From e1a245a0066008cda88f910f2b84e33dbc4c9b61 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Wed, 13 Nov 2024 08:22:31 +0100
Subject: rename patches
---
 php-bug81740.patch | 84 ---------------------
 php-bug81744.patch | 188 ----------------------------------------------
 php-bug81746.patch | 98 ------------------------
 php-cve-2022-31631.patch | 84 +++++++++++++++++++++
 php-cve-2023-0567.patch | 188 +++++++++++++++++++++++++++++++++++++++++++++++
 php-cve-2023-0568.patch | 98 ++++++++++++++++++++++++
 php.spec | 14 ++--
 7 files changed, 377 insertions(+), 377 deletions(-)
 delete mode 100644 php-bug81740.patch
 delete mode 100644 php-bug81744.patch
 delete mode 100644 php-bug81746.patch
 create mode 100644 php-cve-2022-31631.patch
 create mode 100644 php-cve-2023-0567.patch
 create mode 100644 php-cve-2023-0568.patch
diff --git a/php-bug81740.patch b/php-bug81740.patch
deleted file mode 100644
index 4826efc..0000000
--- a/php-bug81740.patch
+++ /dev/null
@@ -1,84 +0,0 @@ -From 7cb160efe19d3dfb8b92629805733ea186b55050 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Mon, 31 Oct 2022 17:20:23 +0100 -Subject: [PATCH 1/2] Fix #81740: PDO::quote() may return unquoted string - -`sqlite3_snprintf()` expects its first parameter to be `int`; we need -to avoid overflow. - -(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba) ---- - ext/pdo_sqlite/sqlite_driver.c | 3 +++ - ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++ - 2 files changed, 20 insertions(+) - create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt - -diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c -index 0595bd09feb..54f9d05e1e2 100644 ---- a/ext/pdo_sqlite/sqlite_driver.c -+++ b/ext/pdo_sqlite/sqlite_driver.c -@@ -233,6 +233,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t - /* NB: doesn't handle binary strings... use prepared stmts for that */ - static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype ) - { -+ if (unquotedlen > (INT_MAX - 3) / 2) { -+ return 0; -+ } - *quoted = safe_emalloc(2, unquotedlen, 3); - sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted); - *quotedlen = strlen(*quoted); -diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt -new file mode 100644 -index 00000000000..99fb07c3048 ---- /dev/null -+++ b/ext/pdo_sqlite/tests/bug81740.phpt -@@ -0,0 +1,17 @@ -+--TEST-- -+Bug #81740 (PDO::quote() may return unquoted string) -+--SKIPIF-- -+ -+--INI-- -+memory_limit=-1 -+--FILE-- -+quote($string)); -+?> -+--EXPECT-- -+bool(false) --- -2.38.1 - -From 7328f3a0344806b846bd05657bdce96e47810bf0 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 19 Dec 2022 09:24:02 +0100 -Subject: [PATCH 2/2] NEWS - ---- - NEWS | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/NEWS b/NEWS -index 
8a8c0c9285d..03e8c839c77 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,5 +1,12 @@ - PHP NEWS - ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -+ -+Backported from 8.0.27 -+ -+- PDO/SQLite: -+ . Fixed bug #81740 (PDO::quote() may return unquoted string). -+ (CVE-2022-31631) (cmb) -+ - 03 Nov 2022, PHP 7.4.33 - - - GD: --- -2.38.1 - diff --git a/php-bug81744.patch b/php-bug81744.patch deleted file mode 100644 index 62296ce..0000000 --- a/php-bug81744.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -From 7437aaae38cf4b3357e7580f9e22fd4a403b6c23 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= -Date: Mon, 23 Jan 2023 21:15:24 +0100 -Subject: [PATCH 1/7] crypt: Fix validation of malformed BCrypt hashes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -PHP’s implementation of crypt_blowfish differs from the upstream Openwall -version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt -by including a `$` character within the characters that represent the salt. - -Hashes that are affected by the “PHP Hack” may erroneously validate any -password as valid when used with `password_verify` and when comparing the -return value of `crypt()` against the input. - -The PHP Hack exists since the first version of PHP’s own crypt_blowfish -implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5. - -No clear reason is given for the PHP Hack’s existence. This commit removes it, -because BCrypt hashes containing a `$` character in their salt are not valid -BCrypt hashes. 
