From e78f08a5c94a4e0c2b77cb8a545e333068ebbe95 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 9 Jan 2019 15:17:00 +0100 Subject: - core: Fix #77369 memcpy with negative length via crafted DNS response - mbstring: Fix #77370 buffer overflow on mb regex functions - fetch_token Fix #77371 heap buffer overflow in mb regex functions compile_string_node Fix #77381 heap buffer overflow in multibyte match_at Fix #77382 heap buffer overflow in expand_case_fold_string Fix #77385 buffer overflow in fetch_token Fix #77394 buffer overflow in multibyte case folding - unicode Fix #77418 heap overflow in utf32be_mbc_to_code - phar: Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc: Fix #77242 heap out of bounds read in xmlrpc_decode Fix #77380 global out of bounds read in xmlrpc base64 code --- failed.txt | 2 +- php-bug77242.patch | 45 +++++++++++ php-bug77247.patch | 49 ++++++++++++ php-bug77369.patch | 42 ++++++++++ php-bug77370.patch | 66 ++++++++++++++++ php-bug77371.patch | 41 ++++++++++ php-bug77380.patch | 57 ++++++++++++++ php-bug77381.patch | 158 ++++++++++++++++++++++++++++++++++++++ php-bug77418.patch | 103 +++++++++++++++++++++++++ php-openssl-cert.patch | 203 +++++++++++++++++++++++++++++++++++++++++++++++++ php70.spec | 37 ++++++++- 11 files changed, 801 insertions(+), 2 deletions(-) create mode 100644 php-bug77242.patch create mode 100644 php-bug77247.patch create mode 100644 php-bug77369.patch create mode 100644 php-bug77370.patch create mode 100644 php-bug77371.patch create mode 100644 php-bug77380.patch create mode 100644 php-bug77381.patch create mode 100644 php-bug77418.patch create mode 100644 php-openssl-cert.patch diff --git a/failed.txt b/failed.txt index 969bdf0..702c1d2 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -===== 7.0.33 (2018-12-06) +===== 7.0.33-2 (2019-01-10) $ grep -r 'Tests failed' /var/lib/mock/*/build.log diff --git a/php-bug77242.patch b/php-bug77242.patch new file mode 100644 index 0000000..b6afc78 --- /dev/null +++ b/php-bug77242.patch @@ -0,0 +1,45 @@ +Backported for 7.0 by Remi + + +From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 17:56:36 -0800 +Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) + +--- + ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++ + ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++ + 2 files changed, 13 insertions(+) + create mode 100644 ext/xmlrpc/tests/bug77242.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c +index 56642d46142e..eeec5379bf68 100644 +--- a/ext/xmlrpc/libxmlrpc/xml_element.c ++++ b/ext/xmlrpc/libxmlrpc/xml_element.c +@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI + long byte_idx = XML_GetCurrentByteIndex(parser); + /* int byte_total = XML_GetCurrentByteCount(parser); */ + const char * error_str = XML_ErrorString(err_code); ++ if(byte_idx > len) { ++ byte_idx = len; ++ } + if(byte_idx >= 0) { + snprintf(buf, + sizeof(buf), +diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt +new file mode 100644 +index 000000000000..542c06311f74 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77242.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77242 (heap out of bounds read in xmlrpc_decode()) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++NULL +\ No newline at end of file diff --git a/php-bug77247.patch b/php-bug77247.patch new file mode 100644 index 0000000..6a2c8b4 --- /dev/null +++ b/php-bug77247.patch @@ -0,0 +1,49 @@ +Backported for 7.0 by Remi + + +From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 18:25:37 -0800 +Subject: [PATCH] Fix bug #77247 (heap buffer overflow in + phar_detect_phar_fname_ext) + +--- + ext/phar/phar.c | 2 +- + ext/phar/tests/bug77247.phpt | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug77247.