| author | Remi Collet <remi@remirepo.net> | 2019-05-28 09:44:37 +0200 | 
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2019-05-28 09:44:37 +0200 | 
| commit | 0f167a2d74cabee751a1df1ca46c9da24f77f67e (patch) | |
| tree | fffd907f1b7ea6c71261a5275e5081a626753106 | |
| parent | 6473f47b900bb9d2c3d7ba6fb7420a2c207b1524 (diff) | |
- iconv:
  Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
  CVE-2019-11039
- exif:
  Fix #77988 Heap-buffer-overflow on php_jpg_get16
  CVE-2019-11040
- sqlite3:
  Fix #77967 Bypassing open_basedir restrictions via file uris
| -rw-r--r-- | failed.txt | 2 | ||||
| -rw-r--r-- | php-bug77967.patch | 71 | ||||
| -rw-r--r-- | php-bug77988.patch | 59 | ||||
| -rw-r--r-- | php-bug78069.patch | 36 | ||||
| -rw-r--r-- | php70.spec | 18 | 
5 files changed, 184 insertions, 2 deletions
| @@ -1,4 +1,4 @@ -===== 7.0.33-8 (2019-04-30) +===== 7.0.33-9 (2019-05-28)  $ grep -r 'Tests failed' /var/lib/mock/*/build.log diff --git a/php-bug77967.patch b/php-bug77967.patch new file mode 100644 index 0000000..8d80aee --- /dev/null +++ b/php-bug77967.patch 
@@ -0,0 +1,71 @@ +From c7d9dee3b911ad6417a6c94dc91f7af7607b313e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 27 May 2019 18:04:00 -0700 +Subject: [PATCH] Fix bug #77967 - Bypassing open_basedir restrictions via file + uris + +(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216) +--- + NEWS                  | 15 +++++++++------ + ext/sqlite3/sqlite3.c |  9 +++++++++ + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/NEWS b/NEWS +index b6e18aa242..ede58a694e 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,16 +4,19 @@ PHP                                                                        NEWS + Backported from 7.1.30 +  + - EXIF: +-  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).  +-  (CVE-2019-11040) (Stas) ++  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). ++    (CVE-2019-11040) (Stas) +  + - GD: +   . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). +-  (CVE-2019-11038) (cmb) ++    (CVE-2019-11038) (cmb) +  + - Iconv: +   . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() +-  due to integer overflow). (CVE-2019-11039). (maris dot adam) ++    due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ ++- SQLite: ++  . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas) +  + Backported from 7.1.29 +  +@@ -26,8 +29,8 @@ Backported from 7.1.28 + - EXIF: +   . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034) +     (Stas) +-  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).  +-	(CVE-2019-11035) (Stas) ++  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). ++    (CVE-2019-11035) (Stas) +  + - SQLite3: +   . Added sqlite3.defensive INI directive. 
(BohwaZ) +diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c +index 5e6d9dd792..1753b27907 100644 +--- a/ext/sqlite3/sqlite3.c ++++ b/ext/sqlite3/sqlite3.c +@@ -2054,6 +2054,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar + 				} + #endif +  ++				if (strncmp(arg3, "file:", 5) == 0) { ++					/* starts with "file:" */ ++					if (!arg3[5]) { ++						return SQLITE_DENY; ++					} ++					if (php_check_open_basedir(arg3 + 5)) { ++						return SQLITE_DENY; ++					} ++				} + 				if (php_check_open_basedir(arg3)) { + 					return SQLITE_DENY; + 				} diff --git a/php-bug77988.patch b/php-bug77988.patch new file mode 100644 index 0000000..77dbc10 --- /dev/null +++ b/php-bug77988.patch 
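Review bot: In the php_sqlite3_authorizer hunk carried by php-bug77967.patch, the new branch hands the raw remainder `arg3 + 5` to php_check_open_basedir, so the check is only as strong as the assumption that everything after `file:` is already a plain filesystem path. SQLite URI filenames may also carry an authority part, a `?query` suffix and percent-escapes, and nothing in the hunk strips or decodes them, so the string that is checked may differ from the path SQLite finally opens. I would normalize the remainder before the check, or at least record the limitation next to it, e.g. `/* arg3 + 5 is the raw URI remainder: authority, query string and %-escapes are not normalized before the open_basedir check */`. The authorizer body starts and ends outside the hunk, so whether arg3 is normalized earlier cannot be confirmed from here.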
@@ -0,0 +1,59 @@ +Without test as binary patch not supported + + + + +From 205b94a281839a91d805af27b997331e76029a4b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 27 May 2019 17:16:29 -0700 +Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16 + +(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb) +--- + NEWS                         |  16 +++++++++++++++- + ext/exif/exif.c              |   2 ++ + ext/exif/tests/bug77988.jpg  | Bin 0 -> 1202 bytes + ext/exif/tests/bug77988.phpt |  11 +++++++++++ + 4 files changed, 28 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug77988.jpg + create mode 100644 ext/exif/tests/bug77988.phpt + +diff --git a/NEWS b/NEWS +index ebcd60c4be..b6e18aa242 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,20 @@ + PHP                                                                        NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +  ++Backported from 7.1.30 ++ ++- EXIF: ++  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).  ++  (CVE-2019-11040) (Stas) ++ ++- GD: ++  . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). ++  (CVE-2019-11038) (cmb) ++ ++- Iconv: ++  . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() ++  due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ + Backported from 7.1.29 +  + - EXIF +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index a9df95d554..dd7d268bbd 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3525,6 +3525,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + 		if (c == 0xFF) + 			return FALSE; + 		marker = c; ++		if (pos>=ImageInfo->Thumbnail.size) ++			return FALSE; + 		length = php_jpg_get16(data+pos); + 		if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { + 			return FALSE; + diff --git a/php-bug78069.patch b/php-bug78069.patch new file mode 100644 index 0000000..2e816c9 
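Review bot: The guard added to exif_scan_thumbnail in php-bug77988.patch, `if (pos>=ImageInfo->Thumbnail.size)`, only proves that the single byte at `data+pos` is in range, while the very next line calls `php_jpg_get16(data+pos)`, which by its name reads a 16-bit value. If that helper reads two bytes (its definition is not in the hunk), `pos == ImageInfo->Thumbnail.size - 1` still reads one byte past the thumbnail buffer. A bound that covers both bytes would be `if (pos + 1 >= ImageInfo->Thumbnail.size)`. The new `if` is also unbraced while the length check right after it uses braces; the function continues outside the hunk.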
--- /dev/null +++ b/php-bug78069.patch @@ -0,0 +1,36 @@ +Without test as binary patch not supported + + + + +From 17d5e269dabc704c1cf24ebb03056142e28c9bfe Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 27 May 2019 16:32:42 -0700 +Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in + iconv.c:_php_iconv_mime_decode() due to integer overflow + +(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac) +--- + ext/iconv/iconv.c             |   4 +++- + ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes + ext/iconv/tests/bug78069.phpt |  15 +++++++++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + create mode 100644 ext/iconv/tests/bug78069.data + create mode 100644 ext/iconv/tests/bug78069.phpt + +diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c +index ea619aa227..06145348f2 100644 +--- a/ext/iconv/iconv.c ++++ b/ext/iconv/iconv.c +@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st + 							 * we can do at this point. */ + 							if (*(p1 + 1) == '=') { + 								++p1; +-								--str_left; ++								if (str_left > 1) { ++									--str_left; ++								} + 							} +  + 							err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); + @@ -112,7 +112,7 @@  Summary: PHP scripting language for creating dynamic web sites  Name: php  Version: %{upver}%{?rcver:~%{rcver}} -Release: 8%{?dist} +Release: 9%{?dist}  # All files licensed under PHP version 3.01, except  # Zend is licensed under Zend  # TSRM is licensed under BSD @@ -190,6 +190,9 @@ Patch215: php-sqlite3-defensive.patch  Patch216: php-bug77753.patch  Patch217: php-bug77831.patch  Patch218: php-bug77950.patch +Patch219: php-bug78069.patch +Patch220: php-bug77988.patch +Patch221: php-bug77967.patch  # Fixes for tests (300+)  # Factory is droped from system tzdata 
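Review bot: In the _php_iconv_mime_decode hunk carried by php-bug78069.patch, the new `if (str_left > 1)` protects only the counter: `*(p1 + 1)` is still read and `++p1` still executed before the remaining length is consulted. When `str_left` is 1 the pointer advances without the counter, so the two no longer describe the same position for whatever code follows outside the hunk. Testing the length in the outer condition, `if (str_left > 1 && *(p1 + 1) == '=') {`, would keep them in step and avoid the look-ahead read at the end of input. If the look-ahead is intentionally relying on a terminating NUL, a one-line comment saying so would help. The surrounding loop is not visible here, so this should be confirmed against the full function.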
@@ -1062,6 +1065,9 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi  %patch216 -p1 -b .bug77753  %patch217 -p1 -b .bug77831  %patch218 -p1 -b .bug77950 +%patch219 -p1 -b .bug78069 +%patch220 -p1 -b .bug77988 +%patch221 -p1 -b .bug77967  # Fixes for tests  %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 @@ -2099,6 +2105,16 @@ fi  %changelog +* Tue May 28 2019 Remi Collet <remi@remirepo.net> - 7.0.33-9 +- iconv: +  Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() +  CVE-2019-11039 +- exif: +  Fix #77988 Heap-buffer-overflow on php_jpg_get16 +  CVE-2019-11040 +- sqlite3: +  Fix #77967 Bypassing open_basedir restrictions via file uris +  * Tue Apr 30 2019 Remi Collet <remi@remirepo.net> - 7.0.33-8  - exif:    Fix #77950 Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG | 
