diff options
author | Remi Collet <remi@remirepo.net> | 2019-05-28 09:34:16 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-05-28 09:34:16 +0200 |
commit | e5b6444eef61226b5305c149a2f3da552ba3e771 (patch) | |
tree | b4f78cf3a29c5ac97841ebb8f68ace7978ffcf44 /php-bug77967.patch | |
parent | 73ce1409877bd5dd18289e69915ccb835b1ca4bf (diff) |
- iconv:
Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
CVE-2019-11039
- exif:
Fix #77988 Heap-buffer-overflow on php_jpg_get16
CVE-2019-11040
- sqlite3:
Fix #77967 Bypassing open_basedir restrictions via file uris
Diffstat (limited to 'php-bug77967.patch')
-rw-r--r-- | php-bug77967.patch | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/php-bug77967.patch b/php-bug77967.patch new file mode 100644 index 0000000..8d80aee --- /dev/null +++ b/php-bug77967.patch @@ -0,0 +1,71 @@ +From c7d9dee3b911ad6417a6c94dc91f7af7607b313e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 27 May 2019 18:04:00 -0700 +Subject: [PATCH] Fix bug #77967 - Bypassing open_basedir restrictions via file + uris + +(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216) +--- + NEWS | 15 +++++++++------ + ext/sqlite3/sqlite3.c | 9 +++++++++ + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/NEWS b/NEWS +index b6e18aa242..ede58a694e 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,16 +4,19 @@ PHP NEWS + Backported from 7.1.30 + + - EXIF: +- . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). +- (CVE-2019-11040) (Stas) ++ . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). ++ (CVE-2019-11040) (Stas) + + - GD: + . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). +- (CVE-2019-11038) (cmb) ++ (CVE-2019-11038) (cmb) + + - Iconv: + . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() +- due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ due to integer overflow). (CVE-2019-11039). (maris dot adam) ++ ++- SQLite: ++ . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas) + + Backported from 7.1.29 + +@@ -26,8 +29,8 @@ Backported from 7.1.28 + - EXIF: + . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034) + (Stas) +- . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). +- (CVE-2019-11035) (Stas) ++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). ++ (CVE-2019-11035) (Stas) + + - SQLite3: + . Added sqlite3.defensive INI directive. (BohwaZ) +diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c +index 5e6d9dd792..1753b27907 100644 +--- a/ext/sqlite3/sqlite3.c ++++ b/ext/sqlite3/sqlite3.c +@@ -2054,6 +2054,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar + } + #endif + ++ if (strncmp(arg3, "file:", 5) == 0) { ++ /* starts with "file:" */ ++ if (!arg3[5]) { ++ return SQLITE_DENY; ++ } ++ if (php_check_open_basedir(arg3 + 5)) { ++ return SQLITE_DENY; ++ } ++ } + if (php_check_open_basedir(arg3)) { + return SQLITE_DENY; + } |