php: CVE-2019-11045.patch CVE-2019-11046.patch CVE-2019-11047.patch CVE-2019-11050.patch

Security Advisory References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11045 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11047 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11050 Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Wang Mingyu <wangmy@cn.fujitsu.com> 2020-03-19 00:39:15 -0700
committer: Khem Raj <raj.khem@gmail.com> 2020-03-18 19:29:01 -0700
commit: 539119d170270bc1fee0a2510f635d6e8fabff04 (patch)
tree: 34db1993f4599e82a83113cb3f68a9302ff5d7a7 /meta-oe
parent: 68710f24671a1485aca983367e6b692cc9ec1208 (diff)
download: meta-openembedded-539119d170270bc1fee0a2510f635d6e8fabff04.tar.gz
5 files changed, 251 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch
new file mode 100644
index 000000000..3b3c187a4
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch
@@ -0,0 +1,78 @@
+From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 25 Nov 2019 16:56:34 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+ a null byte
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+Upstream-Status: Accepted
+CVE: CVE-2019-11045
+   
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=a5a15965da23c8e97657278fc8dfbf1dfb20c016
+http://git.php.net/?p=php-src.git;a=commit;h=d74907b8575e6edb83b728c2a94df434c23e1f79
+---
+ ext/spl/spl_directory.c     |  4 ++--
+ ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug78863.phpt
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index 91ea2e0265..56e809b1c7 100644
+--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
+@@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
+ 
+        if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+                flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+-               parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
+               parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
+        } else {
+                flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+-               parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
+               parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
+        }
+        if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+                flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
+++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
+--TEST--
+Bug #78863 (DirectoryIterator class silently truncates after a null byte)
+--FILE--
+<?php
+$dir = __DIR__ . '/bug78863';
+mkdir($dir);
+touch("$dir/bad");
+mkdir("$dir/sub");
+touch("$dir/sub/good");
+
+$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
+foreach ($it as $fileinfo) {
+    if (!$fileinfo->isDot()) {
+        var_dump($fileinfo->getFilename());
+    }
+}
+?>
+--EXPECTF--
+Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
+Stack trace:
+#0 %s(%d): DirectoryIterator->__construct('%s')
+#1 {main}
+  thrown in %s on line %d
+--CLEAN--
+<?php
+$dir = __DIR__ . '/bug78863';
+unlink("$dir/sub/good");
+rmdir("$dir/sub");
+unlink("$dir/bad");
+rmdir($dir);
+?>
+-- 
+2.11.0
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch
new file mode 100644
index 000000000..711b8525a
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch
@@ -0,0 +1,59 @@
+From 2d07f00b73d8f94099850e0f5983e1cc5817c196 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 30 Nov 2019 12:26:37 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
+Upstream-Status: Accepted
+CVE: CVE-2019-11046
+   
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=eb23c6008753b1cdc5359dead3a096dce46c9018
+http://git.php.net/?p=php-src.git;a=commit;h=2d07f00b73d8f94099850e0f5983e1cc5817c196
+---
+ ext/bcmath/libbcmath/src/str2num.c |  4 ++--
+ ext/bcmath/tests/bug78878.phpt     | 13 +++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug78878.phpt
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index f38d341570..03aec15930 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
+++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
+   zero_int = FALSE;
+   if ( (*ptr == '+') || (*ptr == '-'))  ptr++;  /* Sign */
+   while (*ptr == '0') ptr++;                   /* Skip leading zeros. */
+-  while (isdigit((int)*ptr)) ptr++, digits++;  /* digits */
+  while (*ptr >= '0' && *ptr <= '9') ptr++, digits++;  /* digits */
+   if (*ptr == '.') ptr++;                      /* decimal point */
+-  while (isdigit((int)*ptr)) ptr++, strscale++;        /* digits */
+  while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++;        /* digits */
+   if ((*ptr != '\0') || (digits+strscale == 0))
+     {
+       *num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
+++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+<?php
+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+?>
+--FILE--
+<?php
+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+?>
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0
+-- 
+2.11.0
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch
new file mode 100644
index 000000000..e2922bf8f
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch
@@ -0,0 +1,57 @@
