++++++++++++++++++++++++++++++++++ bug73868.patch | 47 +++++++++++++++++++++ bug73869.patch | 45 ++++++++++++++++++++ bug74435.patch | 35 ++++++++++++++++ bug75571.patch | 58 ++++++++++++++++++++++++++ bug75981.patch | 68 ++++++++++++++++++++++++++++++ php-5.4.34-systzdata-v11.patch | 3 ++ php54.spec | 28 ++++++++++++- 9 files changed, 386 insertions(+), 3 deletions(-) create mode 100644 bug73549.patch create mode 100644 bug73868.patch create mode 100644 bug73869.patch create mode 100644 bug74435.patch create mode 100644 bug75571.patch create mode 100644 bug75981.patch diff --git a/.gitignore b/.gitignore index 4ab9ab5..6f69818 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,9 @@ -tembed5* +clog +package-*.xml +*.tgz +*.tar.gz +*.tar.bz2 +*.tar.xz +*.tar.xz.asc +*.src.rpm +*/*rpm diff --git a/bug73549.patch b/bug73549.patch new file mode 100644 index 0000000..5c39852 --- /dev/null +++ b/bug73549.patch @@ -0,0 +1,95 @@ +From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Thu, 17 Nov 2016 13:44:30 +0100 +Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng + +If a stream is passed to imagepng() or other image output functions, +opposed to a filename, we must not close this stream. +--- + NEWS | 3 +++ + ext/gd/gd_ctx.c | 18 +++++++++++++++++- + ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + create mode 100644 ext/gd/tests/bug73549.phpt + +diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c +index 34a9a00..acb96e1 100644 +--- a/ext/gd/gd_ctx.c ++++ b/ext/gd/gd_ctx.c +@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l) + + static void _php_image_stream_ctxfree(struct gdIOCtx *ctx) + { ++ if(ctx->data) { ++ ctx->data = NULL; ++ } ++ if(ctx) { ++ efree(ctx); ++ } ++} /* }}} */ ++ ++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */ ++{ + TSRMLS_FETCH(); + + if(ctx->data) { +@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + gdIOCtx *ctx = NULL; + zval *to_zval = NULL; + php_stream *stream; ++ int close_stream = 1; + + /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp(). + * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called +@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + if (stream == NULL) { + RETURN_FALSE; + } ++ close_stream = 0; + } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); +@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + ctx = emalloc(sizeof(gdIOCtx)); + ctx->putC = _php_image_stream_putc; + ctx->putBuf = _php_image_stream_putbuf; +- ctx->gd_free = _php_image_stream_ctxfree; ++ if (close_stream) { ++ ctx->gd_free = _php_image_stream_ctxfreeandclose; ++ } else { ++ ctx->gd_free = _php_image_stream_ctxfree; ++ } + ctx->data = (void *)stream; + } + +diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt +new file mode 100644 +index 0000000..e0cc6cf +--- /dev/null ++++ b/ext/gd/tests/bug73549.phpt +@@ -0,0 +1,22 @@ ++--TEST-- ++Bug #73549 (Use after free when stream is passed to imagepng) ++--SKIPIF-- ++ ++--FILE-- ++ ++===DONE=== ++--EXPECTF-- ++bool(true) ++resource(%d) of type (stream) ++===DONE=== ++--CLEAN-- ++ +-- +2.1.4 + diff --git a/bug73868.patch b/bug73868.patch new file mode 100644 index 0000000..6df0a22 --- /dev/null +++ b/bug73868.patch @@ -0,0 +1,47 @@ +Fix for CVE-2017-10168 +Backported for 5.4 without test and binary patch + + +From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 16 Aug 2016 18:23:36 +0200 +Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx() + +We must not pretend that there are image data if there are none. Instead +we fail reading the image file gracefully. + +(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab) +--- + ext/gd/libgd/gd_gd2.c | 8 ++++++-- + ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes + ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + create mode 100644 ext/gd/tests/bug73868.gd2 + create mode 100644 ext/gd/tests/bug73868.phpt + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index d06f328..196b785 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in) + for (x = xlo; x < xhi; x++) { + if (im->trueColor) { + if (!gdGetInt(&im->tpixels[y][x], in)) { +- im->tpixels[y][x] = 