From 64096d0a04a58b3984cf744e10dcfb47413692a8 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 18 Dec 2025 08:13:35 +0100 Subject: Fix Null byte termination in dns_get_record() GHSA-www2-q4fc-65wf Fix Heap buffer overflow in array_merge() CVE-2025-14178 Fix Information Leak of Memory in getimagesize CVE-2025-14177 --- failed.txt | 20 ++-- php-7.2.0-includedir.patch | 2 +- php-7.4.33-bash53.patch | 26 +++++ php-cve-2025-14177.patch | 103 +++++++++++++++++++ php-cve-2025-14178.patch | 62 ++++++++++++ php-ghsa-www2-q4fc-65wf.patch | 231 ++++++++++++++++++++++++++++++++++++++++++ php80.spec | 25 ++++- 7 files changed, 459 insertions(+), 10 deletions(-) create mode 100644 php-7.4.33-bash53.patch create mode 100644 php-cve-2025-14177.patch create mode 100644 php-cve-2025-14178.patch create mode 100644 php-ghsa-www2-q4fc-65wf.patch diff --git a/failed.txt b/failed.txt index 82a5a21..87a24d1 100644 --- a/failed.txt +++ b/failed.txt @@ -1,21 +1,27 @@ -===== 8.0.30-14 (2025-07-03) +===== 8.0.30-15 (2025-12-18) $ grep -ar 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el8a80/build.log:Tests failed : 0 /var/lib/mock/el8x80/build.log:Tests failed : 0 -/var/lib/mock/el9a80/build.log:Tests failed : 0 -/var/lib/mock/el9x80/build.log:Tests failed : 0 -/var/lib/mock/el10a80/build.log:Tests failed : 0 -/var/lib/mock/el10x80/build.log:Tests failed : 0 -/var/lib/mock/fc40a80/build.log:Tests failed : 0 -/var/lib/mock/fc40x80/build.log:Tests failed : 0 +/var/lib/mock/el9a80/build.log:Tests failed : 1 +/var/lib/mock/el9x80/build.log:Tests failed : 1 +/var/lib/mock/el10a80/build.log:Tests failed : 1 +/var/lib/mock/el10x80/build.log:Tests failed : 1 /var/lib/mock/fc41a80/build.log:Tests failed : 0 /var/lib/mock/fc41x80/build.log:Tests failed : 0 /var/lib/mock/fc42a80/build.log:Tests failed : 0 /var/lib/mock/fc42x80/build.log:Tests failed : 0 +/var/lib/mock/fc43a80/build.log:Tests failed : 4 +/var/lib/mock/fc43x80/build.log:Tests failed : 4 +el9, el10, fc43: + 3 Bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds) [ext/openssl/tests/bug74341.phpt] +fc43: + 3 X (PCRE_EXTRA) modifier is ignored (no error, no change) [ext/pcre/tests/pcre_extra.phpt] + 3 preg_split() [ext/pcre/tests/split.phpt] + 3 preg_grep() 2nd test [ext/pcre/tests/grep2.phpt] 1 proc_open give erratic test results :( diff --git a/php-7.2.0-includedir.patch b/php-7.2.0-includedir.patch index b6205ad..3f7c5db 100644 --- a/php-7.2.0-includedir.patch +++ b/php-7.2.0-includedir.patch @@ -5,7 +5,7 @@ EXPANDED_PHP_CONFIG_FILE_PATH=`eval echo "$PHP_CONFIG_FILE_PATH"` EXPANDED_PHP_CONFIG_FILE_SCAN_DIR=`eval echo "$PHP_CONFIG_FILE_SCAN_DIR"` -INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR -+INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:${EXPANDED_DATADIR}/php:/usr/share/pear:/usr/share/php ++INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:${EXPANDED_DATADIR}/php exec_prefix=$old_exec_prefix libdir=$old_libdir diff --git a/php-7.4.33-bash53.patch b/php-7.4.33-bash53.patch new file mode 100644 index 0000000..0b09e2a --- /dev/null +++ b/php-7.4.33-bash53.patch @@ -0,0 +1,26 @@ +From 98d2b923243d406b3d26f0770ac02f917729b948 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 4 Sep 2025 09:01:49 +0200 +Subject: [PATCH] Fix GH-19681 PHP_EXPAND_PATH broken with bash 5.3.0 + +--- + build/php.m4 | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/build/php.m4 b/build/php.m4 +index 142ddf08fd98b..e5ead0f4c44af 100644 +--- a/build/php.m4 ++++ b/build/php.m4 +@@ -64,7 +64,11 @@ AC_DEFUN([PHP_EXPAND_PATH],[ + changequote({,}) + ep_dir=`echo $1|$SED 's%/*[^/][^/]*/*$%%'` + changequote([,]) +- ep_realdir=`(cd "$ep_dir" && pwd)` ++ if test -z $ep_dir ; then ++ ep_realdir=`(pwd)` ++ else ++ ep_realdir=`(cd "$ep_dir" && pwd)` ++ fi + $2="$ep_realdir"/`basename "$1"` + fi + ]) diff --git a/php-cve-2025-14177.patch b/php-cve-2025-14177.patch new file mode 100644 index 0000000..7ef1b2b --- /dev/null +++ b/php-cve-2025-14177.patch @@ -0,0 +1,103 @@ +From ed665eb1903737d2b52b27368b155f6208604ed9 