diff --git a/SOURCES/php-5.4.16-CVE-2018-10547.patch b/SOURCES/php-5.4.16-CVE-2018-10547.patch new file mode 100644 index 0000000..fa05d77 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2018-10547.patch @@ -0,0 +1,203 @@ +From 6e64aba47f4e41d97c4d010024c68320c0855f45 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 27 Mar 2018 21:22:28 -0700 +Subject: [PATCH] Fix #76129 - remove more potential unfiltered outputs for + phar + +--- + ext/phar/phar_object.c | 6 ++---- + ext/phar/tests/cache_list/frontcontroller10.phpt | 2 +- + ext/phar/tests/cache_list/frontcontroller6.phpt | 2 +- + ext/phar/tests/cache_list/frontcontroller8.phpt | 2 +- + ext/phar/tests/frontcontroller10.phpt | 2 +- + ext/phar/tests/frontcontroller6.phpt | 2 +- + ext/phar/tests/frontcontroller8.phpt | 2 +- + ext/phar/tests/tar/frontcontroller10.phar.phpt | 2 +- + ext/phar/tests/tar/frontcontroller6.phar.phpt | 2 +- + ext/phar/tests/tar/frontcontroller8.phar.phpt | 2 +- + ext/phar/tests/zip/frontcontroller10.phar.phpt | 2 +- + ext/phar/tests/zip/frontcontroller6.phar.phpt | 2 +- + ext/phar/tests/zip/frontcontroller8.phar.phpt | 2 +- + 13 files changed, 14 insertions(+), 16 deletions(-) + +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 64d7a6c..a6f56ac 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -340,8 +340,7 @@ static void phar_do_403(char *entry, int entry_len TSRMLS_DC) /* {{{ */ + sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC); + sapi_send_headers(TSRMLS_C); + PHPWRITE("\n \n Access Denied\n \n \n

403 - File ", sizeof("\n \n Access Denied\n \n \n

403 - File ") - 1); +- PHPWRITE(entry, entry_len); +- PHPWRITE(" Access Denied

\n \n", sizeof(" Access Denied\n \n") - 1); ++ PHPWRITE("Access Denied\n \n", sizeof("Access Denied\n \n") - 1); + } + /* }}} */ + +@@ -365,8 +364,7 @@ static void phar_do_404(phar_archive_data *phar, char *fname, int fname_len, cha + sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC); + sapi_send_headers(TSRMLS_C); + PHPWRITE("\n \n File Not Found\n \n \n

404 - File ", sizeof("\n \n File Not Found\n \n \n

404 - File ") - 1); +- PHPWRITE(entry, entry_len); +- PHPWRITE(" Not Found

\n \n", sizeof(" Not Found\n \n") - 1); ++ PHPWRITE("Not Found\n \n", sizeof("Not Found\n \n") - 1); + } + /* }}} */ + +diff --git a/ext/phar/tests/cache_list/frontcontroller10.phpt b/ext/phar/tests/cache_list/frontcontroller10.phpt +index 00177d4..5fd9868 100644 +--- a/ext/phar/tests/cache_list/frontcontroller10.phpt ++++ b/ext/phar/tests/cache_list/frontcontroller10.phpt +@@ -20,6 +20,6 @@ Status: 403 Access Denied + Access Denied + + +-

403 - File /hi Access Denied

++

403 - File Access Denied

+ + +diff --git a/ext/phar/tests/cache_list/frontcontroller6.phpt b/ext/phar/tests/cache_list/frontcontroller6.phpt +index 2480be4..a79c958 100644 +--- a/ext/phar/tests/cache_list/frontcontroller6.phpt ++++ b/ext/phar/tests/cache_list/frontcontroller6.phpt +@@ -18,6 +18,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /notfound.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/cache_list/frontcontroller8.phpt b/ext/phar/tests/cache_list/frontcontroller8.phpt +index bf9b390..e04f9e5 100644 +--- a/ext/phar/tests/cache_list/frontcontroller8.phpt ++++ b/ext/phar/tests/cache_list/frontcontroller8.phpt +@@ -18,6 +18,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /index.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/frontcontroller10.phpt b/ext/phar/tests/frontcontroller10.phpt +index 667d5c2..b3f5e64 100644 +--- a/ext/phar/tests/frontcontroller10.phpt ++++ b/ext/phar/tests/frontcontroller10.phpt +@@ -19,6 +19,6 @@ Status: 403 Access Denied + Access Denied + + +-