- -(cherry picked from commit c840f71524067aa474c00c3eacfb83bd860bfc8a) ---- - ext/standard/crypt_blowfish.c | 8 -- - .../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++ - 2 files changed, 82 insertions(+), 8 deletions(-) - create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt - -diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c -index c1f945f29ed..aa7e1bc2e68 100644 ---- a/ext/standard/crypt_blowfish.c -+++ b/ext/standard/crypt_blowfish.c -@@ -376,7 +376,6 @@ static unsigned char BF_atoi64[0x60] = { - #define BF_safe_atoi64(dst, src) \ - { \ - tmp = (unsigned char)(src); \ -- if (tmp == '$') break; /* PHP hack */ \ - if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ - tmp = BF_atoi64[tmp]; \ - if (tmp > 63) return -1; \ -@@ -404,13 +403,6 @@ static int BF_decode(BF_word *dst, const char *src, int size) - *dptr++ = ((c3 & 0x03) << 6) | c4; - } while (dptr < end); - -- if (end - dptr == size) { -- return -1; -- } -- -- while (dptr < end) /* PHP hack */ -- *dptr++ = 0; -- - return 0; - } - -diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt -new file mode 100644 -index 00000000000..32e335f4b08 ---- /dev/null -+++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt -@@ -0,0 +1,82 @@ -+--TEST-- -+bcrypt correctly rejects salts containing $ -+--FILE-- -+ -+--EXPECT-- -+string(8) "$2y$04$$" -+string(2) "*0" -+bool(false) -+string(9) "$2y$04$0$" -+string(2) "*0" -+bool(false) -+string(10) "$2y$04$00$" -+string(2) "*0" -+bool(false) -+string(11) "$2y$04$000$" -+string(2) "*0" -+bool(false) -+string(12) "$2y$04$0000$" -+string(2) "*0" -+bool(false) -+string(13) "$2y$04$00000$" -+string(2) "*0" -+bool(false) -+string(14) "$2y$04$000000$" -+string(2) "*0" -+bool(false) -+string(15) "$2y$04$0000000$" -+string(2) "*0" -+bool(false) -+string(16) "$2y$04$00000000$" -+string(2) "*0" -+bool(false) -+string(17) "$2y$04$000000000$" -+string(2) "*0" -+bool(false) 
-+string(18) "$2y$04$0000000000$" -+string(2) "*0" -+bool(false) -+string(19) "$2y$04$00000000000$" -+string(2) "*0" -+bool(false) -+string(20) "$2y$04$000000000000$" -+string(2) "*0" -+bool(false) -+string(21) "$2y$04$0000000000000$" -+string(2) "*0" -+bool(false) -+string(22) "$2y$04$00000000000000$" -+string(2) "*0" -+bool(false) -+string(23) "$2y$04$000000000000000$" -+string(2) "*0" -+bool(false) -+string(24) "$2y$04$0000000000000000$" -+string(2) "*0" -+bool(false) -+string(25) "$2y$04$00000000000000000$" -+string(2) "*0" -+bool(false) -+string(26) "$2y$04$000000000000000000$" -+string(2) "*0" -+bool(false) -+string(27) "$2y$04$0000000000000000000$" -+string(2) "*0" -+bool(false) -+string(28) "$2y$04$00000000000000000000$" -+string(2) "*0" -+bool(false) -+string(29) "$2y$04$000000000000000000000$" -+string(2) "*0" -+bool(false) -+string(30) "$2y$04$0000000000000000000000$" -+string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K" -+bool(false) --- -2.39.1 - -From ed0281b588a6840cb95f3134a4e68847a3be5bb7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= -Date: Mon, 23 Jan 2023 22:13:57 +0100 -Subject: [PATCH 2/7] crypt: Fix possible buffer overread in php_crypt() - -(cherry picked from commit a92acbad873a05470af1a47cb785a18eadd827b5) ---- - ext/standard/crypt.c | 1 + - ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++ - 2 files changed, 9 insertions(+) - create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt - -diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c -index 92430b69f77..04487f3fe5a 100644 ---- a/ext/standard/crypt.c -+++ b/ext/standard/crypt.c -@@ -151,6 +151,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch - } else if ( - salt[0] == '$' && - salt[1] == '2' && -+ salt[2] != 0 && - salt[3] == '$') { - char output[PHP_MAX_SALT_LEN + 1]; - -diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt 