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 82a9ef31943a..0d2173195c32 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha + } + + while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { +- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); ++ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); + if (!pos) { + return FAILURE; + } +diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt +new file mode 100644 +index 000000000000..588975f9f2f8 +--- /dev/null ++++ b/ext/phar/tests/bug77247.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++OK +\ No newline at end of file diff --git a/php-bug77369.patch b/php-bug77369.patch new file mode 100644 index 0000000..21fb348 --- /dev/null +++ b/php-bug77369.patch @@ -0,0 +1,42 @@ +Backported for 7.0 by Remi + + +From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 20:39:08 -0800 +Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS + response + +--- + ext/standard/dns.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 8e102f816f6e..b5fbcb96f968 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u + GETLONG(ttl, cp); + GETSHORT(dlen, cp); + CHECKCP(dlen); ++ if (dlen == 0) { ++ /* No data in the response - nothing to do */ ++ return NULL; ++ } + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -549,7 +553,12 @@ static u_char *php_parserr(u_char *cp, u + CHECKCP(n); + add_assoc_stringl(subarray, "tag", (char*)cp, n); + cp += n; +- add_assoc_string(subarray, "value", (char*)cp); ++ if ( (size_t) dlen < ((size_t)n) + 2 ) { ++ return NULL; ++ } ++ n = dlen - n - 2; ++ CHECKCP(n); ++ add_assoc_stringl(subarray, "value", (char*)cp, n); + break; + case DNS_T_TXT: + { diff --git a/php-bug77370.patch b/php-bug77370.patch new file mode 100644 index 0000000..b85944a --- /dev/null +++ b/php-bug77370.patch @@ -0,0 +1,66 @@ +From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 19:51:24 -0800 +Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end + when parsing multibytes + +--- + ext/mbstring/oniguruma/regparse.c | 9 +++++++++ + ext/mbstring/tests/bug77370.phpt | 13 +++++++++++++ + 2 files changed, 22 insertions(+) + create mode 100644 ext/mbstring/tests/bug77370.phpt + +diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c +index d2925f1e81b0..252ca1871202 100644 +--- a/ext/mbstring/oniguruma/regparse.c ++++ b/ext/mbstring/oniguruma/regparse.c +@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + } + #endif + ++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) ++# define UNEXPECTED(condition) __builtin_expect(condition, 0) ++#else ++# define UNEXPECTED(condition) (condition) ++#endif ++ + /* scan pattern methods */ + #define PEND_VALUE 0 + +@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + c = ONIGENC_MBC_TO_CODE(enc, p, end); \ + pfetch_prev = p; \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + + #define PINC_S do { \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + #define PFETCH_S(c) do { \ + c = ONIGENC_MBC_TO_CODE(enc, p, end); \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + + #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE) +diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt +new file mode 100644 +index 000000000000..c4d25582fe3b +--- /dev/null ++++ b/ext/mbstring/tests/bug77370.