diff options
author | Remi Collet <remi@remirepo.net> | 2018-12-10 18:15:14 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-12-10 18:15:14 +0100 |
commit | 474971c0b5e4ce5b004b726ece8ee41c57181ea7 (patch) | |
tree | 5dcc410438cfa0754c7e0b5446822478884ac50d /bug77020.patch | |
parent | 8d7778b180a2bae4dd69f32c3d3b404784f78ff5 (diff) |
Fix #77231 Segfault when using convert.quoted-printable-encode filter
Fix #77020 null pointer dereference in imap_mail CVE-2018-19935
Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
Diffstat (limited to 'bug77020.patch')
-rw-r--r-- | bug77020.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/bug77020.patch b/bug77020.patch new file mode 100644 index 0000000..c4a080c --- /dev/null +++ b/bug77020.patch @@ -0,0 +1,51 @@ +Backported for 5.4/5.5, from 5.6, by Remi + + +From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Nov 2018 10:04:01 -0800 +Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail + +If an empty $message is passed to imap_mail(), we must not set message +to NULL, since _php_imap_mail() is not supposed to handle NULL pointers +(opposed to pointers to NUL). +--- + NEWS | 1 + + ext/imap/php_imap.c | 1 - + ext/imap/tests/bug77020.phpt | 15 +++++++++++++++ + 3 files changed, 16 insertions(+), 1 deletion(-) + create mode 100644 ext/imap/tests/bug77020.phpt + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index a23e84c08521..b30440f000f3 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -4088,7 +4088,6 @@ PHP_FUNCTION(imap_mail) + if (!message_len) { + /* this is not really an error, so it is allowed. */ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command"); +- message = NULL; + } + + if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) { +diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt +new file mode 100644 +index 000000000000..8a65232eec6d +--- /dev/null ++++ b/ext/imap/tests/bug77020.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #77020 (null pointer dereference in imap_mail) ++--SKIPIF-- ++<?php ++if (!extension_loaded('imap')) die('skip imap extension not available'); ++?> ++--FILE-- ++<?php ++imap_mail('1', 1, NULL); ++?> ++===DONE=== ++--EXPECTF-- ++Warning: imap_mail(): No message string in mail command in %s on line %d ++%s ++===DONE=== |