b/ext/standard/tests/password/password_bcrypt_short.phpt -new file mode 100644 -index 00000000000..085bc8a2390 ---- /dev/null -+++ b/ext/standard/tests/password/password_bcrypt_short.phpt -@@ -0,0 +1,8 @@ -+--TEST-- -+Test that password_hash() does not overread buffers when a short hash is passed -+--FILE-- -+ -+--EXPECT-- -+bool(false) --- -2.39.1 - diff --git a/php-bug81746.patch b/php-bug81746.patch deleted file mode 100644 index 6e2ba19..0000000 --- a/php-bug81746.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 887cd0710ad856a0d22c329b6ea6c71ebd8621ae Mon Sep 17 00:00:00 2001 -From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> -Date: Fri, 27 Jan 2023 19:28:27 +0100 -Subject: [PATCH 3/7] Fix array overrun when appending slash to paths - -Fix it by extending the array sizes by one character. As the input is -limited to the maximum path length, there will always be place to append -the slash. As the php_check_specific_open_basedir() simply uses the -strings to compare against each other, no new failures related to too -long paths are introduced. -We'll let the DOM and XML case handle a potentially too long path in the -library code. - -(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953) ---- - ext/dom/document.c | 2 +- - ext/xmlreader/php_xmlreader.c | 2 +- - main/fopen_wrappers.c | 6 +++--- - 3 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ext/dom/document.c b/ext/dom/document.c -index b478e1a1aab..e683eb8f701 100644 ---- a/ext/dom/document.c -+++ b/ext/dom/document.c -@@ -1380,7 +1380,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so - int validate, recover, resolve_externals, keep_blanks, substitute_ent; - int resolved_path_len; - int old_error_reporting = 0; -- char *directory=NULL, resolved_path[MAXPATHLEN]; -+ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; - - if (id != NULL) { - intern = Z_DOMOBJ_P(id); -diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c -index 06f569949ce..ecc81ad1470 100644 ---- a/ext/xmlreader/php_xmlreader.c -+++ b/ext/xmlreader/php_xmlreader.c -@@ -1038,7 +1038,7 @@ PHP_METHOD(xmlreader, XML) - xmlreader_object *intern = NULL; - char *source, *uri = NULL, *encoding = NULL; - int resolved_path_len, ret = 0; -- char *directory=NULL, resolved_path[MAXPATHLEN]; -+ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; - xmlParserInputBufferPtr inputbfr; - xmlTextReaderPtr reader; - -diff --git a/main/fopen_wrappers.c 
b/main/fopen_wrappers.c -index 27135020fa3..90de040a218 100644 ---- a/main/fopen_wrappers.c -+++ b/main/fopen_wrappers.c -@@ -138,10 +138,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir) - */ - PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path) - { -- char resolved_name[MAXPATHLEN]; -- char resolved_basedir[MAXPATHLEN]; -+ char resolved_name[MAXPATHLEN + 1]; -+ char resolved_basedir[MAXPATHLEN + 1]; - char local_open_basedir[MAXPATHLEN]; -- char path_tmp[MAXPATHLEN]; -+ char path_tmp[MAXPATHLEN + 1]; - char *path_file; - size_t resolved_basedir_len; - size_t resolved_name_len; --- -2.39.1 - -From 614468ce4056c0ef93aae09532dcffdf65b594b5 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 13 Feb 2023 11:46:47 +0100 -Subject: [PATCH 4/7] NEWS - ---- - NEWS | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/NEWS b/NEWS -index 03e8c839c77..8157a20d4b3 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,6 +1,14 @@ - PHP NEWS - ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| - -+Backported from 8.0.28 -+ -+- Core: -+ . Fixed bug #81744 (Password_verify() always return true with some hash). -+ (CVE-2023-0567). (Tim Düsterhus) -+ . Fixed bug #81746 (1-byte array overrun in common path resolve code). -+ (CVE-2023-0568). (Niels Dossche) -+ - Backported from 8.0.27 - - - PDO/SQLite: --- -2.39.1 - diff --git a/php-cve-2022-31631.patch b/php-cve-2022-31631.patch new file mode 100644 index 0000000..4826efc --- /dev/null +++ b/php-cve-2022-31631.patch 