+From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 00:10:39 -0800
+Subject: [PATCH] Fixed bug #78910
+Upstream-Status: Accepted
+CVE-2019-11047
+   
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=d348cfb96f2543565691010ade5e0346338be5a7
+http://git.php.net/?p=php-src.git;a=commit;h=57325460d2bdee01a13d8e6cf03345c90543ff4f
+---
+ ext/exif/exif.c              |  3 ++-
+ ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78910.phpt
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 2804807e..a5780113 100644
+--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
+@@ -3138,7 +3138,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+                /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s)", maker_note->make?maker_note->make:"");*/
+                if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))
+                        continue;
+-               if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+               if (maker_note->id_string && value_len >= maker_note->id_string_len
+                               && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+                        continue;
+                break;
+        }
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+new file mode 100644
+index 00000000..f5b1c32c
+--- /dev/null
+++ b/ext/exif/tests/bug78910.phpt
+@@ -0,0 +1,17 @@
+--TEST--
+Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
+--FILE--
+<?php
+
+var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
+
+?>
+--EXPECTF--
+Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote  ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+
+Warning: exif_read_data(): Process tag(x927C=MakerNote  ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+
+Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+
+Warning: exif_read_data(): Invalid TIFF file in %s on line %d
+bool(false)
+-- 
+2.17.1
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
new file mode 100644
index 000000000..700b99bd9
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
@@ -0,0 +1,53 @@
+From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+Upstream-Status: Accepted
+CVE-2019-11050
+   
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
+http://git.php.net/?p=php-src.git;a=commit;h=1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2
+---
+ ext/exif/exif.c              |  5 +++--
+ ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78793.phpt
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index c0be05922f..7fe055f381 100644
+--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
+@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+        }
+ 
+        for (de=0;de<NumDirEntries;de++) {
+-               if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+-                                                                 offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
+               size_t offset = 2 + 12 * de;
+               if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
+                                                                 offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
+                        return FALSE;
+                }
+        }
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
+++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
+--TEST--
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
+--FILE--
+<?php
+$f = "ext/exif/tests/bug77950.tiff";
+for ($i = 0; $i < 10; $i++) {
+    @exif_read_data($f);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
+-- 
+2.11.0
diff --git a/meta-oe/recipes-devtools/php/php_7.3.11.bb b/meta-oe/recipes-devtools/php/php_7.3.11.bb
index 8dbaf8922..880ac839b 100644
--- a/meta-oe/recipes-devtools/php/php_7.3.11.bb
+++ b/meta-oe/recipes-devtools/php/php_7.3.11.bb
@@ -19,6 +19,10 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
           file://debian-php-fixheader.patch \
           file://CVE-2019-6978.patch \
           file://CVE-2020-7059.patch \
+           file://CVE-2019-11045.patch \
+           file://CVE-2019-11046.patch \
+           file://CVE-2019-11047.patch \
+           file://CVE-2019-11050.patch \
          "
 SRC_URI_append_class-target = " \
author	Wang Mingyu <wangmy@cn.fujitsu.com>	2020-03-19 00:39:15 -0700
committer	Khem Raj <raj.khem@gmail.com>	2020-03-18 19:29:01 -0700
commit	539119d170270bc1fee0a2510f635d6e8fabff04 (patch)
tree	34db1993f4599e82a83113cb3f68a9302ff5d7a7 /meta-oe
parent	68710f24671a1485aca983367e6b692cc9ec1208 (diff)
download	meta-openembedded-539119d170270bc1fee0a2510f635d6e8fabff04.tar.gz

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch new file mode 100644 index 000000000..3b3c187a4 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11045.patch
@@ -0,0 +1,78 @@
		1	From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001
		2	From: "Christoph M. Becker" <cmbecker69@gmx.de>
		3	Date: Mon, 25 Nov 2019 16:56:34 +0100
		4	Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
		5	a null byte
		6
		7	Since the constructor of DirectoryIterator and friends is supposed to
		8	accepts paths (i.e. strings without NUL bytes), we must not accept
		9	arbitrary strings.