403 - File /hi Access Denied

++

403 - File Access Denied

+ + +diff --git a/ext/phar/tests/frontcontroller6.phpt b/ext/phar/tests/frontcontroller6.phpt +index 1a2cc2c..c5dd382 100644 +--- a/ext/phar/tests/frontcontroller6.phpt ++++ b/ext/phar/tests/frontcontroller6.phpt +@@ -16,6 +16,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /notfound.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/frontcontroller8.phpt b/ext/phar/tests/frontcontroller8.phpt +index 36e3206..77d33da 100644 +--- a/ext/phar/tests/frontcontroller8.phpt ++++ b/ext/phar/tests/frontcontroller8.phpt +@@ -16,6 +16,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /index.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/tar/frontcontroller10.phar.phpt b/ext/phar/tests/tar/frontcontroller10.phar.phpt +index f1fc6e3..23ce6f3 100644 +--- a/ext/phar/tests/tar/frontcontroller10.phar.phpt ++++ b/ext/phar/tests/tar/frontcontroller10.phar.phpt +@@ -19,6 +19,6 @@ Status: 403 Access Denied + Access Denied + + +-

403 - File /hi Access Denied

++

403 - File Access Denied

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/tar/frontcontroller6.phar.phpt b/ext/phar/tests/tar/frontcontroller6.phar.phpt +index 5375bee..b811f00 100644 +--- a/ext/phar/tests/tar/frontcontroller6.phar.phpt ++++ b/ext/phar/tests/tar/frontcontroller6.phar.phpt +@@ -16,6 +16,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /notfound.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/tar/frontcontroller8.phar.phpt b/ext/phar/tests/tar/frontcontroller8.phar.phpt +index 19844cb..a180e20 100644 +--- a/ext/phar/tests/tar/frontcontroller8.phar.phpt ++++ b/ext/phar/tests/tar/frontcontroller8.phar.phpt +@@ -16,6 +16,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /index.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/zip/frontcontroller10.phar.phpt b/ext/phar/tests/zip/frontcontroller10.phar.phpt +index 56d16c2..5bbe9e1 100644 +--- a/ext/phar/tests/zip/frontcontroller10.phar.phpt ++++ b/ext/phar/tests/zip/frontcontroller10.phar.phpt +@@ -19,6 +19,6 @@ Status: 403 Access Denied + Access Denied + + +-

403 - File /hi Access Denied

++

403 - File Access Denied

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/zip/frontcontroller6.phar.phpt b/ext/phar/tests/zip/frontcontroller6.phar.phpt +index 15489f6..63f7c62 100644 +--- a/ext/phar/tests/zip/frontcontroller6.phar.phpt ++++ b/ext/phar/tests/zip/frontcontroller6.phar.phpt +@@ -17,6 +17,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /notfound.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +diff --git a/ext/phar/tests/zip/frontcontroller8.phar.phpt b/ext/phar/tests/zip/frontcontroller8.phar.phpt +index 1b0d133..d4c3a3f 100644 +--- a/ext/phar/tests/zip/frontcontroller8.phar.phpt ++++ b/ext/phar/tests/zip/frontcontroller8.phar.phpt +@@ -16,6 +16,6 @@ Status: 404 Not Found + File Not Found + + +-

