summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-03-05 08:49:47 +0100
committerRemi Collet <remi@remirepo.net>2019-03-05 08:49:47 +0100
commit9fcf313ce835b2433b6d1a2ad3644461cb706630 (patch)
tree2e8b49bff817498d36c600fe4afdde1f733e5486
parent85516dbd23e25135236ffb441d61dcdefd96eeaf (diff)
Fix #77630 rename() across the device may allow unwanted access during processing
-rw-r--r--php-bug77630.patch90
-rw-r--r--php56.spec8
2 files changed, 97 insertions, 1 deletions
diff --git a/php-bug77630.patch b/php-bug77630.patch
new file mode 100644
index 0000000..bc3f645
--- /dev/null
+++ b/php-bug77630.patch
@@ -0,0 +1,90 @@
+Backported to 5.6 from 7.1 by remi
+
+
+
+From e3133e4db70476fb7adfdedb738483e2255ce0e1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 2 Mar 2019 23:42:53 -0800
+Subject: [PATCH] Fix bug #77630 - safer rename() procedure
+
+In order to rename safer, we do the following:
+- set umask to 077 (unfortunately, not TS, so excluding ZTS)
+- chown() first, to set proper group before allowing group access
+- chmod() after, even if chown() fails
+---
+ main/streams/plain_wrapper.c | 51 ++++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
+index af890a9aa3bb..7fdf906e6fad 100644
+--- a/main/streams/plain_wrapper.c
++++ b/main/streams/plain_wrapper.c
+@@ -1126,34 +1126,51 @@ static int php_plain_files_rename(php_st
+ # ifdef EXDEV
+ if (errno == EXDEV) {
+ struct stat sb;
++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
++ /* not sure what to do in ZTS case, umask is not thread-safe */
++ int oldmask = umask(077);
++# endif
++ int success = 0;
+ if (php_copy_file(url_from, url_to TSRMLS_CC) == SUCCESS) {
+ if (VCWD_STAT(url_from, &sb) == 0) {
++ success = 1;
+ # if !defined(TSRM_WIN32) && !defined(NETWARE)
+- if (VCWD_CHMOD(url_to, sb.st_mode)) {
+- if (errno == EPERM) {
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- VCWD_UNLINK(url_from);
+- return 1;
+- }
++ /*
++ * Try to set user and permission info on the target.
++ * If we're not root, then some of these may fail.
++ * We try chown first, to set proper group info, relying
++ * on the system environment to have proper umask to not allow
++ * access to the file in the meantime.
++ */
++ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
+ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
++ if (errno != EPERM) {
++ success = 0;
++ }
+ }
+- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
+- if (errno == EPERM) {
++
++ if (success) {
++ if (VCWD_CHMOD(url_to, sb.st_mode)) {
+ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- VCWD_UNLINK(url_from);
+- return 1;
++ if (errno != EPERM) {
++ success = 0;
++ }
+ }
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
+ }
+ # endif
+- VCWD_UNLINK(url_from);
+- return 1;
++ if (success) {
++ VCWD_UNLINK(url_from);
++ }
++ } else {
++ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ }
++ } else {
++ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ }
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
++ umask(oldmask);
++# endif
++ return success;
+ }
+ # endif
+ #endif
diff --git a/php56.spec b/php56.spec
index e4c1a87..945c160 100644
--- a/php56.spec
+++ b/php56.spec
@@ -142,7 +142,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.6.40
-Release: 3%{?dist}
+Release: 4%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -205,6 +205,7 @@ Patch100: php-5.6.31-oci.patch
# Security fixes (200+)
Patch210: php-bug77540.patch
Patch211: php-bug77563.patch
+Patch213: php-bug77630.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -966,6 +967,7 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
# security patches
%patch210 -p1 -b .bug77540
%patch211 -p1 -b .bug77563
+%patch213 -p1 -b .bug77630
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1996,6 +1998,10 @@ EOF
%changelog
+* Tue Mar 5 2019 Remi Collet <remi@remirepo.net> - 5.6.40-4
+- Fix #77630 rename() across the device may allow unwanted access
+ during processing
+
* Mon Mar 4 2019 Remi Collet <remi@remirepo.net> - 5.6.40-3
- exif:
Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF