packages/php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!101 Update php version to 8.1.10

Browse Source 
From: @fundawang 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2022-09-19 03:17:09 +00:00 committed by Gitee
commit d8d44e3f19
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
8 changed files with 87 additions and 527 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-CVE-2021-21708-Fix-81708.patch
View File

@ -1,54 +0,0 @@
From 82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 31 Jan 2022 15:43:24 +0100
Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints
We must only release the zval, if we actually assign a new zval.
---
ext/filter/logical_filters.c | 2 +-
ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/filter/tests/bug81708.phpt
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 1bf7c00d13c6..95f7a99e34b1 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -436,10 +436,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
switch (is_numeric_string(num, p - num, &lval, &dval, 0)) {
case IS_LONG:
- zval_ptr_dtor(value);
if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) {
goto error;
}
+ zval_ptr_dtor(value);
ZVAL_DOUBLE(value, (double)lval);
break;
case IS_DOUBLE:
diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt
new file mode 100644
index 000000000000..d0036af13682
--- /dev/null
+++ b/ext/filter/tests/bug81708.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #81708 (UAF due to php_filter_float() failing for ints)
+--SKIPIF--
+<?php
+if (!extension_loaded("filter")) die("skip filter extension not available");
+?>
+--INI--
+opcache.enable_cli=0
+--FILE--
+<?php
+$input = "+" . str_repeat("1", 2); // avoid string interning
+filter_var(
+ $input,
+ FILTER_VALIDATE_FLOAT,
+ ["options" => ['min_range' => -1, 'max_range' => 1]]
+);
+var_dump($input);
+?>
+--EXPECT--
+string(3) "+11"

68
backport-CVE-2022-31625.patch
View File

@ -1,68 +0,0 @@
From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 17 May 2022 12:59:23 +0200
Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading
to RCE
We must not free parameters which we haven't initialized yet.
We also fix the not directly related issue, that we checked for the
wrong value being `NULL`, potentially causing a segfault.
---
ext/pgsql/pgsql.c | 6 +++---
ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 ext/pgsql/tests/bug81720.phpt
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -1201,7 +1201,7 @@ PHP_FUNCTION(pg_query_params)
} else {
zend_string *param_str = zval_try_get_string(tmp);
if (!param_str) {
- _php_pgsql_free_params(params, num_params);
+ _php_pgsql_free_params(params, i);
RETURN_THROWS();
}
params[i] = estrndup(ZSTR_VAL(param_str), ZSTR_LEN(param_str));
@@ -3918,8 +3918,8 @@ PHP_FUNCTION(pg_send_execute)
params[i] = NULL;
} else {
zend_string *tmp_str = zval_try_get_string(tmp);
- if (UNEXPECTED(!tmp)) {
- _php_pgsql_free_params(params, num_params);
+ if (UNEXPECTED(!tmp_str)) {
+ _php_pgsql_free_params(params, i);
return;
}
params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str));
--- /dev/null
+++ b/ext/pgsql/tests/bug81720.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
+--SKIPIF--
+<?php include("skipif.inc"); ?>
+--FILE--
+<?php
+include('config.inc');
+
+$conn = pg_connect($conn_str);
+
+try {
+ pg_query_params($conn, 'SELECT $1, $2', [1, new stdClass()]);
+} catch (Throwable $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+
+try {
+ pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
+ pg_get_result($conn);
+ pg_send_execute($conn, "my_query", [1, new stdClass()]);
+} catch (Throwable $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+Object of class stdClass could not be converted to string
+Object of class stdClass could not be converted to string

21
backport-CVE-2022-31626.patch
View File

@ -1,21 +0,0 @@
From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <smalyshev@gmail.com>
Date: Mon, 6 Jun 2022 00:56:51 -0600
Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow
---
ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -768,7 +768,8 @@ php_mysqlnd_change_auth_response_write(M
MYSQLND_VIO * vio = conn->vio;
MYSQLND_STATS * stats = conn->stats;
MYSQLND_CONNECTION_STATE * connection_state = &conn->state;
- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
+ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
+ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */
DBG_ENTER("php_mysqlnd_change_auth_response_write");