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #77370 (Buffer overflow on mb regex functions - fetch_token) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(0) "" ++} diff --git a/php-bug77371.patch b/php-bug77371.patch new file mode 100644 index 0000000..e574827 --- /dev/null +++ b/php-bug77371.patch @@ -0,0 +1,41 @@ +From c6e34d91b88638966662caac62c4d0e90538e317 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 20:06:08 -0800 +Subject: [PATCH] Fix bug #77371 (heap buffer overflow in mb regex functions - + compile_string_node) + +--- + ext/mbstring/oniguruma/regcomp.c | 1 + + ext/mbstring/tests/bug77371.phpt | 10 ++++++++++ + 2 files changed, 11 insertions(+) + create mode 100644 ext/mbstring/tests/bug77371.phpt + +diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c +index b93ca948a773..c72d65d6942f 100644 +--- a/ext/mbstring/oniguruma/regcomp.c ++++ b/ext/mbstring/oniguruma/regcomp.c +@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg) + + for (; p < end; ) { + len = enclen(enc, p); ++ if (p + len > end) len = end - p; + if (len == prev_len) { + slen++; + } +diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt +new file mode 100644 +index 000000000000..f23445bd0917 +--- /dev/null ++++ b/ext/mbstring/tests/bug77371.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++bool(false) +\ No newline at end of file diff --git a/php-bug77380.patch b/php-bug77380.patch new file mode 100644 index 0000000..4aea7b5 --- /dev/null +++ b/php-bug77380.patch @@ -0,0 +1,57 @@ +From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 1 Jan 2019 17:15:20 -0800 +Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64 + code) + +--- + ext/xmlrpc/libxmlrpc/base64.c | 4 ++-- + ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug77380.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c +index 5ebdf31f7ade..a4fa19327b76 100644 +--- a/ext/xmlrpc/libxmlrpc/base64.c ++++ b/ext/xmlrpc/libxmlrpc/base64.c +@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length) + + while (!hiteof) { + unsigned char igroup[3], ogroup[4]; +- int c, n; ++ int c, n; + + igroup[0] = igroup[1] = igroup[2] = 0; + for (n = 0; n < 3; n++) { +@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) + return; + } + +- if (dtable[c] & 0x80) { ++ if (dtable[(unsigned char)c] & 0x80) { + /* + fprintf(stderr, "Offset %i length %i\n", offset, length); + fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); +diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt +new file mode 100644 +index 000000000000..8559c07a5aea +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77380.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #77380 (Global out of bounds read in xmlrpc base64 code) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++object(stdClass)#1 (2) { ++ ["scalar"]=> ++ string(0) "" ++ ["xmlrpc_type"]=> ++ string(6) "base64" ++} diff --git a/php-bug77381.patch b/php-bug77381.patch new file mode 100644 index 0000000..7494049 --- /dev/null +++ b/php-bug77381.patch @@ -0,0 +1,158 @@ +From 31f59e1f3074ab344b473dde6077a6844ca87264 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 2 Jan 2019 00:36:30 -0800 +Subject: [PATCH] Fix more issues with encodilng length + +Should fix bug #77381, bug #77382, bug #77385, bug #77394. +--- + ext/mbstring/oniguruma/enc/unicode.c | 1 + + ext/mbstring/oniguruma/regcomp.c | 11 +++++------ + ext/mbstring/oniguruma/regparse.c | 10 +++------- + ext/mbstring/oniguruma/regparse.h | 12 ++++++++++++ + ext/mbstring/tests/bug77371.phpt | 2 +- + ext/mbstring/tests/bug77381.phpt | 16 ++++++++++++++++ + 6 files changed, 38 insertions(+), 14 deletions(-) + create mode 100644 ext/mbstring/tests/bug77381.phpt + +diff --git a/ext/mbstring/oniguruma/enc/unicode.c b/ext/mbstring/oniguruma/enc/unicode.c +index e13429f51e9c..9f86095896b6 100644 +--- a/ext/mbstring/oniguruma/enc/unicode.c ++++ b/ext/mbstring/oniguruma/enc/unicode.c +@@ -10989,6 +10989,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc, + + code = ONIGENC_MBC_TO_CODE(enc, p, end); + len = enclen(enc, p); ++ if (*pp + len > end) len = end - *pp; + *pp += len; + + #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI +diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c +index c72d65d6942f..820257341f54 100644 +--- a/ext/mbstring/oniguruma/regcomp.c ++++ b/ext/mbstring/oniguruma/regcomp.c +@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, regex_t* reg) + ambig = NSTRING_IS_AMBIG(node); + + p = prev = sn->s; +- prev_len = enclen(enc, p); ++ SAFE_ENC_LEN(enc, p, sn->end, prev_len); + p += prev_len; + slen = 1; + rlen = 0; + + for (; p < sn->end; ) { +- len = enclen(enc, p); ++ SAFE_ENC_LEN(enc, p, sn->end, len); + if (len == prev_len) { + slen++; + } +@@ -518,13 +518,12 @@ compile_string_node(Node* node, regex_t* reg) + ambig = NSTRING_IS_AMBIG(node); + + p = prev = sn->s; +- prev_len = enclen(enc, p); ++ SAFE_ENC_LEN(enc, p, end, prev_len); + p += prev_len; + slen = 1; + + for (; p < end; ) { +- len = enclen(enc, p); +- if (p + len > end) len = end - p; ++ SAFE_ENC_LEN(enc, p, end, len); + if (len == prev_len) { + slen++; + } +@@ -3391,7 +3390,7 @@ expand_case_fold_string(Node* node, regex_t* reg) + goto err; + } + +- len = enclen(reg->enc, p); ++ SAFE_ENC_LEN(reg->enc, p, end, len); + + if (n == 0) { + if (IS_NULL(snode)) { +diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c +index 252ca1871202..fcfaf4378c06 100644 +--- a/ext/mbstring/oniguruma/regparse.c ++++ b/ext/mbstring/oniguruma/regparse.c +@@ -246,12 +246,6 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + } + #endif + +-#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) +-# define UNEXPECTED(condition) __builtin_expect(condition, 0) +-#else +-# define UNEXPECTED(condition) (condition) +-#endif +- + /* scan pattern methods */ + #define PEND_VALUE 0 + +@@ -3589,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) + tok->u.code = (OnigCodePoint )num; + } + else { /* string */ +- p = tok->backp + enclen(enc, tok->backp); ++ int len; ++ SAFE_ENC_LEN(enc, tok->backp, end, len); ++ p = tok->backp + len; + } + break; + } +diff --git a/ext/mbstring/oniguruma/regparse.h b/ext/mbstring/oniguruma/regparse.h +index 0c5c2c936c04..bcab03ed5892 100644 +--- a/ext/mbstring/oniguruma/regparse.h ++++ b/ext/mbstring/oniguruma/regparse.h +@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex_t*); + #endif + #endif + ++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) ++# define UNEXPECTED(condition) __builtin_expect(condition, 0) ++#else ++# define UNEXPECTED(condition) (condition) ++#endif ++ ++#define SAFE_ENC_LEN(enc, p, end, res) do { \ ++ int __res = enclen(enc, p); \ ++ if (UNEXPECTED(p + __res > end)) __res = end - p; \ ++ res = __res; \ ++} while(0); ++ + #endif /* REGPARSE_H */ +diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt +index f23445bd0917..33e5fc115c96 100644 +--- a/ext/mbstring/tests/bug77371.phpt ++++ b/ext/mbstring/tests/bug77371.phpt +@@ -4,7 +4,7 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) + + --FILE-- + + --EXPECT-- + bool(false) +\ No newline at end of file +diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt +new file mode 100644 +index 000000000000..cb83759fc09b +--- /dev/null ++++ b/ext/mbstring/tests/bug77381.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #77381 (heap buffer overflow in multibyte match_at) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++int(1) ++bool(false) ++bool(false) ++bool(false) diff --git a/php-bug77418.patch b/php-bug77418.patch new file mode 100644 index 0000000..7810cf6 --- /dev/null +++ b/php-bug77418.patch @@ -0,0 +1,103 @@ +From 9d6c59eeea88a3e9d7039cb4fed5126ef704593a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 6 Jan 2019 23:31:15 -0800 +Subject: [PATCH] Fix bug #77418 - Heap overflow in utf32be_mbc_to_code + +--- + NEWS | 7 ++++--- + ext/mbstring/oniguruma/enc/utf16_be.c | 4 +++- + ext/mbstring/oniguruma/enc/utf16_le.c | 3 ++- + ext/mbstring/oniguruma/enc/utf32_be.c | 1 + + ext/mbstring/oniguruma/enc/utf32_le.c | 1 + + ext/mbstring/tests/bug77418.phpt | 14 ++++++++++++++ + 6 files