summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-04-14 09:45:07 +0200
committerRemi Collet <remi@remirepo.net>2020-04-14 09:45:07 +0200
commit9c12c1d4aa8eeca236df0f7ce51ddb6e82dfca59 (patch)
treeea7ebc440b4ac6113b0eaa80c4ae28136ae7cd71
parent3a162835ac7ba1d2994784d68a0d29bb8fe52576 (diff)
standard:
Fix #79330 shell_exec silently truncates after a null byte Fix #79465 OOB Read in urldecode CVE-2020-7067
-rw-r--r--php-bug79330.patch58
-rw-r--r--php-bug79465.patch59
-rw-r--r--php.spec12
3 files changed, 128 insertions, 1 deletions
diff --git a/php-bug79330.patch b/php-bug79330.patch
new file mode 100644
index 0000000..2c112ef
--- /dev/null
+++ b/php-bug79330.patch
@@ -0,0 +1,58 @@
+From 258ad37fe3f91cf862c2870d18d53e5cdb3b3752 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:00:44 -0700
+Subject: [PATCH] Fix bug #79330 - make all execution modes consistent in
+ rejecting \0
+
+(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62)
+---
+ ext/standard/exec.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ext/standard/exec.c b/ext/standard/exec.c
+index 88a6b4ab79..a586b786ee 100644
+--- a/ext/standard/exec.c
++++ b/ext/standard/exec.c
+@@ -537,6 +537,15 @@ PHP_FUNCTION(shell_exec)
+ return;
+ }
+
++ if (!command_len) {
++ php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
++ RETURN_FALSE;
++ }
++ if (strlen(command) != command_len) {
++ php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
++ RETURN_FALSE;
++ }
++
+ #ifdef PHP_WIN32
+ if ((in=VCWD_POPEN(command, "rt"))==NULL) {
+ #else
+From 6117c162636bfd7e981f7531dc4d48e358e62be4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:15:07 +0200
+Subject: [PATCH] ZTS
+
+---
+ ext/standard/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/exec.c b/ext/standard/exec.c
+index a586b786ee..40eca2b2c6 100644
+--- a/ext/standard/exec.c
++++ b/ext/standard/exec.c
+@@ -538,11 +538,11 @@ PHP_FUNCTION(shell_exec)
+ }
+
+ if (!command_len) {
+- php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command");
+ RETURN_FALSE;
+ }
+ if (strlen(command) != command_len) {
+- php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "NULL byte detected. Possible attack");
+ RETURN_FALSE;
+ }
+
diff --git a/php-bug79465.patch b/php-bug79465.patch
new file mode 100644
index 0000000..6bdf194
--- /dev/null
+++ b/php-bug79465.patch
@@ -0,0 +1,59 @@
+From 26770fed5530c46a68653e868be0a266c42c33e8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:07:04 -0700
+Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes.
+
+(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be)
+---
+ ext/standard/url.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index d6e71fa487..0278bd47e8 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -545,7 +545,7 @@ PHPAPI int php_url_decode(char *str, int len)
+ #ifndef CHARSET_EBCDIC
+ *dest = (char) php_htoi(data + 1);
+ #else
+- *dest = os_toebcdic[(char) php_htoi(data + 1)];
++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ data += 2;
+ len -= 2;
+@@ -647,7 +647,7 @@ PHPAPI int php_raw_url_decode(char *str, int len)
+ #ifndef CHARSET_EBCDIC
+ *dest = (char) php_htoi(data + 1);
+ #else
+- *dest = os_toebcdic[(char) php_htoi(data + 1)];
++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ data += 2;
+ len -= 2;
+From c1f77159cfd61479bc22cf41d7964673c31b222a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:02:28 +0200
+Subject: [PATCH] NEWS
+
+(cherry picked from commit bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5085d35e9a..281b52fe76 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.30
++
++- Standard:
++ . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas)
++ . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas)
++
+ Backported from 7.2.29
+
+ - Core:
diff --git a/php.spec b/php.spec
index dbd689d..0131a92 100644
--- a/php.spec
+++ b/php.spec
@@ -146,7 +146,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 19%{?dist}
+Release: 20%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -239,6 +239,8 @@ Patch236: php-bug79221.patch
Patch237: php-bug79082.patch
Patch238: php-bug79282.patch
Patch239: php-bug79329.patch
+Patch240: php-bug79330.patch
+Patch241: php-bug79465.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1002,6 +1004,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch237 -p1 -b .bug79082
%patch238 -p1 -b .bug79282
%patch239 -p1 -b .bug79329
+%patch240 -p1 -b .bug79330
+%patch241 -p1 -b .bug79465
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1947,6 +1951,12 @@ EOF
%changelog
+* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 5.6.40-20
+- standard:
+ Fix #79330 shell_exec silently truncates after a null byte
+ Fix #79465 OOB Read in urldecode
+ CVE-2020-7067
+
* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 5.6.40-19
- standard:
Fix #79329 get_headers() silently truncates after a null byte