404 - File /index.php Not Found

++

404 - File Not Found

+ + +\ No newline at end of file +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2018-5712.patch b/SOURCES/php-5.4.16-CVE-2018-5712.patch new file mode 100644 index 0000000..f0f3ad5 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2018-5712.patch @@ -0,0 +1,429 @@ +From 73ca9b37731dd9690ffd9706333b17eaf90ea091 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 2 Jul 2017 13:29:37 -0700 +Subject: [PATCH] Fix bug #74782: remove file name from output to avoid XSS + +--- + ext/phar/shortarc.php | 2 +- + ext/phar/stub.h | 4 ++-- + ext/phar/tests/cache_list/copyonwrite11.phar.phpt | 2 +- + ext/phar/tests/phar_commitwrite.phpt | 2 +- + ext/phar/tests/phar_convert_repeated.phpt | 2 +- + ext/phar/tests/phar_create_in_cwd.phpt | 2 +- + ext/phar/tests/phar_createdefaultstub.phpt | 22 +++++++++++----------- + ext/phar/tests/phar_offset_check.phpt | 4 ++-- + ext/phar/tests/phar_setdefaultstub.phpt | 20 ++++++++++---------- + ext/phar/tests/tar/phar_convert_phar.phpt | 6 +++--- + ext/phar/tests/tar/phar_convert_phar2.phpt | 6 +++--- + ext/phar/tests/tar/phar_convert_phar3.phpt | 6 +++--- + ext/phar/tests/tar/phar_convert_phar4.phpt | 6 +++--- + ext/phar/tests/zip/phar_convert_phar.phpt | 6 +++--- + 14 files changed, 45 insertions(+), 45 deletions(-) + +diff --git a/ext/phar/shortarc.php b/ext/phar/shortarc.php +index 1bf3baa..e5ac8ba 100644 +--- a/ext/phar/shortarc.php ++++ b/ext/phar/shortarc.php +@@ -74,7 +74,7 @@ if (@(isset($_SERVER['REQUEST_URI']) && isset($_SERVER['REQUEST_METHOD']) && ($_ + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +- echo "\n \n File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++ echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +diff --git a/ext/phar/stub.h b/ext/phar/stub.h +index 2825142..1edbb06 100644 +--- a/ext/phar/stub.h ++++ b/ext/phar/stub.h +@@ -22,13 +22,13 @@ static inline void phar_get_stub(const char *index_php, const char *web, size_t + { + static const char newstub0[] = "<?php\n\n$web = '"; + static const char newstub1_0[] = "';\n\nif (in_array('phar', stream_get_wrappers()) && class_exists('Phar', 0)) {\nPhar::interceptFileFuncs();\nset_include_path('phar://' . __FILE__ . PATH_SEPARATOR . get_include_path());\nPhar::webPhar(null, $web);\ninclude 'phar://' . __FILE__ . '/' . Extract_Phar::START;\nreturn;\n}\n\nif (@(isset($_SERVER['REQUEST_URI']) && isset($_SERVER['REQUEST_METHOD']) && ($_SERVER['REQUEST_METHOD'] == 'GET' || $_SERVER['REQUEST_METHOD'] == 'POST'))) {\nExtract_Phar::go(true);\n$mimes = array(\n'phps' => 2,\n'c' => 'text/plain',\n'cc' => 'text/plain',\n'cpp' => 'text/plain',\n'c++' => 'text/plain',\n'dtd' => 'text/plain',\n'h' => 'text/plain',\n'log' => 'text/plain',\n'rng' => 'text/plain',\n'txt' => 'text/plain',\n'xsd' => 'text/plain',\n'php' => 1,\n'inc' => 1,\n'avi' => 'video/avi',\n'bmp' => 'image/bmp',\n'css' => 'text/css',\n'gif' => 'image/gif',\n'htm' => 'text/html',\n'html' => 'text/html',\n'htmls' => 'text/html',\n'ico' => 'image/x-ico',\n'jpe' => 'image/jpeg',\n'jpg' => 'image/jpeg',\n'jpeg' => 'image/jpeg',\n'js' => 'application/x-javascript',\n'midi' => 'audio/midi',\n'mid' => 'audio/midi',\n'mod' => 'audio/mod',\n'mov' => 'movie/quicktime',\n'mp3' => 'audio/mp3',\n'mpg' => 'video/mpeg',\n'mpeg' => 'video/mpeg',\n'pdf' => 'application/pdf',\n'png' => 'image/png',\n'swf' => 'application/shockwave-flash',\n'tif' => 'image/tiff',\n'tiff' => 'image/tiff',\n'wav' => 'audio/wav',\n'xbm' => 'image/xbm',\n'xml' => 'text/xml',\n);\n\nheader(\"Cache-Control: no-cache, must-revalidate\");\nheader(\"Pragma: no-cache\");\n\n$basename = basename(__FILE__);\nif (!strpos($_SERVER['REQUEST_URI'], $basename)) {\nchdir(Extract_Phar::$temp);\ninclude $web;\nreturn;\n}\n$pt = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], $basename) + strlen($basename));\nif (!$pt || $pt == '/') {\n$pt = $web;\nheader('HTTP/1.1 301 Moved Permanently');\nheader('Location: ' . $_SERVER['REQUEST_URI'] . '/' . $pt);\nexit;\n}\n$a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);\nif (!