summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-02-18 09:05:00 +0100
committerRemi Collet <remi@remirepo.net>2020-02-18 09:05:00 +0100
commitcc34720530d9a9c85aee555ed66254ef58bedebc (patch)
tree6c8a84c965f9c63e6ebd5634197a2fb8d53a1736
parente64421cd767593ba51cf32917a1bf33064f3edd8 (diff)
phar:
Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions CVE-2020-7063 session: Fix #79221 Null Pointer Dereference in PHP Session Upload Progress CVE-2020-7062
-rw-r--r--php-bug79082.patch154
-rw-r--r--php-bug79221.patch86
-rw-r--r--php.spec14
3 files changed, 253 insertions, 1 deletions
diff --git a/php-bug79082.patch b/php-bug79082.patch
new file mode 100644
index 0000000..6df2de1
--- /dev/null
+++ b/php-bug79082.patch
@@ -0,0 +1,154 @@
+From ed163ca242932e7f60467fb32ec00166f4318a40 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 22:17:14 -0800
+Subject: [PATCH 2/3] Fix bug #79082 - Files added to tar with
+ Phar::buildFromIterator have all-access permissions
+
+(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6)
+---
+ ext/phar/phar_object.c | 11 +++++
+ ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++
+ ext/phar/tests/test79082/test79082-testfile | 1 +
+ ext/phar/tests/test79082/test79082-testfile2 | 1 +
+ 4 files changed, 65 insertions(+)
+ create mode 100644 ext/phar/tests/bug79082.phpt
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile2
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index d69837218f..5722828c37 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -1427,6 +1427,7 @@ static int phar_build(zend_object_iterator *iter, void *puser TSRMLS_DC) /* {{{
+ zend_class_entry *ce = p_obj->c;
+ phar_archive_object *phar_obj = p_obj->p;
+ char *str = "[stream]";
++ php_stream_statbuf ssb;
+
+ iter->funcs->get_current_data(iter, &value TSRMLS_CC);
+
+@@ -1709,6 +1710,16 @@ after_open_fp:
+ php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
+ data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
+ php_stream_tell(p_obj->fp) - data->internal_file->offset;
++ if (php_stream_stat(fp, &ssb) != -1) {
++ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
++ } else {
++#ifndef _WIN32
++ mode_t mask;
++ mask = umask(0);
++ umask(mask);
++ data->internal_file->flags &= ~mask;
++#endif
++ }
+ }
+
+ if (close_fp) {
+diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
+new file mode 100644
+index 0000000000..ca453d1b57
+--- /dev/null
++++ b/ext/phar/tests/bug79082.phpt
+@@ -0,0 +1,52 @@
++--TEST--
++Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
++--SKIPIF--
++<?php
++if (!extension_loaded("phar")) die("skip");
++if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
++?>
++--FILE--
++<?php
++umask(022);
++var_dump(decoct(umask()));
++chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
++chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
++
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++ clearstatcache();
++ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
++ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
++ $phar->extractTo(__DIR__);
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++ unlink(__DIR__ . '/test79082-testfile');
++ unlink(__DIR__ . '/test79082-testfile2');
++}
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++ clearstatcache();
++ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
++ $phar->buildFromDirectory(__DIR__ . '/test79082');
++ $phar->extractTo(__DIR__);
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++ unlink(__DIR__ . '/test79082-testfile');
++ unlink(__DIR__ . '/test79082-testfile2');
++}
++?>
++--CLEAN--
++<?