changed, 25 insertions(+), 5 deletions(-) + create mode 100644 ext/mbstring/tests/bug77418.phpt + +diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c +index 1e909ebbf293..9e2f73b0735e 100644 +--- a/ext/mbstring/oniguruma/enc/utf16_be.c ++++ b/ext/mbstring/oniguruma/enc/utf16_be.c +@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++utf16be_mbc_to_code(const UChar* p, const UChar* end) + { + OnigCodePoint code; + + if (UTF16_IS_SURROGATE_FIRST(*p)) { ++ if (end - p < 4) return 0; + code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16) + + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8) + + p[3]; + } + else { ++ if (end - p < 2) return 0; + code = p[0] * 256 + p[1]; + } + return code; +diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c +index 5cc07591173a..580f8dffa2f4 100644 +--- a/ext/mbstring/oniguruma/enc/utf16_le.c ++++ b/ext/mbstring/oniguruma/enc/utf16_le.c +@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++utf16le_mbc_to_code(const UChar* p, const UChar* end) + { + OnigCodePoint code; + UChar c0 = *p; + UChar c1 = *(p+1); + + if (UTF16_IS_SURROGATE_FIRST(c1)) { ++ if (end - p < 4) return 0; + code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16) + + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8) + + p[2]; +diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c +index b4f822607c89..5295f26b1e59 100644 +--- a/ext/mbstring/oniguruma/enc/utf32_be.c ++++ b/ext/mbstring/oniguruma/enc/utf32_be.c +@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end) + static OnigCodePoint + utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + { ++ if (end - p < 4) return 0; + return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]); + } + +diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c +index 8f413bfc74e1..a78c4d0abcc7 100644 +--- a/ext/mbstring/oniguruma/enc/utf32_le.c ++++ b/ext/mbstring/oniguruma/enc/utf32_le.c +@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end) + static OnigCodePoint + utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + { ++ if (end - p < 4) return 0; + return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]); + } + +diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt +new file mode 100644 +index 000000000000..b4acc45c2117 +--- /dev/null ++++ b/ext/mbstring/tests/bug77418.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #77371 (Heap overflow in utf32be_mbc_to_code) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(30) "000000000000000000000000000000" ++} diff --git a/php-openssl-cert.patch b/php-openssl-cert.patch new file mode 100644 index 0000000..adea20c --- /dev/null +++ b/php-openssl-cert.patch @@ -0,0 +1,203 @@ +From f51062523d03911cc141507112e3ce14b41f73a2 Mon Sep 17 00:00:00 2001 +From: Alexander Kurilo +Date: Mon, 31 Dec 2018 12:19:36 +0300 +Subject: [PATCH] Regenerate certs for openssl tests + +--- + ext/openssl/tests/bug54992-ca.pem | 54 +++++++++--------- + ext/openssl/tests/bug54992.pem | 28 ++++----- + ext/openssl/tests/bug54992.phpt | 42 ++++++++++++++ + ext/openssl/tests/bug65538.phar | Bin 11278 -> 11278 bytes + .../tests/openssl_peer_fingerprint_basic.phpt | 11 +++- + 5 files changed, 91 insertions(+), 44 deletions(-) + +diff --git a/ext/openssl/tests/bug54992-ca.pem b/ext/openssl/tests/bug54992-ca.pem +index ac139176aa53..743a11e8fde6 100644 +--- a/ext/openssl/tests/bug54992-ca.pem ++++ b/ext/openssl/tests/bug54992-ca.pem +@@ -1,35 +1,35 @@ + -----BEGIN CERTIFICATE----- +-MIIGAzCCA+ugAwIBAgIUVL06vQzqQ1uRdJ7NAAZyylsKOpYwDQYJKoZIhvcNAQEL ++MIIGAzCCA+ugAwIBAgIUZ7ZvvfVqSEf1EswMT9LfMIPc/U8wDQYJKoZIhvcNAQEL + BQAwgZAxCzAJBgNVBAYTAlBUMQ8wDQYDVQQIDAZMaXNib2ExDzANBgNVBAcMBkxp + c2JvYTEXMBUGA1UECgwOUEhQIEZvdW5kYXRpb24xHjAcBgNVBAMMFVJvb3QgQ0Eg + Zm9yIFBIUCBUZXN0czEmMCQGCSqGSIb3DQEJARYXaW50ZXJuYWxzQGxpc3RzLnBo +-cC5uZXQwHhcNMTgxMjAxMjEzNTUwWhcNMTgxMjMxMjEzNTUwWjCBkDELMAkGA1UE ++cC5uZXQwHhcNMTgxMjMxMDg0NDU3WhcNMjAwMjA0MDg0NDU3WjCBkDELMAkGA1UE + BhMCUFQxDzANBgNVBAgMBkxpc2JvYTEPMA0GA1UEBwwGTGlzYm9hMRcwFQYDVQQK + DA5QSFAgRm91bmRhdGlvbjEeMBwGA1UEAwwVUm9vdCBDQSBmb3IgUEhQIFRlc3Rz + MSYwJAYJKoZIhvcNAQkBFhdpbnRlcm5hbHNAbGlzdHMucGhwLm5ldDCCAiIwDQYJ +-KoZIhvcNAQEBBQADggIPADCCAgoCggIBANVgTLlHH3bNkxx+XA1xhr842rf+lP5A +-XDhM5N9vRCXs/6FAB6iFAfnR+YVgcHD/ppgrrOlAIf6QF2J9EOA4h9oOtCrbhC9y +-3uKT/dnPWpa39NAdHDJMl2GndulhfyNzXoPmHR+UmVl8RIwJa2yzq8kfI28VZOdG +-4oW+L8hybO1r+7kewnI/3TQme+yxRMtI/RDAneBPUu4yx+VTy6gP1R7PMwEnMgLC +-msdBEJh2FR2rjboejZiBAHRG5cWbmRlYV0ApDZAgaKbKGCgken7FF9mImduv7c9H +-pHkSKAFdt5hYaeJJy48lh5wC7gMjBo62WKUnBqnV1gBBniWSfsgfNJKPV5a3EO32 +-7KinHzzCH4V1C8tCU26om0CoRI+Bm/dpnwuDZWELzMnnyAeCmGWnPi2s/+QaWwKC +-sMXn0+3CFYtlZ+zEZm0KB10RMypRLhn9md9/TfxJNNjDIHCMCLJkxyxFnYOWqtCd +-zAA09r117AgM3tbRYY9NYvNzLw5hnPs2W3gB4vrUzqBcgdfIdVaE1QUyy8rWjMNI +-fIVJVFeyN2mcg3JQw2WmKINDQJWZxXFJR9BPgISpR93BF5zIfGZSSRPuBXaXQ6j/ +-9aw+fnA8asietOL2wGa60zqX1WKopNYvRlt6CCIYkFcfRRkoEjcMRpyVsSn2U9Dd +-pFlDHq9iE6SLAgMBAAGjUzBRMB0GA1UdDgQWBBQKZYIWtrUo8Iv5zBWfBn40D7p9 +-1DAfBgNVHSMEGDAWgBQKZYIWtrUo8Iv5zBWfBn40D7p91DAPBgNVHRMBAf8EBTAD +-AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAEJhZ6mMgRUJGF4dM5r+SfrwCTbNGDJkFz +-DSbeb6WMTtvzL1g2P5zHQ0OvlX+mvmqCRXM40sUFMHDLCQzIgKLpgd44yZM6k4wL +-hReX2okQ8tEwB73ahy/H3TaRr3B2l6s16kx4obDpyTsbrBZgiks515ru5EM2pv7x +-31Ya2sUlXBWt+Kc+Z/6UI2Eot7G4M11oeRGpWnFBqPFAIByEbnCR4NCPbAKl2t2q +-vhsQh0zAo9qB4uUyc/XblKKRtdupDnRceSCLg18ZwnBxrVZBuSK5oUCAwAFtE4BZ +-G793gbwIUeR0pFgNMKkfPnXy3Ii8OmPDc9CsxO0Qg4Xh2VXWpVI+N5xL5L/M3O1i +-UDDO2PeoaEVfz3htOCYo1U6BSQqMzg5JD2JifzKEscy3rFkpH21EHLg07Fv4ZSFo +-HG22zt00dJpNatyAzzaYHlMel4K1fwNrGrUH5M2OeRtvkUMlDKwp8qrKIDpTi6vT +-GW0woBoRlR1+qGGG9RHBqm937uhHJsLw8lFJmvO0ObqbdpdfW4nWugL8x1LZC9oz +-uaH7hwj5i0SKK/StuLxAPP6cl4RqQhXO5rxEz2iFjl4nwwtRH3KPEDEAvQcnNXpi +-2YV5z8C78j1amzbSJBlGpu3aoJNn+WPgjePmeBe7oE9t1/5kvIVIAj8kg6CaKfHz +-6hiK1Erl8g== ++KoZIhvcNAQEBBQADggIPADCCAgoCggIBAPVThsunmhda5hbNi+pXD3WF9ijryB9H ++JDnIbPW/vMffWcQgtiRzc+6aCykBygnhnN91NNRpxOsoLCb7OjUMM0TjhSE9DxKD ++aVLRoDcs5VSaddQjq3AwdkU6ek9InUOeDuZ8gatrpWlEyuQPwwnMAfR9NkcTajuF ++hGO0BlqkHg98GckQD0N5x6CrrDJt6RE6hf9gUZSGSWdPTiETBQUN8LTuxo/ybFSN ++hcpVNCF+r3eozATbSU8YvQU52RmPIZWHHmYb7KtMO3TEX4LnLJUOefUK4qk+ZJ0s ++f4JfnY7RhBlZGh2kIyE5jwqz8/KzKtxrutNaupdTFZO8nX09QSgmDCxVWVclrPaG ++q2ZFYpeauTy71pTm8DjF7PwQI/+PUrBdFIX0V6uxqUEG0pvPdb8zenVbaK4Jh39u ++w0V5tH/rbtd7zZX4vl3bmKo1Wk0SQxd83iXitxLiJnWNOsmrJcM/Hx91kE10+/ly ++zgL/w5A9HSA616kfPdNzny0laH1TXVLJsnyyV3DyfnU4O6VI0JG3WjhgRdMkgobn ++GvGJ2ZsZAxds9lBtT2y+gw5BU+jkSilPk3jM9MA7Kmyci93U9xxMuDNzyUzfcnXR ++UIq99dZWeMMy1LT3buZXrAWu1WRgPdQtDKcQHDIQaIkxlWsT8q2q/wIirb6fwxlw ++vXkFp+aEP35BAgMBAAGjUzBRMB0GA1UdDgQWBBR37F1+W1gcCp8bhZaFFi9JKQhu ++tTAfBgNVHSMEGDAWgBR37F1+W1gcCp8bhZaFFi9JKQhutTAPBgNVHRMBAf8EBTAD ++AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAYHqpISUI/x8UW33i35rYkFYNvXBMQDc8J ++v4G2eqEBNCOVmHg6P//lq1F2jrtAEr/saESN1uS1Q80sUsthlVsceV1z1isdpugG ++kMbfHxLe0QpthnP3PEChQw30TPB22BThuGVkteNSZKTCPGdzjSTPq2kOR6PCBZRd ++r0r/TW3lT/Ng3KgjT6g7E3ZUpAeFEQMlmNYr/eEOL7K+1jzQrbCLmXbs6rmtffr7 ++n4p+wMPMPaSRqQoQ86ff9GPzxWuAQGlytVoiS5Xt3jotd/RWlOy0YQ2QSzOQvFUW ++4te5lwdOvOFnJTo43U3DqASqMcaazvIsN41zVlOyOyKEr9oZERju6FU1aZmuZtHQ ++wMCmXVj/Swj67Zp9tG+vVQenbEk314+8c2nenuOIFP1F2C/NG3vMLIpENRGxpmAm ++s5gIT6mXvJ4JCwWYc75zucOr2KVkDmEziJh/pARuOrOAPdc6NjKku8HBC9UI96+x ++Db4hG2SqXUzShkFX/px7vlCADvgO3FDk2aiyW02PFsItob2O6OB98VGsU26hgRO/ ++Czz/jbjWTPHNOt6/fcL0m7XLwlJ+K9gRArY15DeJGumcHEq/Vd/Z8iPQKKdzgF4O ++9XFZvu+VHP82AS5TeiYHCddFJyzktQYcNu5/OBuxzO83d7rpqrLFETTEOL4cN8O7 ++LJ7Q89hYAQ== + -----END CERTIFICATE----- +diff --git a/ext/openssl/tests/bug54992.pem b/ext/openssl/tests/bug54992.pem +index 