$a || strlen(dirname($a)) < strlen("; +- static const char newstub1_1[] = "Extract_Phar::$temp)) {\nheader('HTTP/1.0 404 Not Found');\necho \"<html>\\n <head>\\n <title>File Not Found<title>\\n </head>\\n <body>\\n <h1>404 - File \", $pt, \" Not Found</h1>\\n </body>\\n</html>\";\nexit;\n}\n$b = pathinfo($a);\nif (!isset($b['extension'])) {\nheader('Content-Type: text/plain');\nheader('Content-Length: ' . filesize($a));\nreadfile($a);\nexit;\n}\nif (isset($mimes[$b['extension']])) {\nif ($mimes[$b['extension']] === 1) {\ninclude $a;\nexit;\n}\nif ($mimes[$b['extension']] === 2) {\nhighlight_file($a);\nexit;\n}\nheader('Content-Type: ' .$mimes[$b['extension']]);\nheader('Content-Length: ' . filesize($a));\nreadfile($a);\nexit;\n}\n}\n\nclass Extract_Phar\n{\nstatic $temp;\nstatic $origdir;\nconst GZ = 0x1000;\nconst BZ2 = 0x2000;\nconst MASK = 0x3000;\nconst START = '"; ++ static const char newstub1_1[] = "Extract_Phar::$temp)) {\nheader('HTTP/1.0 404 Not Found');\necho \"<html>\\n <head>\\n <title>File Not Found<title>\\n </head>\\n <body>\\n <h1>404 - File Not Found</h1>\\n </body>\\n</html>\";\nexit;\n}\n$b = pathinfo($a);\nif (!isset($b['extension'])) {\nheader('Content-Type: text/plain');\nheader('Content-Length: ' . filesize($a));\nreadfile($a);\nexit;\n}\nif (isset($mimes[$b['extension']])) {\nif ($mimes[$b['extension']] === 1) {\ninclude $a;\nexit;\n}\nif ($mimes[$b['extension']] === 2) {\nhighlight_file($a);\nexit;\n}\nheader('Content-Type: ' .$mimes[$b['extension']]);\nheader('Content-Length: ' . filesize($a));\nreadfile($a);\nexit;\n}\n}\n\nclass Extract_Phar\n{\nstatic $temp;\nstatic $origdir;\nconst GZ = 0x1000;\nconst BZ2 = 0x2000;\nconst MASK = 0x3000;\nconst START = '"; + static const char newstub2[] = "';\nconst LEN = "; + static const char newstub3_0[] = ";\n\nstatic function go($return = false)\n{\n$fp = fopen(__FILE__, 'rb');\nfseek($fp, self::LEN);\n$L = unpack('V', $a = (binary)fread($fp, 4));\n$m = (binary)'';\n\ndo {\n$read = 8192;\nif ($L[1] - strlen($m) < 8192) {\n$read = $L[1] - strlen($m);\n}\n$last = (binary)fread($fp, $read);\n$m .= $last;\n} while (strlen($last) && strlen($m) < $L[1]);\n\nif (strlen($m) < $L[1]) {\ndie('ERROR: manifest length read was \"' .\nstrlen($m) .'\" should be \"' .\n$L[1] . '\"');\n}\n\n$info = self::_unpack($m);\n$f = $info['c'];\n\nif ($f & self::GZ) {\nif (!function_exists('gzinflate')) {\ndie('Error: zlib extension is not enabled -' .\n' gzinflate() function needed for zlib-compressed .phars');\n}\n}\n\nif ($f & self::BZ2) {\nif (!function_exists('bzdecompress')) {\ndie('Error: bzip2 extension is not enabled -' .\n' bzdecompress() function needed for bz2-compressed .phars');\n}\n}\n\n$temp = self::tmpdir();\n\nif (!$temp || !is_writable($temp)) {\n$sessionpath = session_save_path();\nif (strpos ($sessionpath, \";\") !== false)\n$sessionpath = substr ($sessionpath, strpos ($sessionpath, \";\")+1);\nif (!file_exists($sessionpath) || !is_dir($sessionpath)) {\ndie('Could not locate temporary directory to extract phar');\n}\n$temp = $sessionpath;\n}\n\n$temp .= '/pharextract/'.basename(__FILE__, '.phar');\nself::$temp = $temp;\nself::$origdir = getcwd();\n@mkdir($temp, 0777, true);\n$temp = realpath($temp);\n\nif (!file_exists($temp . DIRECTORY_SEPARATOR . md5_file(__FILE__))) {\nself::_removeTmpFiles($temp, getcwd());\n@mkdir($temp, 0777, true);\n@file_put_contents($temp . '/' . md5_file(__FILE__), '');\n\nforeach ($info['m'] as $path => $file) {\n$a = !file_exists(dirname($temp . '/' . $path));\n@mkdir(dirname($temp . '/' . $path), 0777, true);\nclearstatcache();\n\nif ($path[strlen($path) - 1] == '/') {\n@mkdir($temp . '/' . $path, 0777);\n} else {\nfile_put_contents($temp . '/' . $path, self::extractFile($path, $file, $fp));\n@chmod($temp . '/' . $path, 0666);\n}\n}\n}\n\nchdir($temp);\n\nif (!$return) {\ninclude self::ST"; + static const char newstub3_1[] = "ART;\n}\n}\n\nstatic function tmpdir()\n{\nif (strpos(PHP_OS, 'WIN') !== false) {\nif ($var = getenv('TMP') ? getenv('TMP') : getenv('TEMP')) {\nreturn $var;\n}\nif (is_dir('/temp') || mkdir('/temp')) {\nreturn realpath('/temp');\n}\nreturn false;\n}\nif ($var = getenv('TMPDIR')) {\nreturn $var;\n}\nreturn realpath('/tmp');\n}\n\nstatic function _unpack($m)\n{\n$info = unpack('V', substr($m, 0, 4));\n $l = unpack('V', substr($m, 10, 4));\n$m = substr($m, 14 + $l[1]);\n$s = unpack('V', substr($m, 0, 4));\n$o = 0;\n$start = 4 + $s[1];\n$ret['c'] = 0;\n\nfor ($i = 0; $i < $info[1]; $i++) {\n $len = unpack('V', substr($m, $start, 4));\n$start += 4;\n $savepath = substr($m, $start, $len[1]);\n$start += $len[1];\n $ret['m'][$savepath] = array_values(unpack('Va/Vb/Vc/Vd/Ve/Vf', substr($m, $start, 24)));\n$ret['m'][$savepath][3] = sprintf('%u', $ret['m'][$savepath][3]\n& 0xffffffff);\n$ret['m'][$savepath][7] = $o;\n$o += $ret['m'][$savepath][2];\n$start += 24 + $ret['m'][$savepath][5];\n$ret['c'] |= $ret['m'][$savepath][4] & self::MASK;\n}\nreturn $ret;\n}\n\nstatic function extractFile($path, $entry, $fp)\n{\n$data = '';\n$c = $entry[2];\n\nwhile ($c) {\nif ($c < 8192) {\n$data .