diff --git a/SOURCES/php-7.3.5-CVE-2019-11043.patch b/SOURCES/php-7.3.5-CVE-2019-11043.patch
new file mode 100644
index 0000000..9539a0e
--- /dev/null
+++ b/SOURCES/php-7.3.5-CVE-2019-11043.patch
@@ -0,0 +1,133 @@
+From 19e17d3807e6cc0b1ba9443ec5facbd33a61f8fe Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka
+Date: Sat, 12 Oct 2019 15:56:16 +0100
+Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)
+ (CVE-2019-11043)
+
+(cherry picked from commit ab061f95ca966731b1c84cf5b7b20155c0a1c06a)
+---
+ NEWS | 2 +
+ sapi/fpm/fpm/fpm_main.c | 4 +-
+ .../tests/bug78599-path-info-underflow.phpt | 61 +++++++++++++++++++
+ sapi/fpm/tests/tester.inc | 11 +++-
+ 4 files changed, 74 insertions(+), 4 deletions(-)
+ create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index 483fabe9d850..dfc0d8f7413c 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1148,8 +1148,8 @@ static void init_request_info(void)
+ path_info = script_path_translated + ptlen;
+ tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
+ } else {
+- path_info = env_path_info ? env_path_info + pilen - slen : NULL;
+- tflag = (orig_path_info != path_info);
++ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
++ tflag = path_info && (orig_path_info != path_info);
+ }
+
+ if (tflag) {
+diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
+new file mode 100644
+index 000000000000..edd4e0d49699
+--- /dev/null
++++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
+@@ -0,0 +1,61 @@
++--TEST--
++FPM: bug78599 - env_path_info underflow - CVE-2019-11043
++--SKIPIF--
++
++--FILE--
++start();
++$tester->expectLogStartNotices();
++$uri = $tester->makeSourceFile();
++$tester
++ ->request(
++ '',
++ [
++ 'SCRIPT_FILENAME' => $uri . "/" .
str_repeat('A', 35), ++ 'PATH_INFO' => '', ++ 'HTTP_HUI' => str_repeat('PTEST', 1000), ++ ], ++ $uri ++ ) ++ ->expectBody( ++ [ ++ 'Test Start', ++ 'string(0) ""', ++ 'Test End' ++ ] ++ ); ++$tester->terminate(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++Done ++--CLEAN-- ++ +diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +index 001b7d6a54ea..188fd4885943 100644 +--- a/sapi/fpm/tests/tester.inc ++++ b/sapi/fpm/tests/tester.inc +@@ -513,7 +513,7 @@ class Tester + return new Response(null, true); + } + if (is_null($uri)) { +- $uri = $this->makeFile('src.php', $this->code); ++ $uri = $this->makeSourceFile(); + } + + $params = array_merge( +@@ -538,7 +538,6 @@ class Tester + ], + $headers + ); +- + try { + $this->response = new Response( + $this->getClient($address, $connKeepAlive)->request_data($params, false) +@@ -944,6 +943,14 @@ class Tester + return $filePath; + } + ++ /** ++ * @return string ++ */ ++ public function makeSourceFile() ++ { ++ return $this->makeFile('src.php', $this->code); ++ } ++ + /** + * @param string|null $msg + */ diff --git a/SPECS/php.spec b/SPECS/php.spec index 685daec..c9e471d 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -67,7 +67,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 5%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -116,6 +116,7 @@ Patch47: php-5.6.3-phpinfo.patch # Upstream fixes (100+) # Security fixes (200+) +Patch200: php-7.3.5-CVE-2019-11043.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -721,6 +722,7 @@ low-level PHP extension for the libsodium cryptographic library. # upstream patches # security patches +%patch200 -p1 -b .cve11043 # Fixes for tests %patch300 -p1 -b .datetests 
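Review bot: The new guard on the `path_info` line in `init_request_info` has no comment stating the invariant it enforces, so the reason for `pilen > slen` is only recoverable from the commit subject; I would add above it `/* slen > pilen would put path_info before the start of env_path_info (bug #78599) */`. The strict `>` also maps the equal-length case to NULL, where `env_path_info + pilen - slen` was still in bounds (it equals `env_path_info`); that looks harmless because `tflag` is then 0, but it depends on nothing after the `if (tflag)` block reading `path_info`, and that code is outside the hunk. The guard covers only the lower bound and relies on `slen` being non-negative, which is also computed outside the hunk. Separately, the patch header's diffstat still lists `NEWS` and four files while only three file sections are carried, so the header no longer describes what `%patch200` applies.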
@@ -816,10 +818,6 @@ chmod 644 README.* # Some extensions have their own configuration file cp %{SOURCE50} 10-opcache.ini -%ifarch x86_64 -sed -e '/opcache.huge_code_pages/s/0/1/' -i 10-opcache.ini -%endif - %build # Set build date from https://reproducible-builds.org/specs/source-date-epoch/ @@ -1571,6 +1569,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Tue Oct 29 2019 Remi Collet - 7.3.5-5 +- fix underflow in env_path_info in fpm_main.c CVE-2019-11043 + +* Mon Jul 1 2019 Remi Collet - 7.3.5-3 +- fix AVC denied httpd_execmem when php-opcache is installed #1725104 + * Tue May 14 2019 Remi Collet - 7.3.5-2 - cleanup php-devel dependencies