1a64a4e5b8a1..f207c3044810 100644 +--- a/ext/openssl/tests/bug54992.pem ++++ b/ext/openssl/tests/bug54992.pem +@@ -1,26 +1,26 @@ + -----BEGIN CERTIFICATE----- +-MIID7jCCAdYCFBDKe4ra5M5zJIb81D7zwFRmyHQGMA0GCSqGSIb3DQEBCwUAMIGQ ++MIID7jCCAdYCFDw0rvm7q8y5HfispK5A2I2+RBqHMA0GCSqGSIb3DQEBCwUAMIGQ + MQswCQYDVQQGEwJQVDEPMA0GA1UECAwGTGlzYm9hMQ8wDQYDVQQHDAZMaXNib2Ex + FzAVBgNVBAoMDlBIUCBGb3VuZGF0aW9uMR4wHAYDVQQDDBVSb290IENBIGZvciBQ + SFAgVGVzdHMxJjAkBgkqhkiG9w0BCQEWF2ludGVybmFsc0BsaXN0cy5waHAubmV0 +-MB4XDTE4MTIwMTIxNDU0MloXDTE4MTIzMTIxNDU0MlowWjEXMBUGA1UEAxMOYnVn ++MB4XDTE4MTIzMTA4NDY0M1oXDTIwMDIwNDA4NDY0M1owWjEXMBUGA1UEAxMOYnVn + NTQ5OTIubG9jYWwxCzAJBgNVBAYTAlBUMQ8wDQYDVQQHEwZMaXNib2ExDzANBgNV + BAgTBkxpc2JvYTEQMA4GA1UEChMHcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOB + jQAwgYkCgYEAtUAVQKTgpUPgtFOJ3w3kDJETS45tWeT96kUg1NeYLKW+jNbFhxPo + PJv7XhfemCaqh2tbq1cdYW906Wp1L+eNQvdTYA2IQG4EQBUlmfyIakOIMsN/RizV + kF09vlNQwTpaMpqTv7wB8vvwbxb9jbC2ZhQUBEg6PIn18dSstbM9FZ0CAwEAATAN +-BgkqhkiG9w0BAQsFAAOCAgEAid90+ulRK+4ifB2tKnt2MyuqXZexv2yQ4u15EYmE +-NLOpP5ZWN8vSvRI3IGruNA00dX/F2EOT+u82ApOxzYyxceAx29Ytpt7PSd2nUqkN +-TbDAsDTUZdoDLUa6dGPe5Faaai00nfNJ3lqmC9xPbBPKyJ3hjz0Uj6gi51Lfi410 +-4GZa4oIL3NEIKVtaK942EAYCjeWx1VT8AnsvK4Nqufo97sbZNHJhgY+ApM168kox +-kFA/RNYp/pNS0FCc8b9DwMnu38n2n33iDl3P54chpAcyuWJE5wL/kN2gnS6iMsLP +-14NtBg2mm++4XqBpt9glmWr56HZtvyFW0IhpDwQgRe4GSIwPES2g1s7iUs3T4VdJ +-aHkF4v8Bdl6DWXSVdbqIq8CpVZLhf7vt6pV/22YpVCjQFmiLtc8a4gWaYvpn6j+L +-nAajb9JpdkNeqNiBxmtfQwL7xtY+1goLd9OKtIO1b2517ZRgU9NkUfLKCTl2W2L8 +-sMY7FPVs6Z1jfaXw+vIWKCJKe0thf0HMV4q11ptsqpzyIzAAjAfma1b/MM5ATHsa +-6h7Poh0yg+WMSdXurjhDWogOWrzPXSe0izUYpREkTVl1oLhzorxlEDh7vBLB2TS3 +-TPAEdNxEbsIutMjoz5ql5dYxgZQGW7HARXrXhMbk6cBU8khNcGGqz1uzX1x7Vb2d +-hKs= ++BgkqhkiG9w0BAQsFAAOCAgEAKtSMguV5ZQ2KpdZ9MAFa+GiHL0APb58OrvwNK4BF ++6032UZLOWnsBZlo85WGLNnIT/GNzKKr7n9jHeuZcBVOFQLsebahSlfJZs9FPatlI ++9Md1tRzVoTKohjG86HeFhhL+gZQ69SdIcK40wpH1qNv7KyMGA8gnx6rRKbOxZqsx ++pkA/wS7CTqP9/DeOxh/MZPg7N/GZXW1QOz+SE537E9iyiRsbldNYFtwn5iaVfjpr ++xz09wYYW3HJpR+QKPCfJ79JxDhuMHMoUOpIy8vGFnt5zVTcFLa378Sy3vCT1Qwvt ++tTavFGHby4A7OqT6xu+9GTW37OaiV91UelLLV0+MoR4XiMVMX76mvqzmKCp6L9ae ++7RYHrrCtNxkYUKUSkOEc2VHnT+sENkJIZu7zzN7/QNlc0yE9Rtsmgy4QAxo2m9u0 ++pUZLAulZ1lS7g/sr7/8Pp17RDvJiJh+oAPyVYZ7OoLF1IoHDHcZI0bqcqhDhiHZs ++PXYqyMCxyYzHFOAOgvbrEkmp8z/E8ATVwdUbAYN1dMrYHre1P4HFEtJh2QiGG2KE ++4jheuNhH1R25AizbwYbD33Kdp7ltCgBlfYqjl771SlgY45QYs0mUdc1Pv39SGIwf ++ZUm7mOWjaTBdYANrkvGM5NNT9kESjKkWykyTg4UF5rHV6nlyexR4b3fjabroi4BS ++v6w= + -----END CERTIFICATE----- + -----BEGIN RSA PRIVATE KEY----- + MIICXgIBAAKBgQC1QBVApOClQ+C0U4nfDeQMkRNLjm1Z5P3qRSDU15gspb6M1sWH +diff --git a/ext/openssl/tests/bug54992.phpt b/ext/openssl/tests/bug54992.phpt +index 878cb4a8725b..a3cb36deecbe 100644 +--- a/ext/openssl/tests/bug54992.phpt ++++ b/ext/openssl/tests/bug54992.phpt +@@ -6,6 +6,48 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); + if (!function_exists("proc_open")) die("skip no proc_open"); + --FILE-- + ext/openssl/tests/bug54992.key ++ ++ Extract CSR from existing certificate: ++ $ openssl x509 -x509toreq -in ext/openssl/tests/bug54992.pem -out ext/openssl/tests/bug54992.csr -signkey ext/openssl/tests/bug54992.key ++ ++ Sign the CSR: ++ $ openssl x509 -CA ext/openssl/tests/bug54992-ca.pem \ ++ -CAcreateserial \ ++ -CAkey ./ext/openssl/tests/bug54992-ca.key \ ++ -req \ ++ -in ext/openssl/tests/bug54992.csr \ ++ -sha256 \ ++ -days 400 \ ++ -out ./ext/openssl/tests/bug54992.pem ++ ++ Bundle certificate's private key with the certificate: ++ $ cat ext/openssl/tests/bug54992.key >> ext/openssl/tests/bug54992.pem\ ++ ++ ++ Dependants: ++ ++ 1. ext/openssl/tests/bug65538_003.phpt ++ Run the following to generate required phar: ++ php -d phar.readonly=Off -r '$phar = new