@@ -0,0 +1,84 @@ +From 7cb160efe19d3dfb8b92629805733ea186b55050 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 31 Oct 2022 17:20:23 +0100 +Subject: [PATCH 1/2] Fix #81740: PDO::quote() may return unquoted string + +`sqlite3_snprintf()` expects its first parameter to be `int`; we need +to avoid overflow. + +(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba) +--- + ext/pdo_sqlite/sqlite_driver.c | 3 +++ + ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++ + 2 files changed, 20 insertions(+) + create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt + +diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c +index 0595bd09feb..54f9d05e1e2 100644 +--- a/ext/pdo_sqlite/sqlite_driver.c ++++ b/ext/pdo_sqlite/sqlite_driver.c +@@ -233,6 +233,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t + /* NB: doesn't handle binary strings... use prepared stmts for that */ + static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype ) + { ++ if (unquotedlen > (INT_MAX - 3) / 2) { ++ return 0; ++ } + *quoted = safe_emalloc(2, unquotedlen, 3); + sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted); + *quotedlen = strlen(*quoted); +diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt +new file mode 100644 +index 00000000000..99fb07c3048 +--- /dev/null ++++ b/ext/pdo_sqlite/tests/bug81740.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #81740 (PDO::quote() may return unquoted string) ++--SKIPIF-- ++ ++--INI-- ++memory_limit=-1 ++--FILE-- ++quote($string)); ++?> ++--EXPECT-- ++bool(false) +-- +2.38.1 + +From 7328f3a0344806b846bd05657bdce96e47810bf0 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 19 Dec 2022 09:24:02 +0100 +Subject: [PATCH 2/2] NEWS + +--- + NEWS | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/NEWS b/NEWS +index 
8a8c0c9285d..03e8c839c77 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ++ ++Backported from 8.0.27 ++ ++- PDO/SQLite: ++ . Fixed bug #81740 (PDO::quote() may return unquoted string). ++ (CVE-2022-31631) (cmb) ++ + 03 Nov 2022, PHP 7.4.33 + + - GD: +-- +2.38.1 + diff --git a/php-cve-2023-0567.patch b/php-cve-2023-0567.patch new file mode 100644 index 0000000..62296ce --- /dev/null +++ b/php-cve-2023-0567.patch 
@@ -0,0 +1,188 @@ +From 7437aaae38cf4b3357e7580f9e22fd4a403b6c23 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= +Date: Mon, 23 Jan 2023 21:15:24 +0100 +Subject: [PATCH 1/7] crypt: Fix validation of malformed BCrypt hashes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PHP’s implementation of crypt_blowfish differs from the upstream Openwall +version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt +by including a `$` character within the characters that represent the salt. + +Hashes that are affected by the “PHP Hack” may erroneously validate any +password as valid when used with `password_verify` and when comparing the +return value of `crypt()` against the input. + +The PHP Hack exists since the first version of PHP’s own crypt_blowfish +implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5. + +No clear reason is given for the PHP Hack’s existence. This commit removes it, +because BCrypt hashes containing a `$` character in their salt are not valid +BCrypt hashes. 
