diff options
| author | Remi Collet <remi@remirepo.net> | 2019-10-22 14:33:24 +0200 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2019-10-22 14:33:24 +0200 |
| commit | a4201fe247b1230830bcf7f8b89db5b699f7ca99 (patch) | |
| tree | ef3eb8fd1d5185d8b37814ce5f3d430384dec578 | |
| parent | fe5d970fb9bac5d6db1801db7a40355810895891 (diff) | |
Fix CVE-2019-11043 env_path_info underflow in fpm_main.c
| -rw-r--r-- | bug78599.patch | 33 | ||||
| -rw-r--r-- | php55.spec | 8 |
2 files changed, 40 insertions, 1 deletions
diff --git a/bug78599.patch b/bug78599.patch new file mode 100644 index 0000000..6ce8f02 --- /dev/null +++ b/bug78599.patch @@ -0,0 +1,33 @@ +Backported for 5.5 from: + + + +From c69bcb212b37900fd61daaf38762e4974cb4dcc9 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Sat, 12 Oct 2019 15:56:16 +0100 +Subject: [PATCH 1/2] Fix bug #78599 (env_path_info underflow can lead to RCE) + (CVE-2019-11043) + +cheery-picked from ab061f95ca966731b1c84cf5b7b20155c0a1c06a +without the test as tester not available +--- + sapi/fpm/fpm/fpm_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c +index d12ac01859..22b889c167 100644 +--- a/sapi/fpm/fpm/fpm_main.c ++++ b/sapi/fpm/fpm/fpm_main.c +@@ -1214,8 +1214,8 @@ static void init_request_info(TSRMLS_D) + path_info = script_path_translated + ptlen; + tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); + } else { +- path_info = env_path_info ? env_path_info + pilen - slen : NULL; +- tflag = (orig_path_info != path_info); ++ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; ++ tflag = path_info && (orig_path_info != path_info); + } + + if (tflag) { + + @@ -141,7 +141,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.5.38 -Release: 11%{?dist} +Release: 12%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -265,6 +265,7 @@ Patch159: bug77020.patch Patch160: bug77231.patch Patch161: bug77242.patch Patch162: bug77380.patch +Patch163: bug78599.patch # Security fixes (200+) @@ -1093,6 +1094,7 @@ rm -rf ext/json %patch160 -p1 -b .bug77231 %patch161 -p1 -b .bug77242 %patch162 -p1 -b .bug77380 +%patch163 -p1 -b .bug78599 # Fixes for tests %patch300 -p1 -b .datetests @@ -2117,6 +2119,10 @@ EOF %changelog +* Tue Oct 22 2019 Remi Collet <remi@remirepo.net> - 5.5.38-12 +- FPM: + Fix CVE-2019-11043 env_path_info underflow in fpm_main.c + * Fri Jan 11 2019 Remi Collet <remi@remirepo.net> - 5.5.38-11 - Fix #77242 heap out of bounds read in xmlrpc_decode - Fix #77380 Global out of bounds read in xmlrpc base64 code |