summaryrefslogtreecommitdiffstats
path: root/php-ghsa-www2-q4fc-65wf.patch
diff options
context:
space:
mode:
Diffstat (limited to 'php-ghsa-www2-q4fc-65wf.patch')
-rw-r--r--php-ghsa-www2-q4fc-65wf.patch231
1 files changed, 231 insertions, 0 deletions
diff --git a/php-ghsa-www2-q4fc-65wf.patch b/php-ghsa-www2-q4fc-65wf.patch
new file mode 100644
index 0000000..6d43dd8
--- /dev/null
+++ b/php-ghsa-www2-q4fc-65wf.patch
@@ -0,0 +1,231 @@
+From 52c5762a902e8731b7068ded027fbd780f5a1991 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 6 Sep 2025 21:55:13 +0200
+Subject: [PATCH 4/5] Fix GHSA-www2-q4fc-65wf
+
+(cherry picked from commit ed70b1ea43a9b7ffa2f53b3e5d6ba403f37ae81c)
+---
+ ext/standard/basic_functions.c | 12 ++--
+ ext/standard/dns.c | 6 +-
+ ext/standard/dns_win32.c | 6 +-
+ .../tests/network/ghsa-www2-q4fc-65wf.phpt | 62 +++++++++++++++++++
+ 4 files changed, 74 insertions(+), 12 deletions(-)
+ create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 876ef347ebf..9eba6d5a14c 100755
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -633,7 +633,7 @@ PHP_FUNCTION(inet_pton)
+ char buffer[17];
+
+ ZEND_PARSE_PARAMETERS_START(1, 1)
+- Z_PARAM_STRING(address, address_len)
++ Z_PARAM_PATH(address, address_len)
+ ZEND_PARSE_PARAMETERS_END();
+
+ memset(buffer, 0, sizeof(buffer));
+@@ -670,7 +670,7 @@ PHP_FUNCTION(ip2long)
+ #endif
+
+ ZEND_PARSE_PARAMETERS_START(1, 1)
+- Z_PARAM_STRING(addr, addr_len)
++ Z_PARAM_PATH(addr, addr_len)
+ ZEND_PARSE_PARAMETERS_END();
+
+ #ifdef HAVE_INET_PTON
+@@ -2265,8 +2265,8 @@ PHP_FUNCTION(getservbyname)
+ struct servent *serv;
+
+ ZEND_PARSE_PARAMETERS_START(2, 2)
+- Z_PARAM_STRING(name, name_len)
+- Z_PARAM_STRING(proto, proto_len)
++ Z_PARAM_PATH(name, name_len)
++ Z_PARAM_PATH(proto, proto_len)
+ ZEND_PARSE_PARAMETERS_END();
+
+
+@@ -2309,7 +2309,7 @@ PHP_FUNCTION(getservbyport)
+
+ ZEND_PARSE_PARAMETERS_START(2, 2)
+ Z_PARAM_LONG(port)
+- Z_PARAM_STRING(proto, proto_len)
++ Z_PARAM_PATH(proto, proto_len)
+ ZEND_PARSE_PARAMETERS_END();
+
+ serv = getservbyport(htons((unsigned short) port), proto);
+@@ -2332,7 +2332,7 @@ PHP_FUNCTION(getprotobyname)
+ struct protoent *ent;
+
+ ZEND_PARSE_PARAMETERS_START(1, 1)
+- Z_PARAM_STRING(name, name_len)
++ Z_PARAM_PATH(name, name_len)
+ ZEND_PARSE_PARAMETERS_END();
+
+ ent = getprotobyname(name);
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index a81ae3f71fc..4b3fac8e915 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -368,7 +368,7 @@ PHP_FUNCTION(dns_check_record)
+ #endif
+
+ ZEND_PARSE_PARAMETERS_START(1, 2)
+- Z_PARAM_STRING(hostname, hostname_len)
++ Z_PARAM_PATH(hostname, hostname_len)
+ Z_PARAM_OPTIONAL
+ Z_PARAM_STRING(rectype, rectype_len)
+ ZEND_PARSE_PARAMETERS_END();
+@@ -815,7 +815,7 @@ PHP_FUNCTION(dns_get_record)
+ zend_bool raw = 0;
+
+ ZEND_PARSE_PARAMETERS_START(1, 5)
+- Z_PARAM_STRING(hostname, hostname_len)
++ Z_PARAM_PATH(hostname, hostname_len)
+ Z_PARAM_OPTIONAL
+ Z_PARAM_LONG(type_param)
+ Z_PARAM_ZVAL(authns)
+@@ -1053,7 +1053,7 @@ PHP_FUNCTION(dns_get_mx)
+ #endif
+
+ ZEND_PARSE_PARAMETERS_START(2, 3)
+- Z_PARAM_STRING(hostname, hostname_len)
++ Z_PARAM_PATH(hostname, hostname_len)
+ Z_PARAM_ZVAL(mx_list)
+ Z_PARAM_OPTIONAL
+ Z_PARAM_ZVAL(weight_list)
+diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c
+index d677da0c150..1870998ef1f 100644
