author | Remi Collet <remi@remirepo.net> | 2020-01-21 10:13:56 +0100 |
committer | Remi Collet <remi@remirepo.net> | 2020-01-21 10:13:56 +0100 |
commit | fe7e497fe0ca7b736680b115b110344d42e5c8b1 (patch) | |
tree | 642de630d2f0c184bb1752d402836e26b8b46d43 | |
parent | 5155e7af6ac73b0e341a5c42d1dcee4d2f13ee24 (diff) |
mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
CVE-2020-7060
standard:
Fix #79099 OOB read in php_strip_tags_ex
CVE-2020-7059
-rw-r--r-- | failed.txt | 6 | ||||
-rw-r--r-- | php-bug79037.patch | 93 | ||||
-rw-r--r-- | php-bug79099.patch | 81 | ||||
-rw-r--r-- | php70.spec | 14 |
4 files changed, 189 insertions, 5 deletions
@@ -1,14 +1,12 @@ -===== 7.0.33-13 (2019-08-28) +===== 7.0.33-16 (2020-01-21) $ grep -r 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el6i/build.log:Tests failed : 0 -/var/lib/mock/el6x/build.log:Tests failed : 1 +/var/lib/mock/el6x/build.log:Tests failed : 0 /var/lib/mock/el7x/build.log:Tests failed : 1 -el6x: - 1 php://input is empty when enable_post_data_reading=Off [tests/basic/bug67198.phpt] el7x: Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt] diff --git a/php-bug79037.patch b/php-bug79037.patch new file mode 100644 index 0000000..65d9a39 --- /dev/null +++ b/php-bug79037.patch 
@@ -0,0 +1,93 @@ +From 8abd64d9c5999d42b8e93ab21e84911ec4ca751e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jan 2020 21:42:44 -0800 +Subject: [PATCH] Fix bug #79037 (global buffer-overflow in + `mbfl_filt_conv_big5_wchar`) + +(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501) +--- + ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++----- + ext/mbstring/tests/bug79037.phpt | 10 ++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + create mode 100644 ext/mbstring/tests/bug79037.phpt + +diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +index 122ff4c778..657eb98aa5 100644 +--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c ++++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = { + {0xf70f,0xf848,0xc740,0xc8fe}, + }; + ++static inline int is_in_cp950_pua(int c1, int c) { ++ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || ++ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) { ++ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe); ++ } ++ if (c1 == 0xc6) { ++ return c >= 0xa1 && c <= 0xfe; ++ } ++ return 0; ++} ++ + /* + * Big5 => wchar + */ +@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter) + + if (filter->from->no_encoding == mbfl_no_encoding_cp950) { + /* PUA for CP950 */ +- if (w <= 0 && +- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || +- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8)) +- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) || +- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) { ++ if (w <= 0 && is_in_cp950_pua(c1, c)) { + c2 = c1 << 8 | c; + for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) { + if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) { +diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt +new file mode 
100644 +index 0000000000..94ff01a4a1 +--- /dev/null ++++ b/ext/mbstring/tests/bug79037.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` ++--FILE-- ++<?php ++ ++var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950")); ++ ++?> ++--EXPECT-- ++string(1) "?" +From 2f7a097fb2ad1020a179e596f9ee18b02d0d90ae Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 21 Jan 2020 09:36:28 +0100 +Subject: [PATCH] update NEWS + +--- + NEWS | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/NEWS b/NEWS +index ba237b8e33..a1dc8a81c3 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,15 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.27 ++ ++- Mbstring: ++ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). ++ (CVE-2020-7060) (Nikita) ++ ++- Standard: ++ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb) ++ + Backported from 7.2.26 + + - Bcmath: diff --git a/php-bug79099.patch b/php-bug79099.patch new file mode 100644 index 0000000..c0b5e72 --- /dev/null +++ b/php-bug79099.patch 
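Review bot: The new `is_in_cp950_pua` helper in the php-bug79037.patch hunk carries no comment recording why the trail-byte lower bound is 0x40, even though that bound is the actual fix (the removed condition accepted `c > 0x39`, i.e. 0x3a..0x3f, and the new test feeds exactly `\x81\x3a`), so a later cleanup could widen it back without noticing it reintroduces the out-of-bounds read. I would add above the helper: `/* Lead/trail byte ranges that have rows in cp950_pua_tbl; the trail byte must be 0x40..0x7e or 0xa1..0xfe — 0x3a..0x3f was accepted before and, per bug #79037 / CVE-2020-7060, drove the table lookup below past its end */`. Style: the spacing in `return (c >=0x40 && c <= 0x7e) || ...` differs from every other comparison in the helper; `return (c >= 0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);`. The caller `mbfl_filt_conv_big5_wchar` starts and ends outside the hunk, so whether the `w <= 0` test already covers every other table path is not visible here.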
@@ -0,0 +1,81 @@ +From 89084ce9e34ed38403f8cbb5d67e6299f1b1ab60 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jan 2020 21:33:17 -0800 +Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex + +(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09) +--- + ext/standard/string.c | 6 ++--- + ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/file/bug79099.phpt + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index a8b39ee615..c4b5e031ed 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -4757,7 +4757,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + if (state == 4) { + /* Inside <!-- comment --> */ + break; +- } else if (state == 2 && *(p-1) != '\\') { ++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { + if (lc == c) { + lc = '\0'; + } else if (lc != '\\') { +@@ -4784,7 +4784,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '!': + /* JavaScript & Other HTML scripting languages */ +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + state = 3; + lc = c; + } else { +@@ -4811,7 +4811,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '?': + +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + br=0; + state=2; + break; +diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt +new file mode 100644 +index 0000000000..7c842f4654 +--- /dev/null ++++ b/ext/standard/tests/file/bug79099.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #79099 (OOB read in php_strip_tags_ex) ++--FILE-- ++<?php ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<?\n\"\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); 
++fclose($stream); ++ ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<\0\n!\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++ ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<\0\n?\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++?> ++--EXPECT-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" @@ -118,7 +118,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 15%{?dist} +Release: 16%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -210,6 +210,8 @@ Patch229: php-bug78862.patch Patch230: php-bug78863.patch Patch231: php-bug78793.patch Patch232: php-bug78910.patch +Patch233: php-bug79099.patch +Patch234: php-bug79037.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1097,6 +1099,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch230 -p1 -b .bug78863 %patch231 -p1 -b .bug78793 %patch232 -p1 -b .bug78910 +%patch233 -p1 -b .bug79099 +%patch234 -p1 -b .bug79037 # Fixes for tests %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 @@ -2131,6 +2135,14 @@ fi %changelog +* Tue Jan 21 2020 Remi Collet <remi@remirepo.net> - 7.0.33-16 +- mbstring: + Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar + CVE-2020-7060 +- standard: + Fix #79099 OOB read in php_strip_tags_ex + CVE-2020-7059 + * Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 7.0.33-15 - bcmath: Fix #78878 Buffer underflow in bc_shift_addsub |
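Review bot: The three new guards in php_strip_tags_ex in the php-bug79099.patch hunk spell the bound as `p >= buf + 1`, which is the same as `p > buf` and reads more directly as "not at the first byte"; e.g. `} else if (state == 2 && p > buf && *(p-1) != '\\') {` and likewise in the `'!'` and `'?'` cases. Nothing at the guard says why it exists, so a one-line comment at the first site would help: `/* p == buf has no previous byte; the unguarded *(p-1) read before the buffer (bug #79099, CVE-2020-7059) */`. Note that when `p == buf` the `state == 2` condition now evaluates false and control drops into the following `else` chain, which lies outside the hunk; whether that fallback is the intended treatment of a quote as the first byte should be confirmed against the rest of the switch. The function body begins and ends outside this hunk.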