Phar("ext/openssl/tests/bug65538.phar"); $phar->addFile("ext/openssl/tests/bug54992.pem", "bug54992.pem"); $phar->addFile("ext/openssl/tests/bug54992-ca.pem", "bug54992-ca.pem");' ++ ++ 2. Update ext/openssl/tests/openssl_peer_fingerprint_basic.phpt (see instructions in there) ++ */ + $serverCode = <<<'CODE' + $serverUri = "ssl://127.0.0.1:64321"; + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; +diff --git a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt +index 39d62b29c901..3bca7cb640c6 100644 +--- a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt ++++ b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt +@@ -32,12 +32,17 @@ $clientCode = <<<'CODE' + + phpt_wait(); + +- // should be: 3610606deda596b3ae3859d33c4ce1d9 +- stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '3610606deda596b3ae3859d33c4ce1da'); ++ // Run the following to get actual md5 (from sources root): ++ // openssl x509 -noout -fingerprint -md5 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f' ++ // Currently it's 4edbbaf40a6a4b6af22b6d6d9818378f ++ // One below is intentionally broken (compare the last character): ++ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '4edbbaf40a6a4b6af22b6d6d98183780'); + var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx)); + ++ // Run the following to get actual sha256 (from sources root): ++ // openssl x509 -noout -fingerprint -sha256 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f' + stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [ +- 'sha256' => 'dffa72247ab7e44d94b2858528e3f67015925782148d2cf0b15cd82d1c931215', ++ 'sha256' => 'b1d480a2f83594fa243d26378cf611f334d369e59558d87e3de1abe8f36cb997', + ]); + var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx)); + CODE; diff --git a/php70.spec b/php70.spec index 260af42..0d14216 100644 --- a/php70.spec +++ b/php70.spec @@ -112,7 +112,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{?dist} +Release: 2%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -167,8 +167,17 @@ Patch47: php-5.6.3-phpinfo.patch Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) +Patch102: php-openssl-cert.patch # Security fixes (200+) +Patch200: php-bug77242.patch +Patch201: php-bug77247.patch +Patch202: php-bug77370.patch +Patch203: php-bug77371.patch +Patch204: php-bug77380.patch +Patch205: php-bug77381.patch +Patch206: php-bug77369.patch +Patch207: php-bug77418.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1011,8 +1020,17 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch91 -p1 -b .remi-oci8 # upstream patches +%patch102 -p1 -b .up3 # security patches +%patch200 -p1 -b .bug77242 +%patch201 -p1 -b .bug77247 +%patch202 -p1 -b .bug77370 +%patch203 -p1 -b .bug77371 +%patch204 -p1 -b .bug77380 +%patch205 -p1 -b .bug77381 +%patch206 -p1 -b .bug77369 +%patch207 -p1 -b .bug77418 # Fixes for tests %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 @@ -2026,6 +2044,23 @@ fi %changelog +* Wed Jan 9 2019 Remi Collet - 7.0.33-2 +- core: + Fix #77369 memcpy with negative length via crafted DNS response +- mbstring: + Fix #77370 buffer overflow on mb regex functions - fetch_token + Fix #77371 heap buffer overflow in mb regex functions compile_string_node + Fix #77381 heap buffer overflow in multibyte match_at + Fix #77382 heap buffer overflow in expand_case_fold_string + Fix #77385 buffer overflow in fetch_token + Fix #77394 buffer overflow in multibyte case folding - unicode + Fix #77418 heap overflow in utf32be_mbc_to_code +- phar: + Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext +- xmlrpc: + Fix #77242 heap out of bounds read in xmlrpc_decode + Fix #77380 global out of bounds read in xmlrpc base64 code + * Wed Dec 5 2018 Remi Collet - 7.0.33-1 - Update to 7.0.33 - http://www.php.net/releases/7_0_33.php - use oracle client library version 18.3 -- cgit