diff options
author | Remi Collet <remi@remirepo.net> | 2018-09-14 11:22:08 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-09-14 11:22:08 +0200 |
commit | 65638dbd3e83c7f78568c00c7013f568cf53606b (patch) | |
tree | d49df27c85e6ff170f5413b2d5e4c8e01436ba49 | |
parent | 03cb94d7835b8548cd35966c0cf3e10e48808f87 (diff) |
fix #76582: XSS due to the header Transfer-Encoding: chunked
-rw-r--r-- | bug76582.patch | 23 | ||||
-rw-r--r-- | php.spec | 7 |
2 files changed, 29 insertions, 1 deletions
diff --git a/bug76582.patch b/bug76582.patch new file mode 100644 index 0000000..fd35f43 --- /dev/null +++ b/bug76582.patch @@ -0,0 +1,23 @@ +From 23b057742e3cf199612fa8050ae86cae675e214e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 28 Jul 2018 22:16:29 -0700 +Subject: [PATCH] Fix for bug #76582 + +The brigade seems to end up in a messed up state if something fails +in shutdown, so we clean it up. +--- + sapi/apache2handler/sapi_apache2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c +index 6fa2521c3847..0ebca9bca863 100644 +--- a/sapi/apache2handler/sapi_apache2.c ++++ b/sapi/apache2handler/sapi_apache2.c +@@ -678,6 +678,7 @@ zend_first_try { + if (!parent_req) { + php_apache_request_dtor(r TSRMLS_CC); + ctx->request_processed = 1; ++ apr_brigade_cleanup(brigade); + bucket = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(brigade, bucket); + @@ -119,7 +119,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.4.45 -Release: 14%{?dist} +Release: 15%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -251,6 +251,7 @@ Patch267: bug73869.patch Patch268: bug74435.patch Patch269: bug75571.patch Patch270: bug75981.patch +Patch271: bug76582.patch # Fixes for tests (300+) # Backported from 5.5 @@ -959,6 +960,7 @@ support for using the enchant library to PHP. %patch268 -p1 -b .bug74435 %patch269 -p1 -b .bug75571 %patch270 -p1 -b .bug75981 +%patch271 -p1 -b .bug76582 : ------------------------ #exit 1 @@ -1796,6 +1798,9 @@ EOF %changelog +* Fri Sep 14 2018 Remi Collet <remi@remirepo.net> - 5.4.45-15 +- fix #76582: XSS due to the header Transfer-Encoding: chunked + * Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.4.45-14 - fix #73549: Use after free when stream is passed to imagepng - fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() |