		10
		11	Upstream-Status: Accepted
		12	CVE: CVE-2019-11045
		13
		14	Reference to upstream patch:
		15	http://git.php.net/?p=php-src.git;a=commit;h=a5a15965da23c8e97657278fc8dfbf1dfb20c016
		16	http://git.php.net/?p=php-src.git;a=commit;h=d74907b8575e6edb83b728c2a94df434c23e1f79
		17	---
		18	ext/spl/spl_directory.c \| 4 ++--
		19	ext/spl/tests/bug78863.phpt \| 31 +++++++++++++++++++++++++++++++
		20	2 files changed, 33 insertions(+), 2 deletions(-)
		21	create mode 100644 ext/spl/tests/bug78863.phpt
		22
		23	diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
		24	index 91ea2e0265..56e809b1c7 100644
		25	--- a/ext/spl/spl_directory.c
		26	+++ b/ext/spl/spl_directory.c
		27	@@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
		28
		29	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
		30	flags = SPL_FILE_DIR_KEY_AS_PATHNAME\|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
		31	- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s\|l", &path, &len, &flags);
		32	+ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p\|l", &path, &len, &flags);
		33	} else {
		34	flags = SPL_FILE_DIR_KEY_AS_PATHNAME\|SPL_FILE_DIR_CURRENT_AS_SELF;
		35	- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
		36	+ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
		37	}
		38	if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
		39	flags \|= SPL_FILE_DIR_SKIPDOTS;
		40	diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
		41	new file mode 100644
		42	index 0000000000..dc88d98dee
		43	--- /dev/null
		44	+++ b/ext/spl/tests/bug78863.phpt
		45	@@ -0,0 +1,31 @@
		46	+--TEST--
		47	+Bug #78863 (DirectoryIterator class silently truncates after a null byte)
		48	+--FILE--
		49	+<?php
		50	+$dir = __DIR__ . '/bug78863';
		51	+mkdir($dir);
		52	+touch("$dir/bad");
		53	+mkdir("$dir/sub");
		54	+touch("$dir/sub/good");
		55	+
		56	+$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
		57	+foreach ($it as $fileinfo) {
		58	+ if (!$fileinfo->isDot()) {
		59	+ var_dump($fileinfo->getFilename());
		60	+ }
		61	+}
		62	+?>
		63	+--EXPECTF--
		64	+Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
		65	+Stack trace:
		66	+#0 %s(%d): DirectoryIterator->__construct('%s')
		67	+#1 {main}
		68	+ thrown in %s on line %d
		69	+--CLEAN--
		70	+<?php
		71	+$dir = __DIR__ . '/bug78863';
		72	+unlink("$dir/sub/good");
		73	+rmdir("$dir/sub");
		74	+unlink("$dir/bad");
		75	+rmdir($dir);
		76	+?>
		77	--
		78	2.11.0


diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch new file mode 100644 index 000000000..711b8525a --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch
@@ -0,0 +1,59 @@
		1	From 2d07f00b73d8f94099850e0f5983e1cc5817c196 Mon Sep 17 00:00:00 2001
		2	From: "Christoph M. Becker" <cmbecker69@gmx.de>
		3	Date: Sat, 30 Nov 2019 12:26:37 +0100
		4	Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
		5
		6	We must not rely on `isdigit()` to detect digits, since we only support
		7	decimal ASCII digits in the following processing.