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Tue, 25 Nov 2025 23:11:38 +0100 +Subject: [PATCH 1/5] Fix GH-20584: Information Leak of Memory + +The string added had uninitialized memory due to +php_read_stream_all_chunks() not moving the buffer position, resulting +in the same data always being overwritten instead of new data being +added to the end of the buffer. + +This is backport as there is a security impact as described in +GHSA-3237-qqm7-mfv7 . + +(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc) +--- + ext/standard/image.c | 17 +++++++++++- + ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/image/gh20584.phpt + +diff --git a/ext/standard/image.c b/ext/standard/image.c +index 419522c6a2e..69f18d100f5 100644 +--- a/ext/standard/image.c ++++ b/ext/standard/image.c +@@ -424,6 +424,21 @@ static int php_skip_variable(php_stream * stream) + } + /* }}} */ + ++static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_t length) ++{ ++ size_t read_total = 0; ++ do { ++ ssize_t read_now = php_stream_read(stream, buffer, length - read_total); ++ read_total += read_now; ++ if (read_now < stream->chunk_size && read_total != length) { ++ return 0; ++ } ++ buffer += read_now; ++ } while (read_total < length); ++ ++ return read_total; ++} ++ + /* {{{ php_read_APP */ + static int php_read_APP(php_stream * stream, unsigned int marker, zval *info) + { +@@ -440,7 +455,7 @@ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info) + + buffer = emalloc(length); + +- if (php_stream_read(stream, buffer, (size_t) length) != length) { ++ if (php_read_stream_all_chunks(stream, buffer, length) != length) { + efree(buffer); + return 0; + } +diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt +new file mode 100644 +index 00000000000..d117f218202 +--- /dev/null ++++ b/ext/standard/tests/image/gh20584.phpt +@@ -0,0 +1,39 @@ ++--TEST-- ++GH-20584 (Information Leak of Memory) ++--CREDITS-- ++Nikita Sveshnikov (Positive Technologies) ++--FILE-- ++ ++--CLEAN-- ++ ++--EXPECT-- ++bool(true) +-- +2.52.0 + diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch new file mode 100644 index 0000000..867ffba --- /dev/null +++ b/php-cve-2025-14178.patch @@ -0,0 +1,62 @@ +From e4516e52979e8b67d9d35dfdbcc5dc7368263fa2 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Sun, 9 Nov 2025 13:23:11 +0100 +Subject: [PATCH 3/5] Fix GHSA-h96m-rvf9-jgm2 + +(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415) +--- + ext/standard/array.c | 7 ++++++- + .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt + +diff --git a/ext/standard/array.c b/ext/standard/array.c +index 4b68040adc8..2960713d00e 100644 +--- a/ext/standard/array.c ++++ b/ext/standard/array.c +@@ -3798,7 +3798,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET + int argc, i; + zval *src_entry; + HashTable *src, *dest; +- uint32_t count = 0; ++ uint64_t count = 0; + + ZEND_PARSE_PARAMETERS_START(0, -1) + Z_PARAM_VARIADIC('+', args, argc) +@@ -3818,6 +3818,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET + count += zend_hash_num_elements(Z_ARRVAL_P(arg)); + } + ++ if (UNEXPECTED(count >= HT_MAX_SIZE)) { ++ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE); ++ RETURN_THROWS(); ++ } ++ + if (argc == 2) { + zval *ret = NULL; + +diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +new file mode 100644 +index 00000000000..2e3e85357e1 +--- /dev/null ++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++GHSA-h96m-rvf9-jgm2 ++--FILE-- ++getMessage(), "\n"; ++} ++ ++?