author | Siddharth Doshi <sdoshi@mvista.com> | 2023-09-27 12:27:23 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-09-30 08:55:03 -0400 |
commit | 0f10a0d394ddffeeb1db0ea94046d86792d704fe (patch) | |
tree | 9a4a6e39e1a17eccbf2da156797a4f4c082b53a6 | |
parent | 2f4f70a7033b258bfa0a2732601c29d6fee7e9d7 (diff) | |
download | meta-openembedded-0f10a0d394ddffeeb1db0ea94046d86792d704fe.tar.gz |
php: Fix CVE-2023-3824
Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
CVE: CVE-2023-3824
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch | 91 | ||||
-rw-r--r-- | meta-oe/recipes-devtools/php/php_7.4.33.bb | 1 |
2 files changed, 92 insertions, 0 deletions
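--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch
@@ -0,0 +1,91 @@
+From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Mon, 10 Jul 2023 13:25:34 +0200
+Subject: [PATCH] Fix buffer mismanagement in phar_dir_read()
+
+Fixes GHSA-jqcx-ccgc-xwhv.
+
+Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
+CVE: CVE-2023-3824
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ext/phar/dirstream.c | 15 ++++++++------
+ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
+2 files changed, 36 insertions(+), 6 deletions(-)
+create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index 4710703c..490b1452 100644
+--- a/ext/phar/dirstream.c
++++ b/ext/phar/dirstream.c
+@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
+*/
+static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
+{
+- size_t to_read;
+HashTable *data = (HashTable *)stream->abstract;
+zend_string *str_key;
+zend_ulong unused;
+
++ if (count != sizeof(php_stream_dirent)) {
++ return -1;
++ }
++
+if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
+return 0;
+}
+
+zend_hash_move_forward(data);
+- to_read = MIN(ZSTR_LEN(str_key), count);
+
+- if (to_read == 0 || count < ZSTR_LEN(str_key)) {
++ php_stream_dirent *dirent = (php_stream_dirent *) buf;
++
++ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
+return 0;
+}
+
+- memset(buf, 0, sizeof(php_stream_dirent));
+- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
+- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
++ memset(dirent, 0, sizeof(php_stream_dirent));
++ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
+
+return sizeof(php_stream_dirent);
+}
+diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+new file mode 100644
+index 00000000..4e12f05f
+--- /dev/null
++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--INI--
++phar.readonly=0
++--FILE--
++<?php
++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++$phar->startBuffering();
++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
++$phar->stopBuffering();
++
++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
++var_dump(strlen(readdir($handle)));
++// Must not be a string of length PHP_MAXPATHLEN+1
++var_dump(readdir($handle));
++closedir($handle);
++?>
++--CLEAN--
++<?php
++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++?>
++--EXPECTF--
++int(%d)
++bool(false)
+--
+2.24.4
+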
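Review bot: In phar_dir_read() the over-long-name branch `if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) { return 0; }` returns the same value as the HASH_KEY_NON_EXISTENT (end-of-directory) case above it, and it runs after zend_hash_move_forward(), so a caller cannot tell a skipped entry from the end of the listing. The bundled test expects `bool(false)` from the second readdir(), so a loop that stops at the first false would presumably never see entries that follow an over-long name, and code that inventories or scans an archive through directory iteration may under-report its contents. Since this is a backport I would leave the logic as upstream has it, but the branch deserves a comment such as `/* name does not fit in d_name: entry is skipped and reported like end-of-directory */`.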
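--- a/meta-oe/recipes-devtools/php/php_7.4.33.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
 file://debian-php-fixheader.patch \
 file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
 file://0001-php.m4-don-t-unset-cache-variables.patch \
+file://CVE-2023-3824.patch \
 "
 
 SRC_URI_append_class-target = " \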