diff options
author | Remi Collet <remi@remirepo.net> | 2019-07-30 11:12:58 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-07-30 11:12:58 +0200 |
commit | 671d9816d288c0bda30629fdaa1235c3baf5cc16 (patch) | |
tree | 25938cf83b834f3faeb5436bf5bbd45e67f8061e | |
parent | e8d44282fed603ea166c157ea7cc7ddc4fe0c9ef (diff) |
- exif:
Fix #78256 heap-buffer-overflow on exif_process_user_comment
CVE-2019-11042
Fix #78222 heap-buffer-overflow on exif_scan_thumbnail
CVE-2019-11041
- phar:
Fix #77919 Potential UAF in Phar RSHUTDOWN
-rw-r--r-- | failed.txt | 6 | ||||
-rw-r--r-- | php-bug77919.patch | 74 | ||||
-rw-r--r-- | php-bug78222.patch | 32 | ||||
-rw-r--r-- | php-bug78256.patch | 47 | ||||
-rw-r--r-- | php56.spec | 17 |
5 files changed, 173 insertions, 3 deletions
@@ -1,9 +1,9 @@ -===== 5.6.40-9 (2019-05-28) +===== 5.6.40-12 (2019-07-30) $ grep -r 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el6i/build.log:Tests failed : 4 -/var/lib/mock/el6x/build.log:Tests failed : 0 +/var/lib/mock/el6x/build.log:Tests failed : 1 /var/lib/mock/el7x/build.log:Tests failed : 0 @@ -12,6 +12,8 @@ el6i: 4 Test getdate() function : usage variation - Passing high positive and negative float values to timestamp. [ext/date/tests/getdate_variation7.phpt] Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt] Peer verification matches SAN names [ext/openssl/tests/san_peer_matching.phpt] +el6x: + Test disk_free_space and its alias diskfreespace() functions : basic functionality [ext/standard/tests/file/disk_free_space_basic.phpt] 1 proc_open have erratic results... :( diff --git a/php-bug77919.patch b/php-bug77919.patch new file mode 100644 index 0000000..4245a5d --- /dev/null +++ b/php-bug77919.patch @@ -0,0 +1,74 @@ +From 245e5011da14098b8158cf5c5400483399729298 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Mon, 29 Jul 2019 16:08:03 +0200 +Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN + +We have to properly clean up in case phar_flush() is failing. + +We also make the expectation of the respective test case less liberal +to avoid missing such bugs in the future. + +(cherry picked from commit cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d) +--- + NEWS | 10 ++++++++++ + ext/phar/phar_object.c | 4 +++- + ext/phar/tests/bug71488.phpt | 5 ++++- + 3 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index 3f49461732..5039cdf59d 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,17 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.1.31 ++ ++- EXIF: ++ . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). ++ (CVE-2019-11042) (Stas) ++ . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). ++ (CVE-2019-11041) (Stas) ++ ++- Phar: ++ . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb) ++ + Backported from 7.1.30 + + - EXIF: +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 77e08c52a5..d69837218f 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -2026,7 +2026,7 @@ static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool + char *newname = NULL, *newpath = NULL; + zval *ret, arg1; + zend_class_entry *ce; +- char *error; ++ char *error = NULL; + const char *pcr_error; + int ext_len = ext ? strlen(ext) : 0; + int oldname_len; +@@ -2186,6 +2186,8 @@ static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool + phar_flush(phar, 0, 0, 1, &error TSRMLS_CC); + + if (error) { ++ zend_hash_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len); ++ *sphar = NULL; + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s", error); + efree(error); + efree(oldpath); +diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt +index 8468ce212a..b8c0f33250 100644 +--- a/ext/phar/tests/bug71488.phpt ++++ b/ext/phar/tests/bug71488.phpt +@@ -15,4 +15,7 @@ DONE + ?