0; ++ php_gd_error("gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + } else { + int ch; + if (!gdGetByte(&ch, in)) { +- ch = 0; ++ php_gd_error("gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + im->pixels[y][x] = ch; + } +-- +2.1.4 + diff --git a/bug73869.patch b/bug73869.patch new file mode 100644 index 0000000..6e5b08e --- /dev/null +++ b/bug73869.patch @@ -0,0 +1,45 @@ +Fix for CVE-2017-10168 +Backported for 5.4 without test and binary patch + + +From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Sat, 17 Dec 2016 17:06:58 +0100 +Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c + +GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 +byte unsigned). These values are multiplied and assigned to an int when +reading the image, what can cause integer overflows. We have to avoid +that, and also make sure that either chunk count is actually greater +than zero. If illegal chunk counts are detected, we bail out from +reading the image. + +(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1) +--- + ext/gd/libgd/gd_gd2.c | 4 ++++ + ext/gd/tests/bug73869.phpt | 19 +++++++++++++++++++ + ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes + ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes + 4 files changed, 23 insertions(+) + create mode 100644 ext/gd/tests/bug73869.phpt + create mode 100644 ext/gd/tests/bug73869a.gd2 + create mode 100644 ext/gd/tests/bug73869b.gd2 + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index 196b785..3eba6b3 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in + GD2_DBG(php_gd_error("%d Chunks vertically", *ncy)); + + if (gd2_compressed(*fmt)) { ++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { ++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); ++ goto fail1; ++ } + nc = (*ncx) * (*ncy); + GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); + if (overflow2(sizeof(t_chunk_info), nc)) { +-- +2.1.4 + diff --git a/bug74435.patch b/bug74435.patch new file mode 100644 index 0000000..968078c --- /dev/null +++ b/bug74435.patch @@ -0,0 +1,35 @@ +Adapted for 5.4.13 +With test removed (binary patch not handled) + +From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 20 Jun 2017 16:45:42 +0200 +Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory + +The stack allocated color map buffers were not zeroed before usage, and +so undefined palette indexes could cause information leakage. +--- + ext/gd/libgd/gd_gif_in.c | 3 +++ + ext/gd/tests/bug74435.gif | Bin 0 -> 11464 bytes + ext/gd/tests/bug74435.phpt | 27 +++++++++++++++++++++++++++ + 3 files changed, 30 insertions(+) + create mode 100644 ext/gd/tests/bug74435.gif + create mode 100644 ext/gd/tests/bug74435.phpt + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index 74b7493..76ba152 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */ + int haveGlobalColormap; + gdImagePtr im = 0; + ++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ + /*1.4//imageNumber = 1; */ + if (! ReadOK(fd,buf,6)) { + return 0; +-- +2.1.4 + diff --git a/bug75571.patch b/bug75571.patch new file mode 100644 index 0000000..d35ca3a --- /dev/null +++ b/bug75571.patch @@ -0,0 +1,58 @@ +Backported for 5.4 without test and binary patch + +From 8d6e9588671136837533fe3785657c31c5b52767 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 29 Nov 2017 18:52:33 +0100 +Subject: [PATCH] Fixed bug #75571: Potential infinite loop in + gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. +--- + ext/gd/libgd/gd_gif_in.c | 10 +++++----- + ext/gd/tests/bug75571.gif | Bin 0 -> 1731 bytes + ext/gd/tests/bug75571.phpt | 15 +++++++++++++++ + 3 files changed, 20 insertions(+), 5 deletions(-) + create mode 100644 ext/gd/tests/bug75571.gif + create mode 100644 ext/gd/tests/bug75571.phpt + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index e0f0fe3..16776d3 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -261,10 +261,6 @@ terminated: + if (!im) { + return 0; + } +- if (!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } + /* Check for open colors at the end, so + we can reduce colorsTotal and ultimately + BitsPerPixel */ +@@ -275,6 +271,10 @@ terminated: + break; + } + } ++ if (!