author | Wang Mingyu <wangmy@cn.fujitsu.com> | 2020-03-19 00:39:15 -0700 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2020-03-18 19:29:01 -0700 |
commit | 539119d170270bc1fee0a2510f635d6e8fabff04 (patch) | |
tree | 34db1993f4599e82a83113cb3f68a9302ff5d7a7 | |
parent | 68710f24671a1485aca983367e6b692cc9ec1208 (diff) | |
download | meta-openembedded-539119d170270bc1fee0a2510f635d6e8fabff04.tar.gz |
php: CVE-2019-11045.patch CVE-2019-11046.patch CVE-2019-11047.patch CVE-2019-11050.patch
Security Advisory
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11050
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
5 files changed, 251 insertions, 0 deletions
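--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch
@@ -0,0 +1,78 @@
+From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 25 Nov 2019 16:56:34 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+a null byte
+
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+
+Upstream-Status: Accepted
+CVE: CVE-2019-11045
+
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=a5a15965da23c8e97657278fc8dfbf1dfb20c016
+http://git.php.net/?p=php-src.git;a=commit;h=d74907b8575e6edb83b728c2a94df434c23e1f79
+---
+ext/spl/spl_directory.c | 4 ++--
+ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+2 files changed, 33 insertions(+), 2 deletions(-)
+create mode 100644 ext/spl/tests/bug78863.phpt
+
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index 91ea2e0265..56e809b1c7 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
+
+if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
+} else {
+flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
+}
+if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
++++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #78863 (DirectoryIterator class silently truncates after a null byte)
++--FILE--
++<?php
++$dir = __DIR__ . '/bug78863';
++mkdir($dir);
++touch("$dir/bad");
++mkdir("$dir/sub");
++touch("$dir/sub/good");
++
++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
++foreach ($it as $fileinfo) {
++ if (!$fileinfo->isDot()) {
++ var_dump($fileinfo->getFilename());
++ }
++}
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:
++#0 %s(%d): DirectoryIterator->__construct('%s')
++#1 {main}
++ thrown in %s on line %d
++--CLEAN--
++<?php
++$dir = __DIR__ . '/bug78863';
++unlink("$dir/sub/good");
++rmdir("$dir/sub");
++unlink("$dir/bad");
++rmdir($dir);
++?>
+--
+2.11.0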
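--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch
@@ -0,0 +1,59 @@
+From 2d07f00b73d8f94099850e0f5983e1cc5817c196 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 30 Nov 2019 12:26:37 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+
+(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
+
+Upstream-Status: Accepted
+CVE: CVE-2019-11046
+
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=eb23c6008753b1cdc5359dead3a096dce46c9018
+http://git.php.net/?p=php-src.git;a=commit;h=2d07f00b73d8f94099850e0f5983e1cc5817c196
+---
+ext/bcmath/libbcmath/src/str2num.c | 4 ++--
+ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
+2 files changed, 15 insertions(+), 2 deletions(-)
+create mode 100644 ext/bcmath/tests/bug78878.phpt
+
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index f38d341570..03aec15930 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
++++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
+zero_int = FALSE;
+if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
+while (*ptr == '0') ptr++; /* Skip leading zeros. */
+- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
+if (*ptr == '.') ptr++; /* decimal point */
+- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
+if ((*ptr != '\0') || (digits+strscale == 0))
+{
+*num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #78878 (Buffer underflow in bc_shift_addsub)
++--SKIPIF--
++<?php
++if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
++?>
++--FILE--
++<?php
++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
++?>
++--EXPECT--
++bc math warning: non-zero scale in modulus
++0
+--
+2.11.0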
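Review bot: The two rewritten loops in `bc_str2num` still carry only the trailing comment `/* digits */`, so nothing on the new side records why `isdigit()` was dropped, and a later cleanup could reintroduce it. A comment above the first loop such as `/* ASCII '0'..'9' only: isdigit() may accept other bytes on some platforms and is undefined for negative char values */` would keep the reason next to the code. The function body begins and ends outside the hunk, so any other character-class calls in it are not visible here.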
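--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch
@@ -0,0 +1,57 @@
+From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 00:10:39 -0800
+Subject: [PATCH] Fixed bug #78910
+
+Upstream-Status: Accepted
+CVE-2019-11047
+
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=d348cfb96f2543565691010ade5e0346338be5a7
+http://git.php.net/?p=php-src.git;a=commit;h=57325460d2bdee01a13d8e6cf03345c90543ff4f
+---
+ext/exif/exif.c | 3 ++-
+ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
+2 files changed, 19 insertions(+), 1 deletion(-)
+create mode 100644 ext/exif/tests/bug78910.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 2804807e..a5780113 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3138,7 +3138,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s)", maker_note->make?maker_note->make:"");*/
+if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))
+continue;
+- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
++ if (maker_note->id_string && value_len >= maker_note->id_string_len
++ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+continue;
+break;
+}
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+new file mode 100644
+index 00000000..f5b1c32c
+--- /dev/null
++++ b/ext/exif/tests/bug78910.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
++--FILE--
++<?php
++
++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
++
++?>
++--EXPECTF--
++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++
++Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++
++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++
++Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++bool(false)
+--
+2.17.1
+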
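Review bot: In the `exif_process_IFD_in_MAKERNOTE` hunk of the embedded exif.c change, a MakerNote value shorter than `id_string_len` no longer reaches `continue` and instead falls through to `break`, so that table entry is selected without its id string ever being compared. That removes the out-of-bounds `strncmp` read, but it leaves rejection of the short value to length checks later in the function, which lie outside this hunk (the "IFD data too short" warning expected by bug78910.phpt suggests one exists). A comment above the condition, e.g. `/* value shorter than id_string: skip the compare; later length checks must reject it */`, would record that dependency. Separately, the header line `CVE-2019-11047` lacks the `CVE: ` prefix used in CVE-2019-11045.patch and CVE-2019-11046.patch; `CVE: CVE-2019-11047` would keep the tags uniform for tooling that reads them, and CVE-2019-11050.patch has the same gap.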
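--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
@@ -0,0 +1,53 @@
+From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+
+Upstream-Status: Accepted
+CVE-2019-11050
+
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
+http://git.php.net/?p=php-src.git;a=commit;h=1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2
+---
+ext/exif/exif.c | 5 +++--
+ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+2 files changed, 15 insertions(+), 2 deletions(-)
+create mode 100644 ext/exif/tests/bug78793.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index c0be05922f..7fe055f381 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+}
+
+for (de=0;de<NumDirEntries;de++) {
+- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
++ size_t offset = 2 + 12 * de;
++ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
++ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
+return FALSE;
+}
+}
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
++++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #78793: Use-after-free in exif parsing under memory sanitizer
++--FILE--
++<?php
++$f = "ext/exif/tests/bug77950.tiff";
++for ($i = 0; $i < 10; $i++) {
++ @exif_read_data($f);
++}
++?>
++===DONE===
++--EXPECT--
++===DONE===
+--
+2.11.0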
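Review bot: The new `data_len - offset` argument inside the `for (de=0;de<NumDirEntries;de++)` loop has no visible guard that `offset <= data_len`; if `data_len` is an unsigned type, as the `size_t offset` beside it suggests, a directory running past the buffer would make the subtraction wrap to a very large length rather than a small one. The function starts and ends outside this hunk, so an earlier bound on `NumDirEntries` may already rule this out, but the dependency deserves either a comment naming that check or an explicit `if (offset > data_len) return FALSE;` before the call. bug78793.phpt also opens `ext/exif/tests/bug77950.tiff` relative to the working directory with `@` suppressing errors, so a missing fixture still prints `===DONE===` and the test passes without exercising the parser; `__DIR__ . '/bug77950.tiff'` would tie it to the test directory.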
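--- a/meta-oe/recipes-devtools/php/php_7.3.11.bb
+++ b/meta-oe/recipes-devtools/php/php_7.3.11.bb
@@ -19,6 +19,10 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
 file://debian-php-fixheader.patch \
 file://CVE-2019-6978.patch \
 file://CVE-2020-7059.patch \
+file://CVE-2019-11045.patch \
+file://CVE-2019-11046.patch \
+file://CVE-2019-11047.patch \
+file://CVE-2019-11050.patch \
 "
 
 SRC_URI_append_class-target = " \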