+ +(cherry picked from commit c840f71524067aa474c00c3eacfb83bd860bfc8a) +--- + ext/standard/crypt_blowfish.c | 8 -- + .../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++ + 2 files changed, 82 insertions(+), 8 deletions(-) + create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt + +diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c +index c1f945f29ed..aa7e1bc2e68 100644 +--- a/ext/standard/crypt_blowfish.c ++++ b/ext/standard/crypt_blowfish.c +@@ -376,7 +376,6 @@ static unsigned char BF_atoi64[0x60] = { + #define BF_safe_atoi64(dst, src) \ + { \ + tmp = (unsigned char)(src); \ +- if (tmp == '$') break; /* PHP hack */ \ + if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ + tmp = BF_atoi64[tmp]; \ + if (tmp > 63) return -1; \ +@@ -404,13 +403,6 @@ static int BF_decode(BF_word *dst, const char *src, int size) + *dptr++ = ((c3 & 0x03) << 6) | c4; + } while (dptr < end); + +- if (end - dptr == size) { +- return -1; +- } +- +- while (dptr < end) /* PHP hack */ +- *dptr++ = 0; +- + return 0; + } + +diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt +new file mode 100644 +index 00000000000..32e335f4b08 +--- /dev/null ++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt +@@ -0,0 +1,82 @@ ++--TEST-- ++bcrypt correctly rejects salts containing $ ++--FILE-- ++ ++--EXPECT-- ++string(8) "$2y$04$$" ++string(2) "*0" ++bool(false) ++string(9) "$2y$04$0$" ++string(2) "*0" ++bool(false) ++string(10) "$2y$04$00$" ++string(2) "*0" ++bool(false) ++string(11) "$2y$04$000$" ++string(2) "*0" ++bool(false) ++string(12) "$2y$04$0000$" ++string(2) "*0" ++bool(false) ++string(13) "$2y$04$00000$" ++string(2) "*0" ++bool(false) ++string(14) "$2y$04$000000$" ++string(2) "*0" ++bool(false) ++string(15) "$2y$04$0000000$" ++string(2) "*0" ++bool(false) ++string(16) "$2y$04$00000000$" ++string(2) "*0" ++bool(false) ++string(17) "$2y$04$000000000$" ++string(2) "*0" ++bool(false) 
++string(18) "$2y$04$0000000000$" ++string(2) "*0" ++bool(false) ++string(19) "$2y$04$00000000000$" ++string(2) "*0" ++bool(false) ++string(20) "$2y$04$000000000000$" ++string(2) "*0" ++bool(false) ++string(21) "$2y$04$0000000000000$" ++string(2) "*0" ++bool(false) ++string(22) "$2y$04$00000000000000$" ++string(2) "*0" ++bool(false) ++string(23) "$2y$04$000000000000000$" ++string(2) "*0" ++bool(false) ++string(24) "$2y$04$0000000000000000$" ++string(2) "*0" ++bool(false) ++string(25) "$2y$04$00000000000000000$" ++string(2) "*0" ++bool(false) ++string(26) "$2y$04$000000000000000000$" ++string(2) "*0" ++bool(false) ++string(27) "$2y$04$0000000000000000000$" ++string(2) "*0" ++bool(false) ++string(28) "$2y$04$00000000000000000000$" ++string(2) "*0" ++bool(false) ++string(29) "$2y$04$000000000000000000000$" ++string(2) "*0" ++bool(false) ++string(30) "$2y$04$0000000000000000000000$" ++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K" ++bool(false) +-- +2.39.1 + +From ed0281b588a6840cb95f3134a4e68847a3be5bb7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= +Date: Mon, 23 Jan 2023 22:13:57 +0100 +Subject: [PATCH 2/7] crypt: Fix possible buffer overread in php_crypt() + +(cherry picked from commit a92acbad873a05470af1a47cb785a18eadd827b5) +--- + ext/standard/crypt.c | 1 + + ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++ + 2 files changed, 9 insertions(+) + create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt + +diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c +index 92430b69f77..04487f3fe5a 100644 +--- a/ext/standard/crypt.c ++++ b/ext/standard/crypt.c +@@ -151,6 +151,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch + } else if ( + salt[0] == '$' && + salt[1] == '2' && ++ salt[2] != 0 && + salt[3] == '$') { + char output[PHP_MAX_SALT_LEN + 1]; + +diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt 
b/ext/standard/tests/password/password_bcrypt_short.phpt +new file mode 100644 +index 00000000000..085bc8a2390 +--- /dev/null ++++ b/ext/standard/tests/password/password_bcrypt_short.phpt +@@ -0,0 +1,8 @@ ++--TEST-- ++Test that password_hash() does not overread buffers when a short hash is passed ++--FILE-- ++ ++--EXPECT-- ++bool(false) +-- +2.39.1 + diff --git a/php-cve-2023-0568.patch b/php-cve-2023-0568.patch new file mode 100644 index 0000000..6e2ba19 --- /dev/null +++ b/php-cve-2023-0568.patch 
