From 9fd633180dddf5573aa49084454a9357b29b06bb Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 21 Jan 2020 09:46:37 +0100
Subject: mbstring: Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar CVE-2020-7060 session: Fix #79091 heap use-after-free in session_create_id standard: Fix #79099 OOB read in php_strip_tags_ex CVE-2020-7059
---
php-bug79091.patch | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 99 insertions(+)
create mode 100644 php-bug79091.patch
(limited to 'php-bug79091.patch')
diff --git a/php-bug79091.patch b/php-bug79091.patch
new file mode 100644
index 0000000..ad3a5cc
--- /dev/null
+++ b/php-bug79091.patch
@@ -0,0 +1,99 @@
+From 35c8a53c098cd828413a80ed7964146d50161c6c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Mon, 20 Jan 2020 18:05:00 +0100
+Subject: [PATCH] Fix #79091: heap use-after-free in session_create_id()
+
+If the `new_id` is released, we must not use it again.
+
+(cherry picked from commit f79c7742746907d676989cb7f97fb4f7cd26789f)
+---
+ ext/session/session.c | 1 +
+ ext/session/tests/bug79091.phpt | 67 +++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 ext/session/tests/bug79091.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index 8d60ac249a..44ecb85f74 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -2049,6 +2049,7 @@ static PHP_FUNCTION(session_create_id)
+ /* Detect collision and retry */
+ if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) {
+ zend_string_release(new_id);
++ new_id = NULL;
+ continue;
+ }
+ break;
+diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt
+new file mode 100644
+index 0000000000..1d14427159
+--- /dev/null
++++ b/ext/session/tests/bug79091.phpt
+@@ -0,0 +1,67 @@
++--TEST--
++Bug #79091 (heap use-after-free in session_create_id())
++--SKIPIF--
++
++--FILE--
++
++--EXPECTF--
++bool(true)
++bool(true)
++
++Warning: session_create_id(): Failed to create new ID in %s on line %d
-- cgit
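Review bot: The added `new_id = NULL;` in the collision branch of session_create_id() has no comment saying which later read it protects, so it looks like a dead store before `continue` and could be dropped in a later cleanup, bringing the use-after-free back. I would write it as `new_id = NULL; /* released above; if the retries run out, the code after the loop must see NULL, not a freed string */`. The retry loop and the later use of new_id both start and end outside this hunk, so this assumes the post-loop code tests new_id for NULL; the test's expected "Failed to create new ID" warning suggests it does. The same release-then-reuse pattern is worth checking on any other path in this function that frees new_id before control leaves the loop.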