= @fread($fp, $c);\n$c = 0;\n} else {\n$c -= 8192;\n$data .= @fread($fp, 8192);\n}\n}\n\nif ($entry[4] & self::GZ) {\n$data = gzinflate($data);\n} elseif ($entry[4] & self::BZ2) {\n$data = bzdecompress($data);\n}\n\nif (strlen($data) != $entry[0]) {\ndie(\"Invalid internal .phar file (size error \" . strlen($data) . \" != \" .\n$stat[7] . \")\");\n}\n\nif ($entry[3] != sprintf(\"%u\", crc32((binary)$data) & 0xffffffff)) {\ndie(\"Invalid internal .phar file (checksum error)\");\n}\n\nreturn $data;\n}\n\nstatic function _removeTmpFiles($temp, $origdir)\n{\nchdir($temp);\n\nforeach (glob('*') as $f) {\nif (file_exists($f)) {\nis_dir($f) ? @rmdir($f) : @unlink($f);\nif (file_exists($f) && is_dir($f)) {\nself::_removeTmpFiles($f, getcwd());\n}\n}\n}\n\n@rmdir($temp);\nclearstatcache();\nchdir($origdir);\n}\n}\n\nExtract_Phar::go();\n__HALT_COMPIL"; + static const char newstub3_2[] = "ER(); ?>"; + +- static const int newstub_len = 6665; ++ static const int newstub_len = 6655; + + *len = spprintf(stub, name_len + web_len + newstub_len, "%s%s%s%s%s%s%d%s%s%s", newstub0, web, newstub1_0, newstub1_1, index_php, newstub2, name_len + web_len + newstub_len, newstub3_0, newstub3_1, newstub3_2); + } +diff --git a/ext/phar/tests/cache_list/copyonwrite11.phar.phpt b/ext/phar/tests/cache_list/copyonwrite11.phar.phpt +index 6538816..c3489e4 100644 +--- a/ext/phar/tests/cache_list/copyonwrite11.phar.phpt ++++ b/ext/phar/tests/cache_list/copyonwrite11.phar.phpt +@@ -18,5 +18,5 @@ echo strlen($p2->getStub()),"\n"; + echo "ok\n"; + __HALT_COMPILER(); ?> + " +-6685 ++6675 + ok +\ No newline at end of file +diff --git a/ext/phar/tests/phar_commitwrite.phpt b/ext/phar/tests/phar_commitwrite.phpt +index 36d473e..00343ca 100644 +--- a/ext/phar/tests/phar_commitwrite.phpt ++++ b/ext/phar/tests/phar_commitwrite.phpt +@@ -29,7 +29,7 @@ unlink(dirname(__FILE__) . '/brandnewphar.phar'); + __HALT_COMPILER(); + ?> + --EXPECT-- +-int(6683) ++int(6673) + string(200) "<?php + function __autoload($class) + { +diff --git a/ext/phar/tests/phar_convert_repeated.phpt b/ext/phar/tests/phar_convert_repeated.phpt +index e4b1fe4..7880bf4 100644 +--- a/ext/phar/tests/phar_convert_repeated.phpt ++++ b/ext/phar/tests/phar_convert_repeated.phpt +@@ -123,7 +123,7 @@ NULL + bool(true) + bool(false) + bool(false) +-int(6683) ++int(6673) + NULL + ================= convertToZip() ===================== + bool(false) +diff --git a/ext/phar/tests/phar_create_in_cwd.phpt b/ext/phar/tests/phar_create_in_cwd.phpt +index 4b0e659..57b2432 100644 +--- a/ext/phar/tests/phar_create_in_cwd.phpt ++++ b/ext/phar/tests/phar_create_in_cwd.phpt +@@ -32,7 +32,7 @@ __HALT_COMPILER(); + unlink(dirname(__FILE__) . '/brandnewphar.phar'); + ?> + --EXPECT-- +-int(6683) ++int(6673) + string(200) "<?php + function __autoload($class) + { +diff --git a/ext/phar/tests/phar_createdefaultstub.phpt b/ext/phar/tests/phar_createdefaultstub.phpt +index abc9ad8..f2ee297 100644 +--- a/ext/phar/tests/phar_createdefaultstub.phpt ++++ b/ext/phar/tests/phar_createdefaultstub.phpt +@@ -34,7 +34,7 @@ echo $e->getMessage() . "\n"; + ?> + ===DONE=== + --EXPECT-- +-string(6683) "<?php ++string(6673) "<?php + + $web = 'index.php'; + +@@ -110,7 +110,7 @@ exit; + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +-echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +@@ -144,7 +144,7 @@ const GZ = 0x1000; + const BZ2 = 0x2000; + const MASK = 0x3000; + const START = 'index.php'; +-const LEN = 6685; ++const LEN = 6675; + + static function go($return = false) + { +@@ -328,7 +328,7 @@ Extract_Phar::go(); + __HALT_COMPILER(); ?