@@ -0,0 +1,98 @@ +From 887cd0710ad856a0d22c329b6ea6c71ebd8621ae Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Fri, 27 Jan 2023 19:28:27 +0100 +Subject: [PATCH 3/7] Fix array overrun when appending slash to paths + +Fix it by extending the array sizes by one character. As the input is +limited to the maximum path length, there will always be place to append +the slash. As the php_check_specific_open_basedir() simply uses the +strings to compare against each other, no new failures related to too +long paths are introduced. +We'll let the DOM and XML case handle a potentially too long path in the +library code. + +(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953) +--- + ext/dom/document.c | 2 +- + ext/xmlreader/php_xmlreader.c | 2 +- + main/fopen_wrappers.c | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index b478e1a1aab..e683eb8f701 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1380,7 +1380,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so + int validate, recover, resolve_externals, keep_blanks, substitute_ent; + int resolved_path_len; + int old_error_reporting = 0; +- char *directory=NULL, resolved_path[MAXPATHLEN]; ++ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; + + if (id != NULL) { + intern = Z_DOMOBJ_P(id); +diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c +index 06f569949ce..ecc81ad1470 100644 +--- a/ext/xmlreader/php_xmlreader.c ++++ b/ext/xmlreader/php_xmlreader.c +@@ -1038,7 +1038,7 @@ PHP_METHOD(xmlreader, XML) + xmlreader_object *intern = NULL; + char *source, *uri = NULL, *encoding = NULL; + int resolved_path_len, ret = 0; +- char *directory=NULL, resolved_path[MAXPATHLEN]; ++ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; + xmlParserInputBufferPtr inputbfr; + xmlTextReaderPtr reader; + +diff --git a/main/fopen_wrappers.c 
b/main/fopen_wrappers.c +index 27135020fa3..90de040a218 100644 +--- a/main/fopen_wrappers.c ++++ b/main/fopen_wrappers.c +@@ -138,10 +138,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir) + */ + PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path) + { +- char resolved_name[MAXPATHLEN]; +- char resolved_basedir[MAXPATHLEN]; ++ char resolved_name[MAXPATHLEN + 1]; ++ char resolved_basedir[MAXPATHLEN + 1]; + char local_open_basedir[MAXPATHLEN]; +- char path_tmp[MAXPATHLEN]; ++ char path_tmp[MAXPATHLEN + 1]; + char *path_file; + size_t resolved_basedir_len; + size_t resolved_name_len; +-- +2.39.1 + +From 614468ce4056c0ef93aae09532dcffdf65b594b5 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 13 Feb 2023 11:46:47 +0100 +Subject: [PATCH 4/7] NEWS + +--- + NEWS | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/NEWS b/NEWS +index 03e8c839c77..8157a20d4b3 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,14 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.0.28 ++ ++- Core: ++ . Fixed bug #81744 (Password_verify() always return true with some hash). ++ (CVE-2023-0567). (Tim Düsterhus) ++ . Fixed bug #81746 (1-byte array overrun in common path resolve code). ++ (CVE-2023-0568). (Niels Dossche) ++ + Backported from 8.0.27 + + - PDO/SQLite: +-- +2.39.1 + diff --git a/php.spec b/php.spec index 2bd4d2e..ab1f9ba 100644 --- a/php.spec +++ b/php.spec @@ -55,7 +55,7 @@ %global oraclelib 19.1 %global oracledir 19.24 %else -%global oraclever 23.5 +%global oraclever 23.6 %global oraclemax 24 %global oraclelib 23.1 %global oracledir 23 
@@ -187,9 +187,9 @@ Patch91: php-7.2.0-oci8conf.patch
 # Upstream fixes (100+)
 # Security fixes (200+)
-Patch200: php-bug81740.patch
-Patch201: php-bug81744.patch
-Patch202: php-bug81746.patch
+Patch200: php-cve-2022-31631.patch
+Patch201: php-cve-2023-0567.patch
+Patch202: php-cve-2023-0568.patch
 Patch203: php-cve-2023-0662.patch
 Patch204: php-cve-2023-3247.patch
 Patch205: php-cve-2023-3823.patch
@@ -992,9 +992,9 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
 # upstream patches
 # security patches
-%patch -P200 -p1 -b .bug81740
-%patch -P201 -p1 -b .bug81744
-%patch -P202 -p1 -b .bug81746
+%patch -P200 -p1 -b .cve31631
+%patch -P201 -p1 -b .cve0567
+%patch -P202 -p1 -b .cve0568
 %patch -P203 -p1 -b .cve0662
 %patch -P204 -p1 -b .cve3247
 %patch -P205 -p1 -b .cve3823
-- cgit