		8
		9	(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
		10
		11	Upstream-Status: Accepted
		12	CVE: CVE-2019-11046
		13
		14	Reference to upstream patch:
		15	http://git.php.net/?p=php-src.git;a=commit;h=eb23c6008753b1cdc5359dead3a096dce46c9018
		16	http://git.php.net/?p=php-src.git;a=commit;h=2d07f00b73d8f94099850e0f5983e1cc5817c196
		17	---
		18	ext/bcmath/libbcmath/src/str2num.c \| 4 ++--
		19	ext/bcmath/tests/bug78878.phpt \| 13 +++++++++++++
		20	2 files changed, 15 insertions(+), 2 deletions(-)
		21	create mode 100644 ext/bcmath/tests/bug78878.phpt
		22
		23	diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
		24	index f38d341570..03aec15930 100644
		25	--- a/ext/bcmath/libbcmath/src/str2num.c
		26	+++ b/ext/bcmath/libbcmath/src/str2num.c
		27	@@ -57,9 +57,9 @@ bc_str2num (bc_num num, char str, int scale)
		28	zero_int = FALSE;
		29	if ( (ptr == '+') \|\| (ptr == '-')) ptr++; /* Sign */
		30	while (ptr == '0') ptr++; / Skip leading zeros. */
		31	- while (isdigit((int)ptr)) ptr++, digits++; / digits */
		32	+ while (ptr >= '0' && ptr <= '9') ptr++, digits++; /* digits */
		33	if (ptr == '.') ptr++; / decimal point */
		34	- while (isdigit((int)ptr)) ptr++, strscale++; / digits */
		35	+ while (ptr >= '0' && ptr <= '9') ptr++, strscale++; /* digits */
		36	if ((*ptr != '\0') \|\| (digits+strscale == 0))
		37	{
		38	*num = bc_copy_num (BCG(_zero_));
		39	diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
		40	new file mode 100644
		41	index 0000000000..2c9d72b946
		42	--- /dev/null
		43	+++ b/ext/bcmath/tests/bug78878.phpt
		44	@@ -0,0 +1,13 @@
		45	+--TEST--
		46	+Bug #78878 (Buffer underflow in bc_shift_addsub)
		47	+--SKIPIF--
		48	+<?php
		49	+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
		50	+?>
		51	+--FILE--
		52	+<?php
		53	+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
		54	+?>
		55	+--EXPECT--
		56	+bc math warning: non-zero scale in modulus
		57	+0
		58	--
		59	2.11.0


diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch new file mode 100644 index 000000000..e2922bf8f --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11047.patch
@@ -0,0 +1,57 @@
		1	From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001
		2	From: Stanislav Malyshev <stas@php.net>
		3	Date: Mon, 16 Dec 2019 00:10:39 -0800
		4	Subject: [PATCH] Fixed bug #78910
		5
		6	Upstream-Status: Accepted
		7	CVE-2019-11047
		8
		9	Reference to upstream patch:
		10	http://git.php.net/?p=php-src.git;a=commit;h=d348cfb96f2543565691010ade5e0346338be5a7
		11	http://git.php.net/?p=php-src.git;a=commit;h=57325460d2bdee01a13d8e6cf03345c90543ff4f
		12	---
		13	ext/exif/exif.c \| 3 ++-
		14	ext/exif/tests/bug78910.phpt \| 17 +++++++++++++++++
		15	2 files changed, 19 insertions(+), 1 deletion(-)
		16	create mode 100644 ext/exif/tests/bug78910.phpt
		17
		18	diff --git a/ext/exif/exif.c b/ext/exif/exif.c
		19	index 2804807e..a5780113 100644
		20	--- a/ext/exif/exif.c
		21	+++ b/ext/exif/exif.c
		22	@@ -3138,7 +3138,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type ImageInfo, char valu
		23	/exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s)", maker_note->make?maker_note->make:"");/
		24	if (maker_note->make && (!ImageInfo->make \|\| strcmp(maker_note->make, ImageInfo->make)))
		25	continue;
		26	- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
		27	+ if (maker_note->id_string && value_len >= maker_note->id_string_len
		28	+ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
		29	continue;
		30	break;
		31	}
		32	diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
		33	new file mode 100644
		34	index 00000000..f5b1c32c
		35	--- /dev/null
		36	+++ b/ext/exif/tests/bug78910.phpt
		37	@@ -0,0 +1,17 @@
		38	+--TEST--
		39	+Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
		40	+--FILE--
		41	+<?php
		42	+
		43	+var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
		44	+
		45	+?>
		46	+--EXPECTF--
		47	+Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
		48	+
		49	+Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
		50	+
		51	+Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
		52	+
		53	+Warning: exif_read_data(): Invalid TIFF file in %s on line %d
		54	+bool(false)
		55	--
		56	2.17.1
		57


diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch new file mode 100644 index 000000000..700b99bd9 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
@@ -0,0 +1,53 @@
		1	From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
		2	From: Stanislav Malyshev <stas@php.net>
		3	Date: Mon, 16 Dec 2019 01:14:38 -0800
		4	Subject: [PATCH] Fix bug #78793
		5
		6	Upstream-Status: Accepted
		7	CVE-2019-11050
		8
		9	Reference to upstream patch:
		10	http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
		11	http://git.php.net/?p=php-src.git;a=commit;h=1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2
		12	---
		13	ext/exif/exif.c \| 5 +++--
		14	ext/exif/tests/bug78793.phpt \| 12 ++++++++++++
		15	2 files changed, 15 insertions(+), 2 deletions(-)
		16	create mode 100644 ext/exif/tests/bug78793.phpt
		17
		18	diff --git a/ext/exif/exif.c b/ext/exif/exif.c
		19	index c0be05922f..7fe055f381 100644
		20	--- a/ext/exif/exif.c
		21	+++ b/ext/exif/exif.c
		22	@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type ImageInfo, char valu
		23	}
		24
		25	for (de=0;de<NumDirEntries;de++) {
		26	- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
		27	- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
		28	+ size_t offset = 2 + 12 * de;
		29	+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
		30	+ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
		31	return FALSE;
		32	}
		33	}
		34	diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
		35	new file mode 100644
		36	index 0000000000..033f255ace
		37	--- /dev/null
		38	+++ b/ext/exif/tests/bug78793.phpt
		39	@@ -0,0 +1,12 @@
		40	+--TEST--
		41	+Bug #78793: Use-after-free in exif parsing under memory sanitizer
		42	+--FILE--
		43	+<?php
		44	+$f = "ext/exif/tests/bug77950.tiff";
		45	+for ($i = 0; $i < 10; $i++) {
		46	+ @exif_read_data($f);
		47	+}
		48	+?>
		49	+===DONE===
		50	+--EXPECT--
		51	+===DONE===
		52	--
		53	2.11.0


diff --git a/meta-oe/recipes-devtools/php/php_7.3.11.bb b/meta-oe/recipes-devtools/php/php_7.3.11.bb index 8dbaf8922..880ac839b 100644 --- a/meta-oe/recipes-devtools/php/php_7.3.11.bb +++ b/meta-oe/recipes-devtools/php/php_7.3.11.bb
@@ -19,6 +19,10 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
19	file://debian-php-fixheader.patch \	19	file://debian-php-fixheader.patch \
20	file://CVE-2019-6978.patch \	20	file://CVE-2019-6978.patch \
21	file://CVE-2020-7059.patch \	21	file://CVE-2020-7059.patch \
		22	file://CVE-2019-11045.patch \
		23	file://CVE-2019-11046.patch \
		24	file://CVE-2019-11047.patch \
		25	file://CVE-2019-11050.patch \
22	"	26	"
23		27
24	SRC_URI_append_class-target = " \	28	SRC_URI_append_class-target = " \