>" + ============================================================================ + ============================================================================ +-string(6694) "<?php ++string(6684) "<?php + + $web = 'index.php'; + +@@ -404,7 +404,7 @@ exit; + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +-echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +@@ -438,7 +438,7 @@ const GZ = 0x1000; + const BZ2 = 0x2000; + const MASK = 0x3000; + const START = 'my/custom/thingy.php'; +-const LEN = 6696; ++const LEN = 6686; + + static function go($return = false) + { +@@ -622,7 +622,7 @@ Extract_Phar::go(); + __HALT_COMPILER(); ?>" + ============================================================================ + ============================================================================ +-int(7074) ++int(7064) + ============================================================================ + ============================================================================ + Illegal filename passed in for stub creation, was 401 characters long, and only 400 or less is allowed +@@ -630,7 +630,7 @@ Illegal filename passed in for stub creation, was 401 characters long, and only + ============================================================================ + ============================================================================ + ============================================================================ +-string(6696) "<?php ++string(6686) "<?php + + $web = 'the/web.php'; + +@@ -706,7 +706,7 @@ exit; + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +-echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +@@ -740,7 +740,7 @@ const GZ = 0x1000; + const BZ2 = 0x2000; + const MASK = 0x3000; + const START = 'my/custom/thingy.php'; +-const LEN = 6698; ++const LEN = 6688; + + static function go($return = false) + { +@@ -924,6 +924,6 @@ Extract_Phar::go(); + __HALT_COMPILER(); ?>" + ============================================================================ + ============================================================================ +-int(7074) ++int(7064) + Illegal web filename passed in for stub creation, was 401 characters long, and only 400 or less is allowed + ===DONE=== +diff --git a/ext/phar/tests/phar_offset_check.phpt b/ext/phar/tests/phar_offset_check.phpt +index fe12534..303fed1 100644 +--- a/ext/phar/tests/phar_offset_check.phpt ++++ b/ext/phar/tests/phar_offset_check.phpt +@@ -70,8 +70,8 @@ var_dump($phar->getAlias()); + Entry .phar/stub.php does not exist + Entry .phar/alias.txt does not exist + Cannot set stub ".phar/stub.php" directly in phar "%sphar_offset_check.phar.php", use setStub +-int(6685) +-int(6685) ++int(6675) ++int(6675) + Cannot set alias ".phar/alias.txt" directly in phar "%sphar_offset_check.phar.php", use setAlias + string(5) "susan" + string(5) "susan" +diff --git a/ext/phar/tests/phar_setdefaultstub.phpt b/ext/phar/tests/phar_setdefaultstub.phpt +index 434e647..c8d12e9 100644 +--- a/ext/phar/tests/phar_setdefaultstub.phpt ++++ b/ext/phar/tests/phar_setdefaultstub.phpt +@@ -54,7 +54,7 @@ try { + unlink(dirname(__FILE__) . '/' . basename(__FILE__, '.clean.php') . '.phar'); + ?> + --EXPECT-- +-string(6685) "<?php ++string(6675) "<?php + + $web = 'index.php'; + +@@ -130,7 +130,7 @@ exit; + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +-echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +@@ -164,7 +164,7 @@ const GZ = 0x1000; + const BZ2 = 0x2000; + const MASK = 0x3000; + const START = 'index.php'; +-const LEN = 6685; ++const LEN = 6675; + + static function go($return = false) + { +@@ -349,7 +349,7 @@ __HALT_COMPILER(); ?> + " + ============================================================================ + ============================================================================ +-string(6696) "<?php ++string(6686) "<?php + + $web = 'index.php'; + +@@ -425,7 +425,7 @@ exit; + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +-echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +@@ -459,7 +459,7 @@ const GZ = 0x1000; + const BZ2 = 0x2000; + const MASK = 0x3000; + const START = 'my/custom/thingy.php'; +-const LEN = 6696; ++const LEN = 6686; + + static function go($return = false) + { +@@ -644,7 +644,7 @@ __HALT_COMPILER(); ?