summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--failed.txt11
-rw-r--r--php-bug75457.patch86
-rw-r--r--php-bug78380.patch78
-rw-r--r--php.spec12
4 files changed, 181 insertions, 6 deletions
diff --git a/failed.txt b/failed.txt
index c209104..c100cd2 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,22 +1,23 @@
-===== 5.6.40-12 (2019-07-30)
+===== 5.6.40-13 (2019-08-28)
$ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
/var/lib/mock/scl56el6x/build.log:Tests failed : 3
-/var/lib/mock/scl56el7x/build.log:Tests failed : 0
+/var/lib/mock/scl56el7x/build.log:Tests failed : 1
/var/lib/mock/scl56el8x/build.log:Tests failed : 28
-/var/lib/mock/scl56fc28x/build.log:Tests failed : 1
/var/lib/mock/scl56fc29x/build.log:Tests failed : 3
/var/lib/mock/scl56fc30x/build.log:Tests failed : 3
+/var/lib/mock/scl56fc31x/build.log:Tests failed : 3
el6x:
3 Bug #65538: SSL context "cafile" disallows URL stream wrappers [ext/openssl/tests/bug65538_002.phpt]
3 gethostbyname() function - basic return valid ip address test [ext/standard/tests/network/gethostbyname_error004.phpt]
3 getmxrr() test [ext/standard/tests/network/getmxrr.phpt]
-fc28x, fc29x, fc30x:
+el7x:
+ 2 Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt]
+fc29x, fc30x, fc31x:
2 substr_compare() [ext/standard/tests/strings/substr_compare.phpt]
-fc29x, fc30x:
openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
diff --git a/php-bug75457.patch b/php-bug75457.patch
new file mode 100644
index 0000000..88a1061
--- /dev/null
+++ b/php-bug75457.patch
@@ -0,0 +1,86 @@
+From 582128d6b5acdef94752cc4ea4a049497067bb38 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 16 Aug 2019 14:29:19 +0200
+Subject: [PATCH 1/3] Fix #75457: heap-use-after-free in php7.0.25
+
+Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
+
+(cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9)
+---
+ ext/pcre/pcrelib/pcre_compile.c | 11 ++++++++++-
+ ext/pcre/tests/bug75457.phpt | 10 ++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pcre/tests/bug75457.phpt
+
+diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
+index c9171cbee9..1d37671635 100644
+--- a/ext/pcre/pcrelib/pcre_compile.c
++++ b/ext/pcre/pcrelib/pcre_compile.c
+@@ -485,7 +485,7 @@ static const char error_texts[] =
+ "lookbehind assertion is not fixed length\0"
+ "malformed number or name after (?(\0"
+ "conditional group contains more than two branches\0"
+- "assertion expected after (?(\0"
++ "assertion expected after (?( or (?(?C)\0"
+ "(?R or (?[+-]digits must be followed by )\0"
+ /* 30 */
+ "unknown POSIX class name\0"
+@@ -6734,6 +6734,15 @@ for (;; ptr++)
+ for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
+ if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
+ tempptr += i + 1;
++
++ /* tempptr should now be pointing to the opening parenthesis of the
++ assertion condition. */
++
++ if (*tempptr != CHAR_LEFT_PARENTHESIS)
++ {
++ *errorcodeptr = ERR28;
++ goto FAILED;
++ }
+ }
+
+ /* For conditions that are assertions, check the syntax, and then exit
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+new file mode 100644
+index 0000000000..c7ce9ed0f9
+--- /dev/null
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #75457 (heap-use-after-free in php7.0.25)
++--FILE--
++<?php
++$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
++var_dump(preg_match($pattern, "hello"));
++?>
++--EXPECTF--
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++bool(false)
+--
+2.20.1
+
+From b781eb2900cc0d74e385e704711a0002a9ecc8cb Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:34:48 +0200
+Subject: [PATCH] relax test, offset may be different on various system lib
+ versions
+
+---
+ ext/pcre/tests/bug75457.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+index c7ce9ed0f9..571a4bde77 100644
+--- a/ext/pcre/tests/bug75457.phpt
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -6,5 +6,5 @@ $pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
+ var_dump(preg_match($pattern, "hello"));
+ ?>
+ --EXPECTF--
+-Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset %d in %sbug75457.php on line %d
+ bool(false)
+--
+2.20.1
+
diff --git a/php-bug78380.patch b/php-bug78380.patch
new file mode 100644
index 0000000..4d7db35
--- /dev/null
+++ b/php-bug78380.patch
@@ -0,0 +1,78 @@
+From 8cc1b123b05c51442b9a4fc4ea61d7719ee96e0e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 24 Aug 2019 23:11:45 -0700
+Subject: [PATCH 2/3] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
+
+(cherry picked from commit 1258303e66d8dede4f02347334b9f6576e98a21b)
+---
+ ext/mbstring/oniguruma/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/mbstring/oniguruma/regext.c b/ext/mbstring/oniguruma/regext.c
+index b1b957b40c..b108e638c6 100644
+--- a/ext/mbstring/oniguruma/regext.c
++++ b/ext/mbstring/oniguruma/regext.c
+@@ -29,6 +29,7 @@
+
+ #include "regint.h"
+
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+
+ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+ if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+
+ if (ci->pattern_enc != ci->target_enc) {
+- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+- &cpat, &cpat_end);
+- if (r) return r;
++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
+ else {
+ cpat = (UChar* )pattern;
+--
+2.20.1
+
+From b0aa68eade0d15274465136a6d6b84edd8ab6e4b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:06:50 +0200
+Subject: [PATCH 3/3] NEWS
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5039cdf59d..cb7919bafc 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.32
++
++- mbstring:
++ . Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe) (stas)
++
++- pcre:
++ . Fixed bug #75457 (heap use-after-free in pcrelib) (cmb)
++
+ Backported from 7.1.31
+
+ - EXIF:
+--
+2.20.1
+
diff --git a/php.spec b/php.spec
index 98c6afd..9064849 100644
--- a/php.spec
+++ b/php.spec
@@ -142,7 +142,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 12%{?dist}
+Release: 13%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -220,6 +220,8 @@ Patch221: php-bug77967.patch
Patch222: php-bug78222.patch
Patch223: php-bug78256.patch
Patch224: php-bug77919.patch
+Patch225: php-bug75457.patch
+Patch226: php-bug78380.patch
# Fixes for tests (300+)
@@ -967,6 +969,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch222 -p1 -b .bug78222
%patch223 -p1 -b .bug78256
%patch224 -p1 -b .bug77919
+%patch225 -p1 -b .bug75457
+%patch226 -p1 -b .bug78380
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1912,6 +1916,12 @@ EOF
%changelog
+* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 5.6.40-13
+- mbstring:
+ Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe
+- pcre:
+ Fix #75457 heap use-after-free in pcrelib
+
* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12
- exif:
Fix #78256 heap-buffer-overflow on exif_process_user_comment