1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
From d1b4f9477f43c55cfb631e7c60d5b3568bdc889c Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 15 Feb 2020 22:17:14 -0800
Subject: [PATCH] Fix bug #79082 - Files added to tar with
Phar::buildFromIterator have all-access permissions
(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6)
---
ext/phar/phar_object.c | 11 +++++
ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++
ext/phar/tests/test79082/test79082-testfile | 1 +
ext/phar/tests/test79082/test79082-testfile2 | 1 +
4 files changed, 65 insertions(+)
create mode 100644 ext/phar/tests/bug79082.phpt
create mode 100644 ext/phar/tests/test79082/test79082-testfile
create mode 100644 ext/phar/tests/test79082/test79082-testfile2
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index c1ba97a195..b22a6acf90 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1439,6 +1439,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
char *str_key;
zend_class_entry *ce = p_obj->c;
phar_archive_object *phar_obj = p_obj->p;
+ php_stream_statbuf ssb;
value = iter->funcs->get_current_data(iter);
@@ -1718,6 +1719,16 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
php_stream_tell(p_obj->fp) - data->internal_file->offset;
+ if (php_stream_stat(fp, &ssb) != -1) {
+ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
+ } else {
+#ifndef _WIN32
+ mode_t mask;
+ mask = umask(0);
+ umask(mask);
+ data->internal_file->flags &= ~mask;
+#endif
+ }
}
if (close_fp) {
diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
new file mode 100644
index 0000000000..ca453d1b57
--- /dev/null
+++ b/ext/phar/tests/bug79082.phpt
@@ -0,0 +1,52 @@
+--TEST--
+Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
+?>
+--FILE--
+<?php
+umask(022);
+var_dump(decoct(umask()));
+chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
+chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
+
+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
+ clearstatcache();
+ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
+ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
+ $phar->extractTo(__DIR__);
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
+ unlink(__DIR__ . '/test79082-testfile');
+ unlink(__DIR__ . '/test79082-testfile2');
+}
+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
+ clearstatcache();
+ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
+ $phar->buildFromDirectory(__DIR__ . '/test79082');
+ $phar->extractTo(__DIR__);
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
+ unlink(__DIR__ . '/test79082-testfile');
+ unlink(__DIR__ . '/test79082-testfile2');
+}
+?>
+--CLEAN--
+<?
+unlink(__DIR__ . '/test79082.tar');
+unlink(__DIR__ . '/test79082.zip');
+unlink(__DIR__ . '/test79082-d.tar');
+unlink(__DIR__ . '/test79082-d.zip');
+?>
+--EXPECT--
+string(2) "22"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
new file mode 100644
index 0000000000..9daeafb986
--- /dev/null
+++ b/ext/phar/tests/test79082/test79082-testfile
@@ -0,0 +1 @@
+test
diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
new file mode 100644
index 0000000000..9daeafb986
--- /dev/null
+++ b/ext/phar/tests/test79082/test79082-testfile2
@@ -0,0 +1 @@
+test
From f59b90d7c7d5b593fdde3fda1195490125d0f170 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 18 Feb 2020 06:34:16 +0100
Subject: [PATCH] NEWS
---
NEWS | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index 7e220aae24..4233a530c1 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,14 @@ Backported from 7.2.28
. Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita,
cmb)
+- Phar:
+ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
+ all-access permissions). (CVE-2020-7063) (stas)
+
+- Session:
+ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
+ (CVE-2020-7062) (stas)
+
Backported from 7.2.27
- Mbstring:
|