author | Remi Collet <remi@remirepo.net> | 2020-01-21 10:15:12 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-01-21 10:15:12 +0100 |
commit | 0f719845b87cb975effba75cf49b2c84cf5f28a1 (patch) | |
tree | 90779ec988fc5224bddabc45d69b3a291aaa8b3c /php-bug79091.patch | |
parent | 9d0e088bae4b092768b2779b9f82cac349cb80e2 (diff) |
mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
CVE-2020-7060
session:
Fix #79091 heap use-after-free in session_create_id
standard:
Fix #79099 OOB read in php_strip_tags_ex
CVE-2020-7059
Diffstat (limited to 'php-bug79091.patch')
-rw-r--r-- | php-bug79091.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/php-bug79091.patch b/php-bug79091.patch
new file mode 100644
index 0000000..ad3a5cc
--- /dev/null
+++ b/php-bug79091.patch
@@ -0,0 +1,99 @@
+From 35c8a53c098cd828413a80ed7964146d50161c6c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 20 Jan 2020 18:05:00 +0100
+Subject: [PATCH] Fix #79091: heap use-after-free in session_create_id()
+
+If the `new_id` is released, we must not use it again.
+
+(cherry picked from commit f79c7742746907d676989cb7f97fb4f7cd26789f)
+---
+ ext/session/session.c | 1 +
+ ext/session/tests/bug79091.phpt | 67 +++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 ext/session/tests/bug79091.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index 8d60ac249a..44ecb85f74 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -2049,6 +2049,7 @@ static PHP_FUNCTION(session_create_id)
+ /* Detect collision and retry */
+ if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) {
+ zend_string_release(new_id);
++ new_id = NULL;
+ continue;
+ }
+ break;
+diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt
+new file mode 100644
+index 0000000000..1d14427159
+--- /dev/null
++++ b/ext/session/tests/bug79091.phpt
+@@ -0,0 +1,67 @@
++--TEST--
++Bug #79091 (heap use-after-free in session_create_id())
++--SKIPIF--
++<?php
++if (!extension_loaded('session')) die('skip session extension not available');
++?>
++--FILE--
++<?php
++class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
++{
++ public function close()
++ {
++ return true;
++ }
++
++ public function destroy($session_id)
++ {
++ return true;
++ }
++
++ public function gc($maxlifetime)
++ {
++ return true;
++ }
++
++ public function open($save_path, $session_name)
++ {
++ return true;
++ }
++
++ public function read($session_id)
++ {
++ return '';
++ }
++
++ public function write($session_id, $session_data)
++ {
++ return true;
++ }
++
++ public function create_sid()
++ {
++ return uniqid();
++ }
++
++ public function updateTimestamp($key, $val)
++ {
++ return true;
++ }
++
++ public function validateId($key)
++ {
++ return false;
++ }
++}
++
++ob_start();
++var_dump(session_set_save_handler(new MySessionHandler()));
++var_dump(session_start());
++ob_flush();
++session_create_id();
++?>
++--EXPECTF--
++bool(true)
++bool(true)
++
++Warning: session_create_id(): Failed to create new ID in %s on line %d |
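Review bot: The added `new_id = NULL;` in the ext/session/session.c hunk has no comment saying why the pointer is cleared, and the reason is not visible in the hunk: the loop can leave its last retry with `new_id` already released, so the code after the loop must see NULL, not a dangling pointer. I would add `/* released above; clear it so code after the retry loop cannot reuse the freed string */` on the line before the assignment. The warning expected by bug79091.phpt suggests the post-loop code already tests `new_id` for NULL, but that code and the rest of session_create_id lie outside the hunk, so this should be confirmed there. The test's `validateId()` always returns false, so it covers only the case where every retry fails.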