summaryrefslogtreecommitdiffstats
path: root/bug77020.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-12-10 18:15:14 +0100
committerRemi Collet <remi@remirepo.net>2018-12-10 18:15:14 +0100
commit474971c0b5e4ce5b004b726ece8ee41c57181ea7 (patch)
tree5dcc410438cfa0754c7e0b5446822478884ac50d /bug77020.patch
parent8d7778b180a2bae4dd69f32c3d3b404784f78ff5 (diff)
Fix #77231 Segfault when using convert.quoted-printable-encode filter
Fix #77020 null pointer dereference in imap_mail CVE-2018-19935 Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
Diffstat (limited to 'bug77020.patch')
-rw-r--r--bug77020.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/bug77020.patch b/bug77020.patch
new file mode 100644
index 0000000..c4a080c
--- /dev/null
+++ b/bug77020.patch
@@ -0,0 +1,51 @@
+Backported for 5.4/5.5, from 5.6, by Remi
+
+
+From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Nov 2018 10:04:01 -0800
+Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail
+
+If an empty $message is passed to imap_mail(), we must not set message
+to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
+(opposed to pointers to NUL).
+---
+ NEWS | 1 +
+ ext/imap/php_imap.c | 1 -
+ ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/imap/tests/bug77020.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index a23e84c08521..b30440f000f3 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -4088,7 +4088,6 @@ PHP_FUNCTION(imap_mail)
+ if (!message_len) {
+ /* this is not really an error, so it is allowed. */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command");
+- message = NULL;
+ }
+
+ if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) {
+diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
+new file mode 100644
+index 000000000000..8a65232eec6d
+--- /dev/null
++++ b/ext/imap/tests/bug77020.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #77020 (null pointer dereference in imap_mail)
++--SKIPIF--
++<?php
++if (!extension_loaded('imap')) die('skip imap extension not available');
++?>
++--FILE--
++<?php
++imap_mail('1', 1, NULL);
++?>
++===DONE===
++--EXPECTF--
++Warning: imap_mail(): No message string in mail command in %s on line %d
++%s
++===DONE===