php: Fix CVE-2023-3824

Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef] CVE: CVE-2023-3824 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Siddharth Doshi <sdoshi@mvista.com> 2023-09-27 12:27:23 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-09-30 08:55:03 -0400
commit: 0f10a0d394ddffeeb1db0ea94046d86792d704fe (patch)
tree: 9a4a6e39e1a17eccbf2da156797a4f4c082b53a6
parent: 2f4f70a7033b258bfa0a2732601c29d6fee7e9d7 (diff)
download: meta-openembedded-0f10a0d394ddffeeb1db0ea94046d86792d704fe.tar.gz
2 files changed, 92 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch
new file mode 100644
index 000000000..953b5258e
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch
@@ -0,0 +1,91 @@
+From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Mon, 10 Jul 2023 13:25:34 +0200
+Subject: [PATCH] Fix buffer mismanagement in phar_dir_read()
+Fixes GHSA-jqcx-ccgc-xwhv.
+Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
+CVE: CVE-2023-3824
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ ext/phar/dirstream.c                    | 15 ++++++++------
+ ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+ create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index 4710703c..490b1452 100644
+--- a/ext/phar/dirstream.c
+++ b/ext/phar/dirstream.c
+@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
+  */
+ static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
+ {
+-       size_t to_read;
+        HashTable *data = (HashTable *)stream->abstract;
+        zend_string *str_key;
+        zend_ulong unused;
+ 
+       if (count != sizeof(php_stream_dirent)) {
+               return -1;
+       }
+
+        if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
+                return 0;
+        }
+ 
+        zend_hash_move_forward(data);
+-       to_read = MIN(ZSTR_LEN(str_key), count);
+ 
+-       if (to_read == 0 || count < ZSTR_LEN(str_key)) {
+       php_stream_dirent *dirent = (php_stream_dirent *) buf;
+
+       if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
+                return 0;
+        }
+ 
+-       memset(buf, 0, sizeof(php_stream_dirent));
+-       memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
+-       ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
+       memset(dirent, 0, sizeof(php_stream_dirent));
+       PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
+ 
+        return sizeof(php_stream_dirent);
+ }
+diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+new file mode 100644
+index 00000000..4e12f05f
+--- /dev/null
+++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+@@ -0,0 +1,27 @@
+--TEST--
+GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
+$phar->startBuffering();
+$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
+$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
+$phar->stopBuffering();
+
+$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
+var_dump(strlen(readdir($handle)));
+// Must not be a string of length PHP_MAXPATHLEN+1
+var_dump(readdir($handle));
+closedir($handle);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
+?>
+--EXPECTF--
+int(%d)
+bool(false)
+-- 
+2.24.4
diff --git a/meta-oe/recipes-devtools/php/php_7.4.33.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb
index cde482079..2a82d62ca 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.33.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
           file://debian-php-fixheader.patch \
           file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
           file://0001-php.m4-don-t-unset-cache-variables.patch \
+           file://CVE-2023-3824.patch \
          "
 SRC_URI_append_class-target = " \
author	Siddharth Doshi <sdoshi@mvista.com>	2023-09-27 12:27:23 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-09-30 08:55:03 -0400
commit	0f10a0d394ddffeeb1db0ea94046d86792d704fe (patch)
tree	9a4a6e39e1a17eccbf2da156797a4f4c082b53a6
parent	2f4f70a7033b258bfa0a2732601c29d6fee7e9d7 (diff)
download	meta-openembedded-0f10a0d394ddffeeb1db0ea94046d86792d704fe.tar.gz

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch new file mode 100644 index 000000000..953b5258e --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch
@@ -0,0 +1,91 @@
		1	From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001
		2	From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
		3	Date: Mon, 10 Jul 2023 13:25:34 +0200
		4	Subject: [PATCH] Fix buffer mismanagement in phar_dir_read()
		5
		6	Fixes GHSA-jqcx-ccgc-xwhv.
		7
		8	Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
		9	CVE: CVE-2023-3824
		10	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		11	---
		12	ext/phar/dirstream.c \| 15 ++++++++------
		13	ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt \| 27 +++++++++++++++++++++++++
		14	2 files changed, 36 insertions(+), 6 deletions(-)
		15	create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
		16
		17	diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
		18	index 4710703c..490b1452 100644
		19	--- a/ext/phar/dirstream.c
		20	+++ b/ext/phar/dirstream.c
		21	@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
		22	*/
		23	static ssize_t phar_dir_read(php_stream stream, char buf, size_t count) /* {{{ */
		24	{
		25	- size_t to_read;
		26	HashTable data = (HashTable )stream->abstract;
		27	zend_string *str_key;
		28	zend_ulong unused;
		29
		30	+ if (count != sizeof(php_stream_dirent)) {
		31	+ return -1;
		32	+ }
		33	+
		34	if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
		35	return 0;
		36	}
		37
		38	zend_hash_move_forward(data);
		39	- to_read = MIN(ZSTR_LEN(str_key), count);
		40
		41	- if (to_read == 0 \|\| count < ZSTR_LEN(str_key)) {
		42	+ php_stream_dirent dirent = (php_stream_dirent ) buf;
		43	+
		44	+ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
		45	return 0;
		46	}
		47
		48	- memset(buf, 0, sizeof(php_stream_dirent));
		49	- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
		50	- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
		51	+ memset(dirent, 0, sizeof(php_stream_dirent));
		52	+ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
		53
		54	return sizeof(php_stream_dirent);
		55	}
		56	diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
		57	new file mode 100644
		58	index 00000000..4e12f05f
		59	--- /dev/null
		60	+++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
		61	@@ -0,0 +1,27 @@
		62	+--TEST--
		63	+GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
		64	+--SKIPIF--
		65	+<?php if (!extension_loaded("phar")) die("skip"); ?>
		66	+--INI--
		67	+phar.readonly=0
		68	+--FILE--
		69	+<?php
		70	+$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
		71	+$phar->startBuffering();
		72	+$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
		73	+$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
		74	+$phar->stopBuffering();
		75	+
		76	+$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
		77	+var_dump(strlen(readdir($handle)));
		78	+// Must not be a string of length PHP_MAXPATHLEN+1
		79	+var_dump(readdir($handle));
		80	+closedir($handle);
		81	+?>
		82	+--CLEAN--
		83	+<?php
		84	+unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
		85	+?>
		86	+--EXPECTF--
		87	+int(%d)
		88	+bool(false)
		89	--
		90	2.24.4
		91


diff --git a/meta-oe/recipes-devtools/php/php_7.4.33.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb index cde482079..2a82d62ca 100644 --- a/meta-oe/recipes-devtools/php/php_7.4.33.bb +++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
16	file://debian-php-fixheader.patch \	16	file://debian-php-fixheader.patch \
17	file://0001-configure.ac-don-t-include-build-libtool.m4.patch \	17	file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
18	file://0001-php.m4-don-t-unset-cache-variables.patch \	18	file://0001-php.m4-don-t-unset-cache-variables.patch \
		19	file://CVE-2023-3824.patch \
19	"	20	"
20		21
21	SRC_URI_append_class-target = " \	22	SRC_URI_append_class-target = " \