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } + return im; + } + /* }}} */ +@@ -375,7 +375,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if (flag) { + scd->curbit = 0; +-- +2.1.4 + diff --git a/bug75981.patch b/bug75981.patch new file mode 100644 index 0000000..27af03b --- /dev/null +++ b/bug75981.patch @@ -0,0 +1,68 @@ +From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 20 Feb 2018 15:34:43 -0800 +Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start + +--- + ext/standard/http_fopen_wrapper.c | 4 ++-- + ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + create mode 100644 ext/standard/tests/http/bug75981.phpt + +diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c +index ed6adc0..78bd935 100644 +--- a/ext/standard/http_fopen_wrapper.c ++++ b/ext/standard/http_fopen_wrapper.c +@@ -737,9 +737,9 @@ finish: + tmp_line, response_code); + } + } +- if (tmp_line[tmp_line_len - 1] == '\n') { ++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') { + --tmp_line_len; +- if (tmp_line[tmp_line_len - 1] == '\r') { ++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') { + --tmp_line_len; + } + } +diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt +new file mode 100644 +index 0000000..d415de6 +--- /dev/null ++++ b/ext/standard/tests/http/bug75981.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #75981 (stack-buffer-overflow while parsing HTTP response) ++--INI-- ++allow_url_fopen=1 ++--SKIPIF-- ++ ++--FILE-- ++ [ ++ 'protocol_version' => '1.1', ++ 'header' => 'Connection: Close' ++ ], ++]; ++ ++$ctx = stream_context_create($options); ++ ++$responses = [ ++ "data://text/plain,000000000100\xA\xA" ++]; ++$pid = http_server('tcp://127.0.0.1:12342', $responses); ++ ++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx); ++ ++http_server_kill($pid); ++ ++?> ++DONE ++--EXPECT-- ++DONE +-- +2.1.4 + diff --git a/php-5.4.34-systzdata-v11.patch b/php-5.4.34-systzdata-v11.patch index bfca49b..a12320c 100644 --- a/php-5.4.34-systzdata-v11.patch +++ b/php-5.4.34-systzdata-v11.patch @@ -1,3 +1,6 @@ +# License: MIT +# http://opensource.org/licenses/MIT + Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired. diff --git a/php54.spec b/php54.spec index 4f653e0..f85cacf 100644 --- a/php54.spec +++ b/php54.spec @@ -98,7 +98,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.45 -Release: 13%{?dist} +Release: 14%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -222,6 +222,12 @@ Patch261: bug73737.patch Patch262: bug73764.patch Patch263: bug73768.patch Patch264: bug73773.patch +Patch265: bug73549.patch +Patch266: bug73868.patch +Patch267: bug73869.patch +Patch268: bug74435.patch +Patch269: bug75571.patch +Patch270: bug75981.patch # Fixes for tests # no_NO issue @@ -994,6 +1000,12 @@ rm -f ext/json/utf8_to_utf16.* %patch262 -p1 -b .bug73764 %patch263 -p1 -b .bug73768 %patch264 -p1 -b .bug73773 +%patch265 -p1 -b .bug73549 +%patch266 -p1 -b .bug73868 +%patch267 -p1 -b .bug73869 +%patch268 -p1 -b .bug74435 +%patch269 -p1 -b .bug75571 +%patch270 -p1 -b .bug75981 # Fixes for tests %patch301 -p1 -b .datetests2 @@ -1659,7 +1671,7 @@ cat << EOF backported from 5.5 or 5.6, The UPGRADE to a maintained version is very strongly RECOMMENDED. -%if %{?fedora}%{!?fedora:99} < 24 +%if %{?fedora}%{!?fedora:99} < 26 WARNING : Fedora %{fedora} is now EOL : You should consider upgrading to a supported release %endif @@ -1880,6 +1892,18 @@ fi %changelog +* Thu Mar 1 2018 Remi Collet - 5.4.45-14 +- fix #73549: Use after free when stream is passed to imagepng +- fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() + CVE-2016-10167 +- fix #73869: Signed Integer Overflow gd_io.c + CVE-2016-10168 +- fix #74435: Buffer over-read into uninitialized memory + CVE-2017-7890 +- fix #75571: Potential infinite loop in gdImageCreateFromGifCtx + CVE-2018-5711 +- fix #75981: stack-buffer-overflow while parsing HTTP response + * Sat Feb 18 2017 Remi Collet - 5.4.45-13 - fix #73737: FPE when parsing a tag format CVE-2016-10158 -- cgit