diff options
| author | Remi Collet <remi@remirepo.net> | 2019-12-17 17:00:58 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2019-12-17 17:00:58 +0100 |
| commit | 5155e7af6ac73b0e341a5c42d1dcee4d2f13ee24 (patch) | |
| tree | 3e4a58f8e73e87866a134d97dc709180881717ba /php-bug78862.patch | |
| parent | 91fb9e67870e51cc69fd08e588a153c5f7e186ed (diff) | |
- bcmath:
Fix #78878 Buffer underflow in bc_shift_addsub
CVE-2019-11046
- core:
Fix #78862 link() silently truncates after a null byte on Windows
CVE-2019-11044
Fix #78863 DirectoryIterator class silently truncates after a null byte
CVE-2019-11045
- exif
Fix #78793 Use-after-free in exif parsing under memory sanitizer
CVE-2019-11050
Fix #78910 Heap-buffer-overflow READ in exif
CVE-2019-11047
- use oracle client library version 19.5 (18.5 on EL-6)
Diffstat (limited to 'php-bug78862.patch')
| -rw-r--r-- | php-bug78862.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/php-bug78862.patch b/php-bug78862.patch new file mode 100644 index 0000000..1ecc1f5 --- /dev/null +++ b/php-bug78862.patch @@ -0,0 +1,68 @@ +From 76a8b07ed74add68c52ed1a5399416ff267cef88 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 17 Dec 2019 10:53:47 +0100 +Subject: [PATCH] Fix #78862: link() silently truncates after a null byte on + Windows + +Since link() is supposed to accepts paths (i.e. strings without NUL +bytes), we must not accept arbitrary strings. + +(cherry picked from commit 0e6c0654ed06751ced134515f7629c40bd979d7f) +--- + NEWS | 4 ++++ + ext/standard/link_win32.c | 2 +- + .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt + +diff --git a/NEWS b/NEWS +index 29fcce8947..02cd502c8c 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,10 @@ Backported from 7.2.26 + . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046). + (cmb) + ++- Core: ++ . Fixed bug #78862 (link() silently truncates after a null byte on Windows). ++ (CVE-2019-11044). (cmb) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c +index 0068a3edb1..c6133c7ef6 100644 +--- a/ext/standard/link_win32.c ++++ b/ext/standard/link_win32.c +@@ -208,7 +208,7 @@ PHP_FUNCTION(link) + + /*First argument to link function is the target and hence should go to frompath + Second argument to link function is the link itself and hence should go to topath */ +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { + return; + } + +diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt +new file mode 100644 +index 0000000000..33b4b49293 +--- /dev/null ++++ b/ext/standard/tests/file/windows_links/bug78862.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #78862 (link() silently truncates after a null byte on Windows) ++--FILE-- ++<?php ++file_put_contents(__DIR__ . '/bug78862.target', 'foo'); ++var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more")); ++var_dump(file_exists(__DIR__ . '/bug78862.link')); ++?> ++--EXPECTF-- ++Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d ++NULL ++bool(false) ++--CLEAN-- ++<?php ++unlink(__DIR__ . '/bug78862.target'); ++unlink(__DIR__ . '/bug78862.link'); ++?> |