diff --git a/SOURCES/php-CVE-2022-31626.patch b/SOURCES/php-CVE-2022-31626.patch
new file mode 100644
index 0000000..7f89dcb
--- /dev/null
+++ b/SOURCES/php-CVE-2022-31626.patch
@@ -0,0 +1,23 @@
+From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <smalyshev@gmail.com>
+Date: Mon, 6 Jun 2022 00:56:51 -0600
+Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow
+
+---
+ ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
+index 87b2e7c31331..e4a298adaea4 100644
+--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
++++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
+@@ -771,7 +771,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet)
+ 	MYSQLND_VIO * vio = conn->vio;
+ 	MYSQLND_STATS * stats = conn->stats;
+ 	MYSQLND_CONNECTION_STATE * connection_state = &conn->state;
+-	zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
++	size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
++	zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
+ 	zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */
+ 
+ 	DBG_ENTER("php_mysqlnd_change_auth_response_write");
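Review bot: The added `total_packet_size` line computes `packet->auth_data_len + MYSQLND_HEADER_SIZE` with no overflow guard and no comment saying why the header is counted, so the invariant this fix depends on stays implicit. Because `p` starts at `buffer + MYSQLND_HEADER_SIZE`, the buffer has to hold the header plus the auth data; a comment such as `/* header + auth data: p starts MYSQLND_HEADER_SIZE bytes into buffer */` above the declaration would record that for the next maintainer. The type and upper bound of `packet->auth_data_len` are not visible in this hunk, so whether the sum can wrap should be confirmed against the callers; if it can, a check like `if (packet->auth_data_len > SIZE_MAX - MYSQLND_HEADER_SIZE)` belongs before the allocation. The function body continues outside the hunk, so the copy into `p` and the release path for the `mnd_emalloc` buffer cannot be verified from here.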
diff --git a/SPECS/php.spec b/SPECS/php.spec
index 1c7996e..afcefca 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -60,7 +60,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -110,6 +110,7 @@ Patch47: php-5.6.3-phpinfo.patch
 # Security fixes (200+)
 Patch200: php-7.4.19-CVE-2021-21703.patch
 Patch201: php-7.4.19-CVE-2021-21705.patch
+Patch202: php-CVE-2022-31626.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -722,6 +723,7 @@ in pure PHP.
 # security patches
 %patch200 -p1 -b .cve21705
 %patch201 -p1 -b .cve21703
+%patch202 -p1 -b .cve31626
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1513,6 +1515,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Wed Jun 22 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-3
+- fix password of excessive length triggers buffer overflow leading to RCE
+  CVE-2022-31626
+
 * Wed Jan 19 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-2
 - fix SSRF bypass in FILTER_VALIDATE_URL
   CVE-2021-21705