> + " + ============================================================================ + ============================================================================ +-string(6698) "<?php ++string(6688) "<?php + + $web = 'the/web.php'; + +@@ -720,7 +720,7 @@ exit; + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { + header('HTTP/1.0 404 Not Found'); +-echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>"; ++echo "<html>\n <head>\n <title>File Not Found<title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>"; + exit; + } + $b = pathinfo($a); +@@ -754,7 +754,7 @@ const GZ = 0x1000; + const BZ2 = 0x2000; + const MASK = 0x3000; + const START = 'my/custom/thingy.php'; +-const LEN = 6698; ++const LEN = 6688; + + static function go($return = false) + { +@@ -939,6 +939,6 @@ __HALT_COMPILER(); ?> + " + ============================================================================ + ============================================================================ +-int(7076) ++int(7066) + Illegal filename passed in for stub creation, was 401 characters long, and only 400 or less is allowed + ===DONE=== +diff --git a/ext/phar/tests/tar/phar_convert_phar.phpt b/ext/phar/tests/tar/phar_convert_phar.phpt +index d754ac1..b700f4a 100644 +--- a/ext/phar/tests/tar/phar_convert_phar.phpt ++++ b/ext/phar/tests/tar/phar_convert_phar.phpt +@@ -47,12 +47,12 @@ __HALT_COMPILER(); + ?> + --EXPECT-- + bool(false) +-int(6683) ++int(6673) + bool(true) + string(60) "<?php // tar-based phar archive stub file + __HALT_COMPILER();" + bool(true) +-int(6683) ++int(6673) + bool(true) +-int(6683) ++int(6673) + ===DONE=== +diff --git a/ext/phar/tests/tar/phar_convert_phar2.phpt b/ext/phar/tests/tar/phar_convert_phar2.phpt +index 58901ca..c3a38bd 100644 +--- a/ext/phar/tests/tar/phar_convert_phar2.phpt ++++ b/ext/phar/tests/tar/phar_convert_phar2.phpt +@@ -49,14 +49,14 @@ __HALT_COMPILER(); + ?> + --EXPECT-- + bool(false) +-int(6683) ++int(6673) + bool(true) + string(60) "<?php // tar-based phar archive stub file + __HALT_COMPILER();" + bool(true) + int(4096) +-int(6683) ++int(6673) + bool(true) + bool(true) +-int(6683) ++int(6673) + ===DONE=== +diff --git a/ext/phar/tests/tar/phar_convert_phar3.phpt b/ext/phar/tests/tar/phar_convert_phar3.phpt +index 543c89b..b6f7a160 100644 +--- a/ext/phar/tests/tar/phar_convert_phar3.phpt ++++ b/ext/phar/tests/tar/phar_convert_phar3.phpt +@@ -49,14 +49,14 @@ __HALT_COMPILER(); + ?> + --EXPECT-- + bool(false) +-int(6683) ++int(6673) + bool(true) + string(60) "<?php // tar-based phar archive stub file + __HALT_COMPILER();" + bool(true) + int(8192) +-int(6683) ++int(6673) + bool(true) + bool(true) +-int(6683) ++int(6673) + ===DONE=== +diff --git a/ext/phar/tests/tar/phar_convert_phar4.phpt b/ext/phar/tests/tar/phar_convert_phar4.phpt +index 9b095f1..3fcfd6c 100644 +--- a/ext/phar/tests/tar/phar_convert_phar4.phpt ++++ b/ext/phar/tests/tar/phar_convert_phar4.phpt +@@ -54,7 +54,7 @@ __HALT_COMPILER(); + ?> + --EXPECT-- + bool(false) +-int(6683) ++int(6673) + string(2) "hi" + bool(true) + string(60) "<?php // tar-based phar archive stub file +@@ -62,10 +62,10 @@ __HALT_COMPILER();" + string(2) "hi" + bool(true) + int(4096) +-int(6683) ++int(6673) + string(2) "hi" + bool(true) + bool(true) +-int(6683) ++int(6673) + string(2) "hi" + ===DONE=== +diff --git a/ext/phar/tests/zip/phar_convert_phar.phpt b/ext/phar/tests/zip/phar_convert_phar.phpt +index cad6d9f..f3c6b73 100644 +--- a/ext/phar/tests/zip/phar_convert_phar.phpt ++++ b/ext/phar/tests/zip/phar_convert_phar.phpt +@@ -46,12 +46,12 @@ __HALT_COMPILER(); + ?> + --EXPECT-- + bool(false) +-int(6683) ++int(6673) + bool(true) + string(60) "<?php // zip-based phar archive stub file + __HALT_COMPILER();" + bool(true) +-int(6683) ++int(6673) + bool(true) +-int(6683) ++int(6673) + ===DONE=== +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2018-5784.patch b/SOURCES/php-5.4.16-CVE-2018-5784.patch new file mode 100644 index 0000000..dd92569 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2018-5784.patch @@ -0,0 +1,68 @@ +From 7cf491b661ee57a11b79f99416c6296bae2f27a0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 20 Feb 2018 15:34:43 -0800 +Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start + +--- + ext/standard/http_fopen_wrapper.c | 4 ++-- + ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + create mode 100644 ext/standard/tests/http/bug75981.phpt + +diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c +index f6b0368..75d21c0 100644 +--- a/ext/standard/http_fopen_wrapper.c ++++ b/ext/standard/http_fopen_wrapper.c +@@ -691,9 +691,9 @@ finish: + tmp_line, response_code); + } + } +- if (tmp_line[tmp_line_len - 1] == '\n') { ++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') { + --tmp_line_len; +- if (tmp_line[tmp_line_len - 1] == '\r') { ++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') { + --tmp_line_len; + } + } +diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt +new file mode 100644 +index 0000000..d415de6 +--- /dev/null ++++ b/ext/standard/tests/http/bug75981.