diff --git a/SOURCES/php-CVE-2022-31626.patch b/SOURCES/php-CVE-2022-31626.patch new file mode 100644 index 0000000..7f89dcb --- /dev/null +++ b/SOURCES/php-CVE-2022-31626.patch @@ -0,0 +1,23 @@ +From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 6 Jun 2022 00:56:51 -0600 +Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow + +--- + ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c +index 87b2e7c31331..e4a298adaea4 100644 +--- a/ext/mysqlnd/mysqlnd_wireprotocol.c ++++ b/ext/mysqlnd/mysqlnd_wireprotocol.c +@@ -771,7 +771,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet) + MYSQLND_VIO * vio = conn->vio; + MYSQLND_STATS * stats = conn->stats; + MYSQLND_CONNECTION_STATE * connection_state = &conn->state; +- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); ++ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE; ++ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); + zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ + + DBG_ENTER("php_mysqlnd_change_auth_response_write"); diff --git a/SPECS/php.spec b/SPECS/php.spec index 3cb6d5b..25dae18 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -60,7 +60,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -119,6 +119,7 @@ Patch51: php-8.0.13-crypt.patch # Upstream fixes (100+) # Security fixes (200+) +Patch200: php-CVE-2022-31626.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -709,6 +710,7 @@ in pure PHP. # upstream patches # security patches +%patch200 -p1 -b .cve31626 # Fixes for tests %patch300 -p1 -b .datetests @@ -1504,6 +1506,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Wed Jun 22 2022 Remi Collet - 8.0.13-3 +- fix password of excessive length triggers buffer overflow leading to RCE + CVE-2022-31626 + * Tue Dec 14 2021 Remi Collet - 8.0.13-2 - refresh provided configuration from upstream