From 7b341858beb888b00e78db688fd70436cc973953 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 24 2022 15:04:17 +0000
Subject: import php-7.4.19-4.module+el8.6.0+16316+906f6c6d
---
diff --git a/SOURCES/php-CVE-2022-31625.patch b/SOURCES/php-CVE-2022-31625.patch
new file mode 100644
index 0000000..c45fab0
--- /dev/null
+++ b/SOURCES/php-CVE-2022-31625.patch
@@ -0,0 +1,73 @@
+From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Tue, 17 May 2022 12:59:23 +0200
+Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading
+ to RCE
+
+We must not free parameters which we haven't initialized yet.
+
+We also fix the not directly related issue, that we checked for the
+wrong value being `NULL`, potentially causing a segfault.
+---
+ ext/pgsql/pgsql.c | 6 +++---
+ ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 ext/pgsql/tests/bug81720.phpt
+
+diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
+index f52ff884d83c..7dcd56cf1441 100644
+--- a/ext/pgsql/pgsql.c
++++ b/ext/pgsql/pgsql.c
+@@ -1994,7 +1994,7 @@ PHP_FUNCTION(pg_query_params)
+ if (Z_TYPE(tmp_val) != IS_STRING) {
+ php_error_docref(NULL, E_WARNING,"Error converting parameter");
+ zval_ptr_dtor(&tmp_val);
+- _php_pgsql_free_params(params, num_params);
++ _php_pgsql_free_params(params, i);
+ RETURN_FALSE;
+ }
+ params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val));
+@@ -5175,8 +5175,8 @@ PHP_FUNCTION(pg_send_execute)
+ params[i] = NULL;
+ } else {
+ zend_string *tmp_str = zval_try_get_string(tmp);
+- if (UNEXPECTED(!tmp)) {
+- _php_pgsql_free_params(params, num_params);
++ if (UNEXPECTED(!tmp_str)) {
++ _php_pgsql_free_params(params, i);
+ return;
+ }
+ params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str));
+diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt
+new file mode 100644
+index 000000000000..d79f1fcdd612
+--- /dev/null
++++ b/ext/pgsql/tests/bug81720.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
++--SKIPIF--
++
++--FILE--
++getMessage(), PHP_EOL;
++}
++
++try {
++ pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
++ pg_get_result($conn);
++ pg_send_execute($conn, "my_query", [1, new stdClass()]);
++} catch
(Throwable $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++?> ++--EXPECT-- ++Object of class stdClass could not be converted to string ++Object of class stdClass could not be converted to string diff --git a/SPECS/php.spec b/SPECS/php.spec index afcefca..76fed93 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -60,7 +60,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 3%{?dist} +Release: 4%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -111,6 +111,7 @@ Patch47: php-5.6.3-phpinfo.patch Patch200: php-7.4.19-CVE-2021-21703.patch Patch201: php-7.4.19-CVE-2021-21705.patch Patch202: php-CVE-2022-31626.patch +Patch203: php-CVE-2022-31625.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -724,6 +725,7 @@ in pure PHP. %patch200 -p1 -b .cve21705 %patch201 -p1 -b .cve21703 %patch202 -p1 -b .cve31626 +%patch203 -p1 -b .cve31625 # Fixes for tests %patch300 -p1 -b .datetests @@ -1515,6 +1517,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Tue Aug 9 2022 Remi Collet - 7.4.19-4 +- fix uninitialized array in pg_query_params() leading to RCE + CVE-2022-31625 + * Wed Jun 22 2022 Remi Collet - 7.4.19-3 - fix password of excessive length triggers buffer overflow leading to RCE CVE-2022-31626
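Review bot: Both `_php_pgsql_free_params(params, i)` changes make correctness depend on every early exit between the allocation of `params` and the end of the conversion loop passing exactly the number of entries initialized so far; the allocation is outside the hunk, so it is worth confirming there is no other early return on that path, and a cheap complementary hardening would be to allocate the array zeroed (`ecalloc`) so that a free over any count only ever sees `NULL` or valid pointers. The commit message shows the array was previously left uninitialized, which is why the old `num_params` count freed garbage. Other `_php_pgsql_free_params` call sites in ext/pgsql/pgsql.c that this backport does not touch should be checked for the same count-before-initialization pattern. The embedded bug81720.phpt test appears in this rendering with its `<?php` blocks stripped, so the test body itself cannot be reviewed from this page.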