authorGyorgy Sarvari <skandigraun@gmail.com>2026-03-10 14:03:23 +0100
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-03-24 08:52:08 +0530
commitaf2304fcb982055d420bda526e8b30fbcf899339 (patch)
tree20167b90253187eb331a99b4181fbf70041e9ce2
parente7a359838ccdb7dcc1f090d0734d4b422735172b (diff)
php: upgrade 8.2.29 -> 8.2.30
Drop patches that are included in this release. Changes: https://www.php.net/ChangeLog-8.php#8.2.30 - Curl: Fix curl build and test failures with version 8.16. - Opcache: Reset global pointers to prevent use-after-free in zend_jit_status(). - PDO: PDO quoting result null deref - CVE-2025-14180 - Null byte termination in dns_get_record() - Heap buffer overflow in array_merge() - CVE-2025-14178 - Information Leak of Memory in getimagesize - CVE-2025-14177 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch84
-rw-r--r--meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch65
-rw-r--r--meta-oe/recipes-devtools/php/php/CVE-2025-14180.patch69
-rw-r--r--meta-oe/recipes-devtools/php/php_8.2.30.bb (renamed from meta-oe/recipes-devtools/php/php_8.2.29.bb)5
4 files changed, 1 insertions, 222 deletions
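--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
-From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
-Date: Tue, 25 Nov 2025 23:11:38 +0100
-Subject: [PATCH] Fix GH-20584: Information Leak of Memory
-
-The string added had uninitialized memory due to
-php_read_stream_all_chunks() not moving the buffer position, resulting
-in the same data always being overwritten instead of new data being
-added to the end of the buffer.
-
-This is backport as there is a security impact as described in
-GHSA-3237-qqm7-mfv7 .
-
-CVE: CVE-2025-14177
-Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0]
-
-(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
----
- ext/standard/image.c | 1 +
- ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
- 2 files changed, 40 insertions(+)
- create mode 100644 ext/standard/tests/image/gh20584.phpt
-
-diff --git a/ext/standard/image.c b/ext/standard/image.c
-index 2bd5429efac..15761364c34 100644
---- a/ext/standard/image.c
-+++ b/ext/standard/image.c
-@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
- if (read_now < stream->chunk_size && read_total != length) {
- return 0;
- }
-+ buffer += read_now;
- } while (read_total < length);
-
- return read_total;
-diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
-new file mode 100644
-index 00000000000..d117f218202
---- /dev/null
-+++ b/ext/standard/tests/image/gh20584.phpt
-@@ -0,0 +1,39 @@
-+--TEST--
-+GH-20584 (Information Leak of Memory)
-+--CREDITS--
-+Nikita Sveshnikov (Positive Technologies)
-+--FILE--
-+<?php
-+// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
-+$file = __DIR__ . '/gh20584.jpg';
-+
-+// Make APP1 large enough so it is read in multiple chunks
-+$chunk = 8192;
-+$tail = 123;
-+$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
-+$tail);
-+$app1Len = 2 + strlen($payload);
-+
-+// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
-+$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
-+"\x01\x11\x00";
-+$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
-+"\xFF\xD9";
-+file_put_contents($file, $jpeg);
-+
-+// Read through a filter to enforce multiple reads
-+$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
-+$info = null;
-+@getimagesize($src, $info);
-+$exp = $payload;
-+$ret = $info['APP1'];
-+
-+var_dump($ret === $exp);
-+
-+?>
-+--CLEAN--
-+<?php
-+@unlink(__DIR__ . '/gh20584.jpg');
-+?>
-+--EXPECT--
-+bool(true)
---
-2.43.5
-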
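--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a46c3692d37f8c539b3b00ea4ab7ebc2d7db5507 Mon Sep 17 00:00:00 2001
-From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
-Date: Sun, 9 Nov 2025 13:23:11 +0100
-Subject: [PATCH] Fix GHSA-h96m-rvf9-jgm2
-
-CVE: CVE-2025-14178
-Upstream-Status: Backport [https://github.com/php/php-src/commit/c4268c15e361]
-
-(cherry picked from commit c4268c15e361ccd79289a3909f332ab2153f72e7)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
----
- ext/standard/array.c | 7 ++++++-
- .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
- create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
-
-diff --git a/ext/standard/array.c b/ext/standard/array.c
-index a1a92934084..30b9a425b20 100644
---- a/ext/standard/array.c
-+++ b/ext/standard/array.c
-@@ -3903,7 +3903,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
- int argc, i;
- zval *src_entry;
- HashTable *src, *dest;
-- uint32_t count = 0;
-+ uint64_t count = 0;
-
- ZEND_PARSE_PARAMETERS_START(0, -1)
- Z_PARAM_VARIADIC('+', args, argc)
-@@ -3923,6 +3923,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
- count += zend_hash_num_elements(Z_ARRVAL_P(arg));
- }
-
-+ if (UNEXPECTED(count >= HT_MAX_SIZE)) {
-+ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
-+ RETURN_THROWS();
-+ }
-+
- if (argc == 2) {
- zval *ret = NULL;
-
-diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
-new file mode 100644
-index 00000000000..2e3e85357e1
---- /dev/null
-+++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
-@@ -0,0 +1,16 @@
-+--TEST--
-+GHSA-h96m-rvf9-jgm2
-+--FILE--
-+<?php
-+
-+$power = 20; // Chosen to be well within a memory_limit
-+$arr = range(0, 2**$power);
-+try {
-+ array_merge(...array_fill(0, 2**(32-$power), $arr));
-+} catch (Error $e) {
-+ echo $e->getMessage(), "\n";
-+}
-+
-+?>
-+--EXPECTF--
-+The total number of elements must be lower than %d
---
-2.43.7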
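--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14180.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 86f18141dd016a7927083cc122c71f1a8877b414 Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka <bukka@php.net>
-Date: Sat, 11 Oct 2025 19:37:26 +0200
-Subject: [PATCH] Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
-
-CVE: CVE-2025-14180
-Upstream-Status: Backport [https://github.com/php/php-src/commit/5797b94652c3]
-
-(cherry picked from commit 5797b94652c366521bff55f8e1a26ed6188f31b8)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
----
- ext/pdo/pdo_sql_parser.re | 6 +++++
- ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt | 28 ++++++++++++++++++++
- 2 files changed, 34 insertions(+)
- create mode 100644 ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
-
-diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re
-index 6bb0837fb31..7f4721d12a6 100644
---- a/ext/pdo/pdo_sql_parser.re
-+++ b/ext/pdo/pdo_sql_parser.re
-@@ -287,6 +287,12 @@ safe:
- }
-
- plc->quoted = stmt->dbh->methods->quoter(stmt->dbh, buf, param_type);
-+ if (plc->quoted == NULL) {
-+ /* bork */
-+ ret = -1;
-+ strncpy(stmt->error_code, stmt->dbh->error_code, 6);
-+ goto clean_up;
-+ }
- }
- }
-
-diff --git a/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
-new file mode 100644
-index 00000000000..736354cab13
---- /dev/null
-+++ b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
-@@ -0,0 +1,28 @@
-+--TEST--
-+#GHSA-8xr5-qppj-gvwj: NULL Pointer Derefernce for failed user input quoting
-+--EXTENSIONS--
-+pdo
-+pdo_pgsql
-+--SKIPIF--
-+<?php
-+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
-+require_once dirname(__FILE__) . '/config.inc';
-+PDOTest::skip();
-+?>
-+--FILE--
-+<?php
-+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
-+require_once dirname(__FILE__) . '/config.inc';
-+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
-+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-+$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
-+
-+$sql = "SELECT * FROM users where username = :username";
-+$stmt = $db->prepare($sql);
-+
-+$p1 = "alice\x99";
-+var_dump($stmt->execute(['username' => $p1]));
-+
-+?>
-+--EXPECT--
-+bool(false)
---
-2.43.7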
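--- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.2.30.bb
@@ -20,9 +20,6 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
  file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
  file://0010-iconv-fix-detection.patch \
  file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
- file://CVE-2025-14177.patch \
- file://CVE-2025-14178.patch \
- file://CVE-2025-14180.patch \
  "
 
 SRC_URI:append:class-target = " \
@@ -37,7 +34,7 @@ SRC_URI:append:class-target = " \
  "
 
 S = "${WORKDIR}/php-${PV}"
-SRC_URI[sha256sum] = "51979e8d198cbade2aad4ffe9f53dd3f04f9602d3089e5979985e058ade4267c"
+SRC_URI[sha256sum] = "104820b6c8fc959dde4b3342135f42bdabf246e86918a16381a17d8447c866fa"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_PHP"
 CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."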