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #75981 (stack-buffer-overflow while parsing HTTP response) ++--INI-- ++allow_url_fopen=1 ++--SKIPIF-- ++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?> ++--FILE-- ++<?php ++require 'server.inc'; ++ ++$options = [ ++ 'http' => [ ++ 'protocol_version' => '1.1', ++ 'header' => 'Connection: Close' ++ ], ++]; ++ ++$ctx = stream_context_create($options); ++ ++$responses = [ ++ "data://text/plain,000000000100\xA\xA" ++]; ++$pid = http_server('tcp://127.0.0.1:12342', $responses); ++ ++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx); ++ ++http_server_kill($pid); ++ ++?> ++DONE ++--EXPECT-- ++DONE +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2019-9024.patch b/SOURCES/php-5.4.16-CVE-2019-9024.patch new file mode 100644 index 0000000..1234143 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2019-9024.patch @@ -0,0 +1,51 @@ +From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 1 Jan 2019 17:15:20 -0800 +Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64 + code) + +--- + ext/xmlrpc/libxmlrpc/base64.c | 4 ++-- + ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug77380.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c +index 5ebdf31..a4fa193 100644 +--- a/ext/xmlrpc/libxmlrpc/base64.c ++++ b/ext/xmlrpc/libxmlrpc/base64.c +@@ -165,7 +165,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) + return; + } + +- if (dtable[c] & 0x80) { ++ if (dtable[(unsigned char)c] & 0x80) { + /* + fprintf(stderr, "Offset %i length %i\n", offset, length); + fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); +diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt +new file mode 100644 +index 0000000..8559c07 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77380.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #77380 (Global out of bounds read in xmlrpc base64 code) ++--SKIPIF-- ++<?php ++if (!extension_loaded("xmlrpc")) print "skip"; ++?> ++--FILE-- ++<?php ++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo="))); ++?> ++--EXPECT-- ++object(stdClass)#1 (2) { ++ ["scalar"]=> ++ string(0) "" ++ ["xmlrpc_type"]=> ++ string(6) "base64" ++} +-- +2.1.4 + diff --git a/SPECS/php.spec b/SPECS/php.spec index e260650..a6c0adf 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -69,7 +69,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.16 -Release: 46.1%{?dist} +Release: 48%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -213,6 +213,10 @@ Patch159: php-5.4.16-CVE-2016-5399.patch Patch160: php-5.4.16-CVE-2016-10167.patch Patch161: php-5.4.16-CVE-2016-10168.patch Patch162: php-5.4.16-CVE-2017-7890.patch +Patch163: php-5.4.16-CVE-2018-5784.patch +Patch164: php-5.4.16-CVE-2019-9024.patch +Patch165: php-5.4.16-CVE-2018-5712.patch +Patch166: php-5.4.16-CVE-2018-10547.patch Patch167: php-5.4.16-CVE-2019-11043.patch @@ -797,6 +801,10 @@ support for using the enchant library to PHP. %patch160 -p1 -b .cve10167 %patch161 -p1 -b .cve10168 %patch162 -p1 -b .cve7890 +%patch163 -p1 -b .cve7584 +%patch164 -p1 -b .cve9024 +%patch165 -p1 -b .cve5712 +%patch166 -p1 -b .cve10547 %patch167 -p1 -b .cve11043 @@ -1569,9 +1577,15 @@ fi %changelog -* Tue Oct 29 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-46.1 +* Tue Oct 29 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-48 - fix underflow in env_path_info in fpm_main.c CVE-2019-11043 +* Wed Aug 21 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-47 +- fix stack-buffer-overflow while parsing HTTP response CVE-2018-7584 +- fix out-of-bounds read in base64_decode_xmlrpc CVE-2019-9024 +- fix reflected XSS in phar 404 page CVE-2018-5712 +- fix reflected XSS in phar 403 and 404 error pages CVE-2018-10547 + * Tue Jun 19 2018 Remi Collet <rcollet@redhat.com> - 5.4.16-46 - load openssl configuration file on startup #1408301