From 2000ef9d03eec8264287a4bcbd642496fe982f2d Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 2/5] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value NULL check
Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262
(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33)
(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115)
(cherry picked from commit c21561700dcfc3304322845c2d3da028c3c73345)
(cherry picked from commit 16c2b25d363d73d72a3139e747cc9d5c8d5bef2b)
(cherry picked from commit b1bc3b191eb9ff6ca90f90572ba8fac016163fe9)
---
 ext/soap/php_encoding.c | 2 +-
 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 0f85ddde1b..40e87f238e 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2850,7 +2850,7 @@ static zval *to_zval_map(encodeTypePtr type, xmlNodePtr data TSRMLS_DC)
 }
 xmlValue = get_node(item->children, "value");
- if (!xmlKey) {
+ if (!xmlValue) {
 soap_error0(E_ERROR, "Encoding: Can't decode apache map, missing value");
 }
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 0000000000..e46ab2e460
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
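Review bot: The corrected guard `if (!xmlValue) {` in the php_encoding.c hunk has no `return` or `continue` after `soap_error0(E_ERROR, ...)`, so the code that follows is only safe if an E_ERROR raised here never returns control to this function. That is presumably how soap_error0 behaves at E_ERROR, but nothing visible in the hunk establishes it, and the sibling key check just above appears to rely on the same assumption. I would state it at the guard with a comment such as `/* soap_error0(E_ERROR) does not return, so xmlValue is non-NULL below */`, so that a later change of error level does not quietly reopen the NULL dereference. The body of to_zval_map starts and ends outside the hunk, so the later uses of xmlValue could not be checked here.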
@@ -0,0 +1,39 @@ +--TEST-- +GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value +--CREDITS-- +Ilia Alshanetsky (iliaal) +--EXTENSIONS-- +soap +--FILE-- + + + + + + + hello + + + + +XML; + +$server = new SoapServer(null, [ + 'uri' => 'urn:test', + 'typemap' => [['type_name' => 'anything']], +]); +$server->addFunction('test'); +function test($m) { return null; } +$server->handle($request); + +?> +--EXPECT-- + +SOAP-ENV:ServerSOAP-ERROR: Encoding: Can't decode apache map, missing value -- 2.54.0 From 873ac18f30679150c499b240062cf8895df7c664 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 7 May 2026 09:01:35 +0200 Subject: [PATCH 4/5] NEWS from 8.2.31 (cherry picked from commit 7dff10e9a31d469fcd436e10b06f8b2bf2758a68) (cherry picked from commit 1cbf0c27044bd54fb77de8a6bf993a7ab53892a4) (cherry picked from commit 6b9f5d1673522bb3cf5d77889919084024565c7f) (cherry picked from commit 5be222339cd6d299aa9170e6fa9edd51a5c42f39) (cherry picked from commit 8884e113e8351693eb4b5f1c58485ad0e4508d3a) (cherry picked from commit 5cf6ff5fcde53a1a941fea374b483e9ff89a9f9f) --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS b/NEWS index 24fa47ec2b..b46e2b0c5d 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,14 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +Backported from 8.2.31 + +- SOAP: + . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with + SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov) + . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). + (CVE-2026-7262) (ilutov) + Backported from 8.1.31 - CLI: -- 2.54.0