++unlink(__DIR__ . '/test79082.tar');
++unlink(__DIR__ . '/test79082.zip');
++unlink(__DIR__ . '/test79082-d.tar');
++unlink(__DIR__ . '/test79082-d.zip');
++?>
++--EXPECT--
++string(2) "22"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
+diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile
+@@ -0,0 +1 @@
++test
+diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile2
+@@ -0,0 +1 @@
++test
+--
+2.24.1
+
+From dbac37b3ea68d8a0ba7e4e519e1386bbe8eff400 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 Feb 2020 06:36:07 +0100
+Subject: [PATCH 3/3] NEWS
+
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index c387fa8f86..22e714e837 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.28
++
++- Phar:
++ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
++ all-access permissions). (CVE-2020-7063) (stas)
++
++- Session:
++ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
++ (CVE-2020-7062) (stas)
++
+ Backported from 7.2.27
+
+ - Mbstring:
+--
+2.24.1
+
diff --git a/php-bug79221.patch b/php-bug79221.patch
new file mode 100644
index 0000000..5940baf
--- /dev/null
+++ b/php-bug79221.patch
@@ -0,0 +1,86 @@
+From a8b5510a30a5e8761e841c799a472c6f25560698 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 20:52:19 -0800
+Subject: [PATCH 1/3] Fix bug #79221 - Null Pointer Dereference in PHP Session
+ Upload Progress
+
+(cherry picked from commit d76f7c6c636b8240e06a1fa29eebb98ad005008a)
+---
+ ext/session/session.c | 8 +++---
+ ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 3 deletions(-)
+ create mode 100644 ext/session/tests/bug79221.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index b2d02361df..d759fcabbf 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -2820,9 +2820,11 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
+ if (PS(rfc1867_cleanup)) {
+ php_session_rfc1867_cleanup(progress TSRMLS_CC);
+ } else {
+- add_assoc_bool_ex(progress->data, "done", sizeof("done"), 1);
+- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+- php_session_rfc1867_update(progress, 1 TSRMLS_CC);
++ if (progress->data) {
++ add_assoc_bool_ex(progress->data, "done", sizeof("done"), 1);
++ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
++ php_session_rfc1867_update(progress, 1 TSRMLS_CC);
++ }
+ }
+ php_rshutdown_session_globals(TSRMLS_C);
+ }
+diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt
+new file mode 100644
+index 0000000000..b0972c4697
+--- /dev/null
++++ b/ext/session/tests/bug79221.phpt
+@@ -0,0 +1,45 @@
++--TEST--
++Null Pointer Dereference in PHP Session Upload Progress
++--INI--
++error_reporting=0
++file_uploads=1
++upload_max_filesize=1024
++session.save_path=
++session.name=PHPSESSID
++session.serialize_handler=php
++session.use_strict_mode=0
++session.use_cookies=1
++session.use_only_cookies=0
++session.upload_progress.enabled=1
++session.upload_progress.cleanup=0
++session.upload_progress.prefix=upload_progress_
++session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
++session.upload_progress.freq=1%
++session.upload_progress.min_freq=0.000000001
++--COOKIE--
++PHPSESSID=session-upload
++--POST_RAW--
++Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHPSESSID"
++
++session-upload
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
++
++ryat
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; file="file"; ryat="filename"
++
++1
++-----------------------------20896060251896012921717172737--
++--FILE--
++<?php
++
++session_start();
++var_dump($_SESSION);
++session_destroy();
++
++--EXPECTF--
++array(0) {
++}
+--
+2.24.1
+
diff --git a/php.spec b/php.spec
index c55df12..d831dbb 100644
--- a/php.spec
+++ b/php.spec
@@ -146,7 +146,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 17%{?dist}
+Release: 18%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -234,6 +234,8 @@ Patch231: php-bug78793.patch
Patch232: php-bug78910.patch
Patch233: php-bug79099.patch
Patch234: php-bug79037.patch
+Patch236: php-bug79221.patch
+Patch237: php-bug79082.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -990,6 +992,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch232 -p1 -b .bug78910
%patch233 -p1 -b .bug79099
%patch234 -p1 -b .bug79037
+%patch236 -p1 -b .bug79221
+%patch237 -p1 -b .bug79082
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1932,6 +1936,14 @@ EOF
%changelog
+* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 5.6.40-18
+- phar:
+ Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
+ CVE-2020-7063
+- session:
+ Fix #79221 Null Pointer Dereference in PHP Session Upload Progress
+ CVE-2020-7062
+
* Thu Jan 23 2020 Remi Collet <remi@remirepo.net> - 5.6.40-17
- mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar