diff options
| author | Remi Collet <remi@remirepo.net> | 2020-02-18 07:32:53 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2020-02-18 07:32:53 +0100 |
| commit | 4f475d8871cad5efb7d7a6d04e31df8b7c1048db (patch) | |
| tree | 2d860df909936e86335b5691fa148a081f76c591 /php-bug79082.patch | |
| parent | 3d971fc1bdd27c528c245732809ff69d9f6d4e7e (diff) | |
dom:
Fix #77569 Write Access Violation in DomImplementation
phar:
Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
CVE-2020-7063
session:
Fix #79221 Null Pointer Dereference in PHP Session Upload Progress
CVE-2020-7062
Diffstat (limited to 'php-bug79082.patch')
| -rw-r--r-- | php-bug79082.patch | 146 |
1 files changed, 146 insertions, 0 deletions
diff --git a/php-bug79082.patch b/php-bug79082.patch new file mode 100644 index 0000000..5ad894a --- /dev/null +++ b/php-bug79082.patch @@ -0,0 +1,146 @@ +From d1b4f9477f43c55cfb631e7c60d5b3568bdc889c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 15 Feb 2020 22:17:14 -0800 +Subject: [PATCH] Fix bug #79082 - Files added to tar with + Phar::buildFromIterator have all-access permissions + +(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6) +--- + ext/phar/phar_object.c | 11 +++++ + ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++ + ext/phar/tests/test79082/test79082-testfile | 1 + + ext/phar/tests/test79082/test79082-testfile2 | 1 + + 4 files changed, 65 insertions(+) + create mode 100644 ext/phar/tests/bug79082.phpt + create mode 100644 ext/phar/tests/test79082/test79082-testfile + create mode 100644 ext/phar/tests/test79082/test79082-testfile2 + +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index c1ba97a195..b22a6acf90 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -1439,6 +1439,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ + char *str_key; + zend_class_entry *ce = p_obj->c; + phar_archive_object *phar_obj = p_obj->p; ++ php_stream_statbuf ssb; + + value = iter->funcs->get_current_data(iter); + +@@ -1718,6 +1719,16 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ + php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len); + data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize = + php_stream_tell(p_obj->fp) - data->internal_file->offset; ++ if (php_stream_stat(fp, &ssb) != -1) { ++ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ; ++ } else { ++#ifndef _WIN32 ++ mode_t mask; ++ mask = umask(0); ++ umask(mask); ++ data->internal_file->flags &= ~mask; ++#endif ++ } + } + + if (close_fp) { +diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt +new file mode 100644 +index 0000000000..ca453d1b57 +--- /dev/null ++++ b/ext/phar/tests/bug79082.phpt +@@ -0,0 +1,52 @@ ++--TEST-- ++Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions ++--SKIPIF-- ++<?php ++if (!extension_loaded("phar")) die("skip"); ++if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows") ++?> ++--FILE-- ++<?php ++umask(022); ++var_dump(decoct(umask())); ++chmod(__DIR__ . '/test79082/test79082-testfile', 0644); ++chmod(__DIR__ . '/test79082/test79082-testfile2', 0400); ++ ++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) { ++ clearstatcache(); ++ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode); ++ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082'); ++ $phar->extractTo(__DIR__); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode'])); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode'])); ++ unlink(__DIR__ . '/test79082-testfile'); ++ unlink(__DIR__ . '/test79082-testfile2'); ++} ++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) { ++ clearstatcache(); ++ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode); ++ $phar->buildFromDirectory(__DIR__ . '/test79082'); ++ $phar->extractTo(__DIR__); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode'])); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode'])); ++ unlink(__DIR__ . '/test79082-testfile'); ++ unlink(__DIR__ . '/test79082-testfile2'); ++} ++?> ++--CLEAN-- ++<? ++unlink(__DIR__ . '/test79082.tar'); ++unlink(__DIR__ . '/test79082.zip'); ++unlink(__DIR__ . '/test79082-d.tar'); ++unlink(__DIR__ . '/test79082-d.zip'); ++?> ++--EXPECT-- ++string(2) "22" ++string(6) "100644" ++string(6) "100400" ++string(6) "100644" ++string(6) "100400" ++string(6) "100644" ++string(6) "100400" ++string(6) "100644" ++string(6) "100400" +diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile +new file mode 100644 +index 0000000000..9daeafb986 +--- /dev/null ++++ b/ext/phar/tests/test79082/test79082-testfile +@@ -0,0 +1 @@ ++test +diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2 +new file mode 100644 +index 0000000000..9daeafb986 +--- /dev/null ++++ b/ext/phar/tests/test79082/test79082-testfile2 +@@ -0,0 +1 @@ ++test +From f59b90d7c7d5b593fdde3fda1195490125d0f170 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 18 Feb 2020 06:34:16 +0100 +Subject: [PATCH] NEWS + +--- + NEWS | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/NEWS b/NEWS +index 7e220aae24..4233a530c1 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,14 @@ Backported from 7.2.28 + . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita, + cmb) + ++- Phar: ++ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have ++ all-access permissions). (CVE-2020-7063) (stas) ++ ++- Session: ++ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). ++ (CVE-2020-7062) (stas) ++ + Backported from 7.2.27 + + - Mbstring: |