From c719fadda20ba4cff84a5a94fdfcc4de4e57d717 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 04 2022 07:07:46 +0000 Subject: import rh-php73-php-7.3.33-1.el7 --- diff --git a/.gitignore b/.gitignore index 20f5474..bdff374 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/php-7.3.29.tar.xz +SOURCES/php-7.3.33.tar.xz diff --git a/.rh-php73-php.metadata b/.rh-php73-php.metadata index eab30b7..b89d400 100644 --- a/.rh-php73-php.metadata +++ b/.rh-php73-php.metadata @@ -1 +1 @@ -e694c68bf991d06ac6bba0277efce80bc8946c69 SOURCES/php-7.3.29.tar.xz +d28e7e4bcfd2b4d344dde373064865fc63d7dbca SOURCES/php-7.3.33.tar.xz diff --git a/SOURCES/php-CVE-2022-31625.patch b/SOURCES/php-CVE-2022-31625.patch new file mode 100644 index 0000000..4097036 --- /dev/null +++ b/SOURCES/php-CVE-2022-31625.patch @@ -0,0 +1,73 @@ +From 6f979c832c861fb32e2dbad5e0cc29edcee7c500 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 17 May 2022 12:59:23 +0200 +Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading + to RCE + +We must not free parameters which we haven't initialized yet. + +We also fix the not directly related issue, that we checked for the +wrong value being `NULL`, potentially causing a segfault. + +(cherry picked from commit 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab) +--- + ext/pgsql/pgsql.c | 4 ++-- + ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 2 deletions(-) + create mode 100644 ext/pgsql/tests/bug81720.phpt + +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index 27462bc336..1dd892d359 100644 +--- a/ext/pgsql/pgsql.c ++++ b/ext/pgsql/pgsql.c +@@ -1994,7 +1994,7 @@ PHP_FUNCTION(pg_query_params) + if (Z_TYPE(tmp_val) != IS_STRING) { + php_error_docref(NULL, E_WARNING,"Error converting parameter"); + zval_ptr_dtor(&tmp_val); +- _php_pgsql_free_params(params, num_params); ++ _php_pgsql_free_params(params, i); + RETURN_FALSE; + } + params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +@@ -5179,7 +5179,7 @@ PHP_FUNCTION(pg_send_execute) + if (Z_TYPE(tmp_val) != IS_STRING) { + php_error_docref(NULL, E_WARNING,"Error converting parameter"); + zval_ptr_dtor(&tmp_val); +- _php_pgsql_free_params(params, num_params); ++ _php_pgsql_free_params(params, i); + RETURN_FALSE; + } + params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt +new file mode 100644 +index 0000000000..d79f1fcdd6 +--- /dev/null ++++ b/ext/pgsql/tests/bug81720.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #81720 (Uninitialized array in pg_query_params() leading to RCE) ++--SKIPIF-- ++ ++--FILE-- ++getMessage(), PHP_EOL; ++} ++ ++try { ++ pg_send_prepare($conn, "my_query", 'SELECT $1, $2'); ++ pg_get_result($conn); ++ pg_send_execute($conn, "my_query", [1, new stdClass()]); ++} catch (Throwable $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++?> ++--EXPECT-- ++Object of class stdClass could not be converted to string ++Object of class stdClass could not be converted to string diff --git a/SOURCES/php-CVE-2022-31626.patch b/SOURCES/php-CVE-2022-31626.patch new file mode 100644 index 0000000..0b724e4 --- /dev/null +++ b/SOURCES/php-CVE-2022-31626.patch @@ -0,0 +1,24 @@ +From 9433de72e291db518357fe55531cc15432d43ec4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 6 Jun 2022 00:56:51 -0600 +Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow + +(cherry picked from commit 58006537fc5f133ae8549efe5118cde418b3ace9) +--- + ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c +index 6459fe4964..1aee62c64e 100644 +--- a/ext/mysqlnd/mysqlnd_wireprotocol.c ++++ b/ext/mysqlnd/mysqlnd_wireprotocol.c +@@ -768,7 +768,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet) + MYSQLND_VIO * vio = conn->vio; + MYSQLND_STATS * stats = conn->stats; + MYSQLND_CONNECTION_STATE * connection_state = &conn->state; +- zend_uchar * buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); ++ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE; ++ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); + zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ + + DBG_ENTER("php_mysqlnd_change_auth_response_write"); diff --git a/SPECS/php.spec b/SPECS/php.spec index b87fe7f..d0d1099 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -60,7 +60,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php -Version: 7.3.29 +Version: 7.3.33 Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -113,6 +113,8 @@ Patch48: php-bug80783.patch # Upstream fixes (100+) # Security fixes (200+) +Patch200: php-CVE-2022-31626.patch +Patch201: php-CVE-2022-31625.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -661,6 +663,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in # upstream patches # security patches +%patch200 -p1 -b .cve31626 +%patch201 -p1 -b .cve31625 # Fixes for tests %patch300 -p1 -b .datetests @@ -1457,6 +1461,15 @@ fi %changelog +* Fri Jun 24 2022 Remi Collet - 7.3.33-1 +- rebase to 7.3.33 #2100753 +- fix uninitialized array in pg_query_params() leading to RCE + CVE-2022-31625 + +* Wed Jun 22 2022 Remi Collet - 7.3.29-2 +- fix password of excessive length triggers buffer overflow leading to RCE + CVE-2022-31626 + * Thu Jul 1 2021 Remi Collet - 7.3.29-1 - update to 7.3.29 - fix PDO ODBC truncates BLOB records at every 256th byte #1977764