> ++--EXPECTF-- ++The total number of elements must be lower than %d +-- +2.52.0 + diff --git a/php-ghsa-www2-q4fc-65wf.patch b/php-ghsa-www2-q4fc-65wf.patch new file mode 100644 index 0000000..6d43dd8 --- /dev/null +++ b/php-ghsa-www2-q4fc-65wf.patch @@ -0,0 +1,231 @@ +From 52c5762a902e8731b7068ded027fbd780f5a1991 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sat, 6 Sep 2025 21:55:13 +0200 +Subject: [PATCH 4/5] Fix GHSA-www2-q4fc-65wf + +(cherry picked from commit ed70b1ea43a9b7ffa2f53b3e5d6ba403f37ae81c) +--- + ext/standard/basic_functions.c | 12 ++-- + ext/standard/dns.c | 6 +- + ext/standard/dns_win32.c | 6 +- + .../tests/network/ghsa-www2-q4fc-65wf.phpt | 62 +++++++++++++++++++ + 4 files changed, 74 insertions(+), 12 deletions(-) + create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt + +diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c +index 876ef347ebf..9eba6d5a14c 100755 +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -633,7 +633,7 @@ PHP_FUNCTION(inet_pton) + char buffer[17]; + + ZEND_PARSE_PARAMETERS_START(1, 1) +- Z_PARAM_STRING(address, address_len) ++ Z_PARAM_PATH(address, address_len) + ZEND_PARSE_PARAMETERS_END(); + + memset(buffer, 0, sizeof(buffer)); +@@ -670,7 +670,7 @@ PHP_FUNCTION(ip2long) + #endif + + ZEND_PARSE_PARAMETERS_START(1, 1) +- Z_PARAM_STRING(addr, addr_len) ++ Z_PARAM_PATH(addr, addr_len) + ZEND_PARSE_PARAMETERS_END(); + + #ifdef HAVE_INET_PTON +@@ -2265,8 +2265,8 @@ PHP_FUNCTION(getservbyname) + struct servent *serv; + + ZEND_PARSE_PARAMETERS_START(2, 2) +- Z_PARAM_STRING(name, name_len) +- Z_PARAM_STRING(proto, proto_len) ++ Z_PARAM_PATH(name, name_len) ++ Z_PARAM_PATH(proto, proto_len) + ZEND_PARSE_PARAMETERS_END(); + + +@@ -2309,7 +2309,7 @@ PHP_FUNCTION(getservbyport) + + ZEND_PARSE_PARAMETERS_START(2, 2) + Z_PARAM_LONG(port) +- Z_PARAM_STRING(proto, proto_len) ++ Z_PARAM_PATH(proto, proto_len) + ZEND_PARSE_PARAMETERS_END(); + + serv = getservbyport(htons((unsigned short) port), proto); +@@ -2332,7 +2332,7 @@ PHP_FUNCTION(getprotobyname) + struct protoent *ent; + + ZEND_PARSE_PARAMETERS_START(1, 1) +- Z_PARAM_STRING(name, name_len) ++ Z_PARAM_PATH(name, name_len) + ZEND_PARSE_PARAMETERS_END(); + + ent = getprotobyname(name); +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index a81ae3f71fc..4b3fac8e915 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -368,7 +368,7 @@ PHP_FUNCTION(dns_check_record) + #endif + + ZEND_PARSE_PARAMETERS_START(1, 2) +- Z_PARAM_STRING(hostname, hostname_len) ++ Z_PARAM_PATH(hostname, hostname_len) + Z_PARAM_OPTIONAL + Z_PARAM_STRING(rectype, rectype_len) + ZEND_PARSE_PARAMETERS_END(); +@@ -815,7 +815,7 @@ PHP_FUNCTION(dns_get_record) + zend_bool raw = 0; + + ZEND_PARSE_PARAMETERS_START(1, 5) +- Z_PARAM_STRING(hostname, hostname_len) ++ Z_PARAM_PATH(hostname, hostname_len) + Z_PARAM_OPTIONAL + Z_PARAM_LONG(type_param) + Z_PARAM_ZVAL(authns) +@@ -1053,7 +1053,7 @@ PHP_FUNCTION(dns_get_mx) + #endif + + ZEND_PARSE_PARAMETERS_START(2, 3) +- Z_PARAM_STRING(hostname, hostname_len) ++ Z_PARAM_PATH(hostname, hostname_len) + Z_PARAM_ZVAL(mx_list) + Z_PARAM_OPTIONAL + Z_PARAM_ZVAL(weight_list) +diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c +index d677da0c150..1870998ef1f 100644 +--- a/ext/standard/dns_win32.c ++++ b/ext/standard/dns_win32.c +@@ -48,7 +48,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */ + DNS_STATUS status; /* Return value of DnsQuery_A() function */ + PDNS_RECORD pResult, pRec; /* Pointer to DNS_RECORD structure */ + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) { + RETURN_THROWS(); + } + +@@ -101,7 +101,7 @@ PHP_FUNCTION(dns_check_record) + DNS_STATUS status; /* Return value of DnsQuery_A() function */ + PDNS_RECORD pResult; /* Pointer to DNS_RECORD structure */ + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) { + RETURN_THROWS(); + } + +@@ -353,7 +353,7 @@ PHP_FUNCTION(dns_get_record) + int type, type_to_fetch, first_query = 1, store_results = 1; + zend_bool raw = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b", ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b", + &hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) { + RETURN_THROWS(); + } +diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt +new file mode 100644 +index 00000000000..3d082c8e952 +--- /dev/null ++++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt +@@ -0,0 +1,62 @@ ++--TEST-- ++GHSA-www2-q4fc-65wf ++--DESCRIPTION-- ++This is a ZPP test but *keep* this as it is security-sensitive! ++--FILE-- ++getMessage(), "\n"; ++} ++try { ++ dns_get_mx("\0", $out); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ dns_get_record("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getprotobyname("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getservbyname("\0", "tcp"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getservbyname("x", "tcp\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getservbyport(0, "tcp\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ inet_pton("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ ip2long("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++?