| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-03-10 14:03:23 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-03-24 08:52:08 +0530 |
| commit | af2304fcb982055d420bda526e8b30fbcf899339 (patch) | |
| tree | 20167b90253187eb331a99b4181fbf70041e9ce2 | |
| parent | e7a359838ccdb7dcc1f090d0734d4b422735172b (diff) | |
| download | meta-openembedded-af2304fcb982055d420bda526e8b30fbcf899339.tar.gz | |
php: upgrade 8.2.29 -> 8.2.30
Drop patches that are included in this release.
Changes: https://www.php.net/ChangeLog-8.php#8.2.30
- Curl: Fix curl build and test failures with version 8.16.
- Opcache: Reset global pointers to prevent use-after-free in zend_jit_status().
- PDO: PDO quoting result null deref - CVE-2025-14180
- Null byte termination in dns_get_record()
- Heap buffer overflow in array_merge() - CVE-2025-14178
- Information Leak of Memory in getimagesize - CVE-2025-14177
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch | 84 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch | 65 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/php/php/CVE-2025-14180.patch | 69 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/php/php_8.2.30.bb (renamed from meta-oe/recipes-devtools/php/php_8.2.29.bb) | 5 |
4 files changed, 1 insertions, 222 deletions
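--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
-From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
-Date: Tue, 25 Nov 2025 23:11:38 +0100
-Subject: [PATCH] Fix GH-20584: Information Leak of Memory
-
-The string added had uninitialized memory due to
-php_read_stream_all_chunks() not moving the buffer position, resulting
-in the same data always being overwritten instead of new data being
-added to the end of the buffer.
-
-This is backport as there is a security impact as described in
-GHSA-3237-qqm7-mfv7 .
-
-CVE: CVE-2025-14177
-Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0]
-
-(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
----
-ext/standard/image.c | 1 +
-ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
-2 files changed, 40 insertions(+)
-create mode 100644 ext/standard/tests/image/gh20584.phpt
-
-diff --git a/ext/standard/image.c b/ext/standard/image.c
-index 2bd5429efac..15761364c34 100644
---- a/ext/standard/image.c
-+++ b/ext/standard/image.c
-@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
-if (read_now < stream->chunk_size && read_total != length) {
-return 0;
-}
-+ buffer += read_now;
-} while (read_total < length);
-
-return read_total;
-diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
-new file mode 100644
-index 00000000000..d117f218202
---- /dev/null
-+++ b/ext/standard/tests/image/gh20584.phpt
-@@ -0,0 +1,39 @@
-+--TEST--
-+GH-20584 (Information Leak of Memory)
-+--CREDITS--
-+Nikita Sveshnikov (Positive Technologies)
-+--FILE--
-+<?php
-+// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
-+$file = __DIR__ . '/gh20584.jpg';
-+
-+// Make APP1 large enough so it is read in multiple chunks
-+$chunk = 8192;
-+$tail = 123;
-+$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
-+$tail);
-+$app1Len = 2 + strlen($payload);
-+
-+// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
-+$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
-+"\x01\x11\x00";
-+$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
-+"\xFF\xD9";
-+file_put_contents($file, $jpeg);
-+
-+// Read through a filter to enforce multiple reads
-+$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
-+$info = null;
-+@getimagesize($src, $info);
-+$exp = $payload;
-+$ret = $info['APP1'];
-+
-+var_dump($ret === $exp);
-+
-+?>
-+--CLEAN--
-+<?php
-+@unlink(__DIR__ . '/gh20584.jpg');
-+?>
-+--EXPECT--
-+bool(true)
---
-2.43.5
-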
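--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a46c3692d37f8c539b3b00ea4ab7ebc2d7db5507 Mon Sep 17 00:00:00 2001
-From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
-Date: Sun, 9 Nov 2025 13:23:11 +0100
-Subject: [PATCH] Fix GHSA-h96m-rvf9-jgm2
-
-CVE: CVE-2025-14178
-Upstream-Status: Backport [https://github.com/php/php-src/commit/c4268c15e361]
-
-(cherry picked from commit c4268c15e361ccd79289a3909f332ab2153f72e7)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
----
-ext/standard/array.c | 7 ++++++-
-.../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
-2 files changed, 22 insertions(+), 1 deletion(-)
-create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
-
-diff --git a/ext/standard/array.c b/ext/standard/array.c
-index a1a92934084..30b9a425b20 100644
---- a/ext/standard/array.c
-+++ b/ext/standard/array.c
-@@ -3903,7 +3903,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
-int argc, i;
-zval *src_entry;
-HashTable *src, *dest;
-- uint32_t count = 0;
-+ uint64_t count = 0;
-
-ZEND_PARSE_PARAMETERS_START(0, -1)
-Z_PARAM_VARIADIC('+', args, argc)
-@@ -3923,6 +3923,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
-count += zend_hash_num_elements(Z_ARRVAL_P(arg));
-}
-
-+ if (UNEXPECTED(count >= HT_MAX_SIZE)) {
-+ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
-+ RETURN_THROWS();
-+ }
-+
-if (argc == 2) {
-zval *ret = NULL;
-
-diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
-new file mode 100644
-index 00000000000..2e3e85357e1
---- /dev/null
-+++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
-@@ -0,0 +1,16 @@
-+--TEST--
-+GHSA-h96m-rvf9-jgm2
-+--FILE--
-+<?php
-+
-+$power = 20; // Chosen to be well within a memory_limit
-+$arr = range(0, 2**$power);
-+try {
-+ array_merge(...array_fill(0, 2**(32-$power), $arr));
-+} catch (Error $e) {
-+ echo $e->getMessage(), "\n";
-+}
-+
-+?>
-+--EXPECTF--
-+The total number of elements must be lower than %d
---
-2.43.7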
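--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14180.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 86f18141dd016a7927083cc122c71f1a8877b414 Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka <bukka@php.net>
-Date: Sat, 11 Oct 2025 19:37:26 +0200
-Subject: [PATCH] Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
-
-CVE: CVE-2025-14180
-Upstream-Status: Backport [https://github.com/php/php-src/commit/5797b94652c3]
-
-(cherry picked from commit 5797b94652c366521bff55f8e1a26ed6188f31b8)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
----
-ext/pdo/pdo_sql_parser.re | 6 +++++
-ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt | 28 ++++++++++++++++++++
-2 files changed, 34 insertions(+)
-create mode 100644 ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
-
-diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re
-index 6bb0837fb31..7f4721d12a6 100644
---- a/ext/pdo/pdo_sql_parser.re
-+++ b/ext/pdo/pdo_sql_parser.re
-@@ -287,6 +287,12 @@ safe:
-}
-
-plc->quoted = stmt->dbh->methods->quoter(stmt->dbh, buf, param_type);
-+ if (plc->quoted == NULL) {
-+ /* bork */
-+ ret = -1;
-+ strncpy(stmt->error_code, stmt->dbh->error_code, 6);
-+ goto clean_up;
-+ }
-}
-}
-
-diff --git a/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
-new file mode 100644
-index 00000000000..736354cab13
---- /dev/null
-+++ b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
-@@ -0,0 +1,28 @@
-+--TEST--
-+#GHSA-8xr5-qppj-gvwj: NULL Pointer Derefernce for failed user input quoting
-+--EXTENSIONS--
-+pdo
-+pdo_pgsql
-+--SKIPIF--
-+<?php
-+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
-+require_once dirname(__FILE__) . '/config.inc';
-+PDOTest::skip();
-+?>
-+--FILE--
-+<?php
-+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
-+require_once dirname(__FILE__) . '/config.inc';
-+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
-+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-+$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
-+
-+$sql = "SELECT * FROM users where username = :username";
-+$stmt = $db->prepare($sql);
-+
-+$p1 = "alice\x99";
-+var_dump($stmt->execute(['username' => $p1]));
-+
-+?>
-+--EXPECT--
-+bool(false)
---
-2.43.7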
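--- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.2.30.bb
@@ -20,9 +20,6 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
 file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
 file://0010-iconv-fix-detection.patch \
 file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
-file://CVE-2025-14177.patch \
-file://CVE-2025-14178.patch \
-file://CVE-2025-14180.patch \
 "
 
 SRC_URI:append:class-target = " \
@@ -37,7 +34,7 @@ SRC_URI:append:class-target = " \
 "
 
 S = "${WORKDIR}/php-${PV}"
-SRC_URI[sha256sum] = "51979e8d198cbade2aad4ffe9f53dd3f04f9602d3089e5979985e058ade4267c"
+SRC_URI[sha256sum] = "104820b6c8fc959dde4b3342135f42bdabf246e86918a16381a17d8447c866fa"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_PHP"
 CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."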
