diff options
| -rw-r--r-- | failed.txt | 2 | ||||
| -rw-r--r-- | php-cve-2025-14178.patch | 92 | ||||
| -rw-r--r-- | php-fpm.service | 2 | ||||
| -rw-r--r-- | php.spec | 25 |
4 files changed, 103 insertions, 18 deletions
@@ -1,4 +1,4 @@ -===== 7.3.33-18 (2024-11-28) +===== 7.3.33-19 (2026-02-17) $ grep -ar 'Tests failed' /var/lib/mock/*/build.log diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch new file mode 100644 index 0000000..8376a85 --- /dev/null +++ b/php-cve-2025-14178.patch @@ -0,0 +1,92 @@ +From d8f3aac707341374fa8bffc90b76c0c8b0f6d1b0 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Sun, 9 Nov 2025 13:23:11 +0100 +Subject: [PATCH 1/2] Fix GHSA-h96m-rvf9-jgm2 + +(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415) +(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2) +(cherry picked from commit 84b83e2979bad57618528d4e669636117022f37c) +--- + ext/standard/array.c | 7 ++++++- + .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt + +diff --git a/ext/standard/array.c b/ext/standard/array.c +index 09c3a9f256..fd92ef0e8d 100644 +--- a/ext/standard/array.c ++++ b/ext/standard/array.c +@@ -3778,7 +3778,7 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE + } else { + zval *src_entry; + HashTable *src, *dest; +- uint32_t count = 0; ++ uint64_t count = 0; + + for (i = 0; i < argc; i++) { + zval *arg = args + i; +@@ -3790,6 +3790,11 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE + count += zend_hash_num_elements(Z_ARRVAL_P(arg)); + } + ++ if (UNEXPECTED(count >= HT_MAX_SIZE)) { ++ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE); ++ return; ++ } ++ + arg = args; + src = Z_ARRVAL_P(arg); + /* copy first array */ +diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +new file mode 100644 +index 0000000000..2e3e85357e +--- /dev/null ++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++GHSA-h96m-rvf9-jgm2 ++--FILE-- ++<?php ++ ++$power = 20; // Chosen to be well within a memory_limit ++$arr = range(0, 2**$power); ++try { ++ array_merge(...array_fill(0, 2**(32-$power), $arr)); ++} catch (Error $e) { ++ echo $e->getMessage(), "\n"; ++} ++ ++?> ++--EXPECTF-- ++The total number of elements must be lower than %d +-- +2.53.0 + +From 143f4339e80c13ffa1b11aae7f629807c9442edc Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 17 Feb 2026 15:48:22 +0100 +Subject: [PATCH 2/2] NEWS + +--- + NEWS | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/NEWS b/NEWS +index 342c184c30..464f4b55f4 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,11 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.34 ++ ++ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). ++ (CVE-2025-14178) (ndossche) ++ + Backported from 8.1.31 + + - CLI: +-- +2.53.0 + diff --git a/php-fpm.service b/php-fpm.service index 687dfc0..0712a11 100644 --- a/php-fpm.service +++ b/php-fpm.service @@ -4,7 +4,7 @@ [Unit] Description=The PHP FastCGI Process Manager -After=syslog.target network.target +After=network.target [Service] Type=notify @@ -55,17 +55,10 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) -%ifarch aarch64 -%global oraclever 19.24 -%global oraclemax 20 -%global oraclelib 19.1 -%global oracledir 19.24 -%else -%global oraclever 23.6 +%global oraclever 23.26.1 %global oraclemax 24 %global oraclelib 23.1 %global oracledir 23 -%endif # Build for LiteSpeed Web Server (LSAPI) %global with_lsws 1 @@ -135,7 +128,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 18%{?dist} +Release: 19%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -231,6 +224,7 @@ Patch220: php-cve-2024-8932.patch Patch221: php-cve-2024-11233.patch Patch222: php-ghsa-4w77-75f9-2c8w.patch Patch223: php-cve-2024-8929.patch +Patch224: php-cve-2025-14178.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -667,14 +661,7 @@ Summary: A module for PHP applications that use OCI8 databases Group: Development/Languages # All files licensed under PHP version 3.01 License: PHP -%ifarch aarch64 -BuildRequires: oracle-instantclient%{oraclever}-devel -# Should requires libclntsh.so.19.1()(aarch-64), but it's not provided by Oracle RPM. -Requires: libclntsh.so.%{oraclelib} -AutoReq: 0 -%else BuildRequires: (oracle-instantclient-devel >= %{oraclever} with oracle-instantclient-devel < %{oraclemax}) -%endif Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} Provides: %{?scl_prefix}php_database Provides: %{?scl_prefix}php-pdo_oci @@ -1034,6 +1021,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch -P221 -p1 -b .cve11233 %patch -P222 -p1 -b .ghsa4w77 %patch -P223 -p1 -b .cve8929 +%patch -P224 -p1 -b .cve14178 # Fixes for tests %patch -P300 -p1 -b .datetests @@ -1993,6 +1981,11 @@ EOF %changelog +* Tue Feb 17 2026 Remi Collet <remi@remirepo.net> - 7.3.33-19 +- Fix Heap buffer overflow in array_merge() + CVE-2025-14178 +- use oracle client library version 23.26 on x86_64 and aarch64 + * Wed Nov 27 2024 Remi Collet <remi@remirepo.net> - 7.3.33-18 - Fix Leak partial content of the heap through heap buffer over-read CVE-2024-8929 |