> ++--EXPECT-- ++dns_check_record(): Argument #1 ($hostname) must not contain any null bytes ++dns_get_mx(): Argument #1 ($hostname) must not contain any null bytes ++dns_get_record(): Argument #1 ($hostname) must not contain any null bytes ++getprotobyname(): Argument #1 ($protocol) must not contain any null bytes ++getservbyname(): Argument #1 ($service) must not contain any null bytes ++getservbyname(): Argument #2 ($protocol) must not contain any null bytes ++getservbyport(): Argument #2 ($protocol) must not contain any null bytes ++inet_pton(): Argument #1 ($ip) must not contain any null bytes ++ip2long(): Argument #1 ($ip) must not contain any null bytes +-- +2.52.0 + +From 52b3bdaa74078e4ea8abd9696cdbdc35a8091446 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 18 Dec 2025 07:17:43 +0100 +Subject: [PATCH 5/5] NEWS from 8.1.34 + +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index c813f4f357a..ee3b272dfc6 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.34 ++ ++- Standard: ++ . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). ++ (ndossche) ++ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). ++ (CVE-2025-14178) (ndossche) ++ . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). ++ (CVE-2025-14177) (ndossche) ++ + Backported from 8.1.33 + + - PGSQL: +-- +2.52.0 + diff --git a/php80.spec b/php80.spec index dcbdb02..9e826f6 100644 --- a/php80.spec +++ b/php80.spec @@ -24,7 +24,7 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) -%global oraclever 23.8 +%global oraclever 23.9 %global oraclemax 24 %global oraclelib 23.1 %global oracledir 23 @@ -117,7 +117,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 14%{?dist} +Release: 15%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -161,6 +161,8 @@ Patch9: php-8.0.6-deprecated.patch Patch11: php-8.0.30-icu.patch # Fix strict prototypes from 8.1 Patch12: php-8.0.30-proto.patch +# Fix for bash 5.3 (Fedora 43) +Patch13: php-7.4.33-bash53.patch # Functional changes # Use system nikic/php-parser @@ -215,6 +217,9 @@ Patch217: php-cve-2025-1219.patch Patch218: php-cve-2025-6491.patch Patch219: php-cve-2025-1220.patch Patch220: php-cve-2025-1735.patch +Patch221: php-cve-2025-14177.patch +Patch222: php-cve-2025-14178.patch +Patch223: php-ghsa-www2-q4fc-65wf.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -895,7 +900,11 @@ License: PHP and BSD %endif Requires: php-common%{?_isa} = %{version}-%{release} %if %{with libgd} +%if 0%{?rhel} +BuildRequires: gd3php-devel >= 2.3.3 +%else BuildRequires: pkgconfig(gdlib) >= 2.3.3 +%endif %else # Required to build the bundled GD library BuildRequires: pkgconfig(zlib) @@ -1208,6 +1217,7 @@ in pure PHP. %patch -P9 -p1 -b .deprecated %patch -P11 -p1 -b .icu74 %patch -P12 -p1 -b .proto +%patch -P13 -p1 -b .bash53 %patch -P41 -p1 -b .syslib %patch -P42 -p1 -b .systzdata @@ -1250,6 +1260,9 @@ rm ext/openssl/tests/p12_with_extra_certs.p12 %patch -P218 -p1 -b .cve6491 %patch -P219 -p1 -b .cve1220 %patch -P220 -p1 -b .cve1735 +%patch -P221 -p1 -b .cve14177 +%patch -P222 -p1 -b .cve14178 +%patch -P223 -p1 -b .ghsawwww2 # Fixes for tests related to tzdata %patch -P300 -p1 -b .datetests @@ -2265,6 +2278,14 @@ EOF %changelog +* Thu Dec 18 2025 Remi Collet - 8.0.30-15 +- Fix Null byte termination in dns_get_record() + GHSA-www2-q4fc-65wf +- Fix Heap buffer overflow in array_merge() + CVE-2025-14178 +- Fix Information Leak of Memory in getimagesize + CVE-2025-14177 + * Thu Jul 3 2025 Remi Collet - 8.0.30-14 - Fix pgsql extension does not check for errors during escaping CVE-2025-1735 -- cgit