+--- a/ext/standard/dns_win32.c
++++ b/ext/standard/dns_win32.c
+@@ -48,7 +48,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */
+ DNS_STATUS status; /* Return value of DnsQuery_A() function */
+ PDNS_RECORD pResult, pRec; /* Pointer to DNS_RECORD structure */
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
+ RETURN_THROWS();
+ }
+
+@@ -101,7 +101,7 @@ PHP_FUNCTION(dns_check_record)
+ DNS_STATUS status; /* Return value of DnsQuery_A() function */
+ PDNS_RECORD pResult; /* Pointer to DNS_RECORD structure */
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
+ RETURN_THROWS();
+ }
+
+@@ -353,7 +353,7 @@ PHP_FUNCTION(dns_get_record)
+ int type, type_to_fetch, first_query = 1, store_results = 1;
+ zend_bool raw = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b",
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b",
+ &hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) {
+ RETURN_THROWS();
+ }
+diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+new file mode 100644
+index 00000000000..3d082c8e952
+--- /dev/null
++++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
+@@ -0,0 +1,62 @@
++--TEST--
++GHSA-www2-q4fc-65wf
++--DESCRIPTION--
++This is a ZPP test but *keep* this as it is security-sensitive!
++--FILE--
++<?php
++try {
++ dns_check_record("\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ dns_get_mx("\0", $out);
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ dns_get_record("\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ getprotobyname("\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ getservbyname("\0", "tcp");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ getservbyname("x", "tcp\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ getservbyport(0, "tcp\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ inet_pton("\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++try {
++ ip2long("\0");
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
++?>
++--EXPECT--
++dns_check_record(): Argument #1 ($hostname) must not contain any null bytes
++dns_get_mx(): Argument #1 ($hostname) must not contain any null bytes
++dns_get_record(): Argument #1 ($hostname) must not contain any null bytes
++getprotobyname(): Argument #1 ($protocol) must not contain any null bytes
++getservbyname(): Argument #1 ($service) must not contain any null bytes
++getservbyname(): Argument #2 ($protocol) must not contain any null bytes
++getservbyport(): Argument #2 ($protocol) must not contain any null bytes
++inet_pton(): Argument #1 ($ip) must not contain any null bytes
++ip2long(): Argument #1 ($ip) must not contain any null bytes
+--
+2.52.0
+
+From 52b3bdaa74078e4ea8abd9696cdbdc35a8091446 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 18 Dec 2025 07:17:43 +0100
+Subject: [PATCH 5/5] NEWS from 8.1.34
+
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index c813f4f357a..ee3b272dfc6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.1.34
++
++- Standard:
++ . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
++ (ndossche)
++ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()).
++ (CVE-2025-14178) (ndossche)
++ . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize).
++ (CVE-2025-14177) (ndossche)
++
+ Backported from 8.1.33
+
+ - PGSQL:
+--
+2.52.0
+
generated by cgit (git 2.34.1) at 2025-12-19 20:00:34 +0000