diff options
author | Remi Collet <remi@remirepo.net> | 2020-05-13 09:50:14 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-05-13 09:50:14 +0200 |
commit | b4686a8d7766a7849d8935a881fc78d4fb4d4c1e (patch) | |
tree | 55f45a8980d1e989c5e9568b7ac192014194faed | |
parent | 9c12c1d4aa8eeca236df0f7ce51ddb6e82dfca59 (diff) |
Core:
Fix #78875 Long filenames cause OOM and temp files are not cleaned
CVE-2019-11048
Fix #78876 Long variables in multipart/form-data cause OOM and temp
files are not cleaned
-rw-r--r-- | php-bug78875.patch | 69 | ||||
-rw-r--r-- | php.spec | 11 |
2 files changed, 79 insertions, 1 deletions
diff --git a/php-bug78875.patch b/php-bug78875.patch new file mode 100644 index 0000000..2d8f900 --- /dev/null +++ b/php-bug78875.patch @@ -0,0 +1,69 @@ +From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 13 May 2020 09:03:49 +0200 +Subject: [PATCH] Backports from 7.2.31 + + Fix #78875: Long filenames cause OOM and temp files are not cleaned +(from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87) + + Fix #78876: Long variables cause OOM and temp files are not cleaned +(from 3c8582ca4b8e84e5647220b647914876d2c3b124) +--- + NEWS | 8 ++++++++ + main/rfc1867.c | 9 +++++---- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/NEWS b/NEWS +index 281b52fe76..b53c9e28cb 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,14 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.31 ++ ++- Core: ++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). ++ (CVE-2019-11048) (cmb) ++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp ++ files are not cleaned). (CVE-2019-11048) (cmb) ++ + Backported from 7.2.30 + + - Standard: +diff --git a/main/rfc1867.c b/main/rfc1867.c +index 0ddf0ed8f0..fb3035072a 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne + } + + /* read until a boundary condition */ +-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC) ++static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC) + { +- int len, max; ++ unsigned int len, max; + char *bound; + + /* fill buffer if needed */ +@@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i + static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC) + { + char buf[FILLUNIT], *out=NULL; +- int total_bytes=0, read_bytes=0; ++ unsigned int total_bytes=0, read_bytes=0; + + while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) { + out = erealloc(out, total_bytes + read_bytes + 1); +@@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + { + char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; + char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL; +- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; ++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0; ++ unsigned int array_len = 0; + int64_t total_bytes = 0, max_file_size = 0; + int skip_upload = 0, anonindex = 0, is_anonymous; + zval *http_post_files = NULL; @@ -146,7 +146,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 20%{?dist} +Release: 21%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -241,6 +241,7 @@ Patch238: php-bug79282.patch Patch239: php-bug79329.patch Patch240: php-bug79330.patch Patch241: php-bug79465.patch +Patch242: php-bug78875.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1006,6 +1007,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch239 -p1 -b .bug79329 %patch240 -p1 -b .bug79330 %patch241 -p1 -b .bug79465 +%patch242 -p1 -b .bug78875 # Fixes for tests %patch300 -p1 -b .datetests @@ -1951,6 +1953,13 @@ EOF %changelog +* Wed May 13 2020 Remi Collet <remi@remirepo.net> - 5.6.40-21 +- Core: + Fix #78875 Long filenames cause OOM and temp files are not cleaned + CVE-2019-11048 + Fix #78876 Long variables in multipart/form-data cause OOM and temp + files are not cleaned + * Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 5.6.40-20 - standard: Fix #79330 shell_exec silently truncates after a null byte |