> + --EXPECTF-- + Fatal error: Uncaught exception 'BadMethodCallException' with message 'tar-based phar "%sbug71488.test" cannot be created, link "%s" is too long for format' in %sbug71488.php:%d +-Stack trace:%A ++Stack trace: ++#0 %s(%d): PharData->decompress('test') ++#1 {main} ++ thrown in %s on line %d diff --git a/php-bug78222.patch b/php-bug78222.patch new file mode 100644 index 0000000..13ea1d5 --- /dev/null +++ b/php-bug78222.patch @@ -0,0 +1,32 @@ +Without test as binary patch not supported + + + + +From 13cbda640120afdaf68f44bb482723d451bc86ec Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 7 Jul 2019 17:01:01 -0700 +Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail) + +(cherry picked from commit dea2989ab8ba87a6180af497b2efaf0527e985c5) +--- + ext/exif/exif.c | 2 +- + ext/exif/tests/bug78222.jpg | Bin 0 -> 91 bytes + ext/exif/tests/bug78222.phpt | 11 +++++++++++ + 3 files changed, 12 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug78222.jpg + create mode 100644 ext/exif/tests/bug78222.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index b6c31773ab..a5fa0b8fb0 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3508,7 +3508,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC) + size_t length=2, pos=0; + jpeg_sof_info sof_info; + +- if (!data) { ++ if (!data || ImageInfo->Thumbnail.size < 4) { + return FALSE; /* nothing to do here */ + } + if (memcmp(data, "\xFF\xD8\xFF", 3)) { diff --git a/php-bug78256.patch b/php-bug78256.patch new file mode 100644 index 0000000..553bcac --- /dev/null +++ b/php-bug78256.patch @@ -0,0 +1,47 @@ +Without test as binary patch not supported + + + + +From 63c0ed60c2b5580b1542690d52d4a26401342563 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 7 Jul 2019 17:39:59 -0700 +Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on + exif_process_user_comment) + +(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05) +--- + ext/exif/exif.c | 6 +++--- + ext/exif/tests/bug78256.jpg | Bin 0 -> 69 bytes + ext/exif/tests/bug78256.phpt | 11 +++++++++++ + 3 files changed, 14 insertions(+), 3 deletions(-) + create mode 100644 ext/exif/tests/bug78256.jpg + create mode 100644 ext/exif/tests/bug78256.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index a5fa0b8fb0..ec362f7e6d 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2628,7 +2628,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + { + int a; + char *decode; +- size_t len;; ++ size_t len; + + *pszEncoding = NULL; + /* Copy the comment */ +@@ -2641,11 +2641,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) + * since we have no encoding support for the BOM yet we skip that. + */ +- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { ++ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) { + decode = "UCS-2BE"; + szValuePtr = szValuePtr+2; + ByteCount -= 2; +- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { ++ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) { + decode = "UCS-2LE"; + szValuePtr = szValuePtr+2; + ByteCount -= 2; @@ -148,7 +148,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.6.40 -Release: 11%{?dist} +Release: 12%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -225,6 +225,9 @@ Patch218: php-bug77950.patch Patch219: php-bug78069.patch Patch220: php-bug77988.patch Patch221: php-bug77967.patch +Patch222: php-bug78222.patch +Patch223: php-bug78256.patch +Patch224: php-bug77919.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1005,6 +1008,9 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch219 -p1 -b .bug78069 %patch220 -p1 -b .bug77988 %patch221 -p1 -b .bug77967 +%patch222 -p1 -b .bug78222 +%patch223 -p1 -b .bug78256 +%patch224 -p1 -b .bug77919 # Fixes for tests %patch300 -p1 -b .datetests @@ -2057,6 +2063,15 @@ EOF %changelog +* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12 +- exif: + Fix #78256 heap-buffer-overflow on exif_process_user_comment + CVE-2019-11042 + Fix #78222 heap-buffer-overflow on exif_scan_thumbnail + CVE-2019-11041 +- phar: + Fix #77919 Potential UAF in Phar RSHUTDOWN + * Tue Jul 2 2019 Remi Collet <remi@remirepo.net> - 5.6.40-11 - use oracle client library version 19.3 |