356
backport-CVE-2022-31627.patch
View File

@ -1,356 +0,0 @@
From ca6d511fa54b34d5b75bf120a86482a1b9e1e686 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Thu, 30 Jun 2022 17:15:22 +0200
Subject: [PATCH] Fix #81723: Memory corruption in finfo_buffer()
We need to use the same memory allocator throughout.
---
ext/fileinfo/libmagic.patch | 112 +++++++++++++++++-------------
ext/fileinfo/libmagic/softmagic.c | 8 +--
ext/fileinfo/tests/bug81723.phpt | 12 ++++
3 files changed, 79 insertions(+), 53 deletions(-)
create mode 100644 ext/fileinfo/tests/bug81723.phpt
diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch
index 27124692a0..3373ae4519 100644
--- a/ext/fileinfo/libmagic.patch
+++ b/ext/fileinfo/libmagic.patch
@@ -1,6 +1,6 @@
-diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
+diff -u libmagic.orig/apprentice.c libmagic/apprentice.c
--- libmagic.orig/apprentice.c 2021-02-23 01:51:11.000000000 +0100
-+++ libmagic/apprentice.c 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/apprentice.c 2022-06-16 13:39:41.570984700 +0200
@@ -29,6 +29,8 @@
* apprentice - make one pass through /etc/magic, learning its secrets.
*/
@@ -925,9 +925,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
m->str_range = swap4(m->str_range);
m->str_flags = swap4(m->str_flags);
}
-diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
+diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
--- libmagic.orig/ascmagic.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/ascmagic.c 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/ascmagic.c 2022-06-16 13:39:41.570984700 +0200
@@ -96,7 +96,7 @@
rv = file_ascmagic_with_encoding(ms, &bb,
ubuf, ulen, code, type, text);
@@ -956,9 +956,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
return rv;
}
-diff -ur libmagic.orig/buffer.c libmagic/buffer.c
+diff -u libmagic.orig/buffer.c libmagic/buffer.c
--- libmagic.orig/buffer.c 2021-02-23 01:49:26.000000000 +0100
-+++ libmagic/buffer.c 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/buffer.c 2021-09-21 13:27:27.982716100 +0200
@@ -31,19 +31,23 @@
#endif /* lint */
@@ -1012,9 +1012,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c
b->ebuf = NULL;
goto out;
}
-diff -ur libmagic.orig/cdf.c libmagic/cdf.c
+diff -u libmagic.orig/cdf.c libmagic/cdf.c
--- libmagic.orig/cdf.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/cdf.c 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/cdf.c 2021-09-21 13:27:27.983695600 +0200
@@ -43,7 +43,17 @@
#include <err.h>
#endif
@@ -1247,9 +1247,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c
}
#endif
-diff -ur libmagic.orig/cdf.h libmagic/cdf.h
+diff -u libmagic.orig/cdf.h libmagic/cdf.h
--- libmagic.orig/cdf.h 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/cdf.h 2021-04-06 21:34:57.332978922 +0200
++++ libmagic/cdf.h 2021-09-21 13:27:27.984674900 +0200
@@ -35,10 +35,10 @@
#ifndef _H_CDF_
#define _H_CDF_
@@ -1264,9 +1264,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h
#endif
#ifdef __DJGPP__
#define timespec timeval
-diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c
+diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c
--- libmagic.orig/cdf_time.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/cdf_time.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/cdf_time.c 2021-09-21 13:27:27.985654400 +0200
@@ -23,6 +23,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
@@ -1293,9 +1293,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c
if (ptr != NULL)
return buf;
(void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n",
-diff -ur libmagic.orig/compress.c libmagic/compress.c
+diff -u libmagic.orig/compress.c libmagic/compress.c
--- libmagic.orig/compress.c 2021-02-23 01:49:07.000000000 +0100
-+++ libmagic/compress.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/compress.c 2022-06-16 13:39:41.586609800 +0200
@@ -51,7 +51,7 @@
#ifndef HAVE_SIG_T
typedef void (*sig_t)(int);
@@ -1430,9 +1430,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c
}
#endif
+#endif
-diff -ur libmagic.orig/der.c libmagic/der.c
+diff -u libmagic.orig/der.c libmagic/der.c
--- libmagic.orig/der.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/der.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/der.c 2022-06-16 13:39:41.586609800 +0200
@@ -54,7 +54,9 @@
#include "magic.h"
#include "der.h"
@@ -1443,9 +1443,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c
#include <sys/stat.h>
#include <err.h>
#endif
-diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h
+diff -u libmagic.orig/elfclass.h libmagic/elfclass.h
--- libmagic.orig/elfclass.h 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/elfclass.h 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/elfclass.h 2021-09-21 13:27:27.989571700 +0200
@@ -41,7 +41,7 @@
return toomany(ms, "program headers", phnum);
flags |= FLAGS_IS_CORE;
@@ -1473,9 +1473,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h
CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)),
fsize, elf_getu16(swap, elfhdr.e_machine),
CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)),
-diff -ur libmagic.orig/encoding.c libmagic/encoding.c
+diff -u libmagic.orig/encoding.c libmagic/encoding.c
--- libmagic.orig/encoding.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/encoding.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/encoding.c 2022-06-16 13:39:41.586609800 +0200
@@ -98,14 +98,14 @@
nbytes = ms->encoding_max;
@@ -1514,9 +1514,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c
} \
if (u < 3) \
return 0; \
-diff -ur libmagic.orig/file.h libmagic/file.h
+diff -u libmagic.orig/file.h libmagic/file.h
--- libmagic.orig/file.h 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/file.h 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/file.h 2022-06-16 13:39:41.586609800 +0200
@@ -33,17 +33,14 @@
#ifndef __file_h__
#define __file_h__
@@ -1775,9 +1775,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h
+#endif
+
#endif /* __file_h__ */
-diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c
+diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c
--- libmagic.orig/fsmagic.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/fsmagic.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/fsmagic.c 2021-09-21 13:27:27.992511000 +0200
@@ -66,26 +66,10 @@
# define minor(dev) ((dev) & 0xff)
#endif
@@ -2068,9 +2068,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c
#ifdef S_IFSOCK
#ifndef __COHERENT__
case S_IFSOCK:
-diff -ur libmagic.orig/funcs.c libmagic/funcs.c
+diff -u libmagic.orig/funcs.c libmagic/funcs.c
--- libmagic.orig/funcs.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/funcs.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/funcs.c 2022-06-16 13:39:41.586609800 +0200
@@ -51,6 +51,13 @@
#define SIZE_MAX ((size_t)~0)
#endif
@@ -2388,9 +2388,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c
protected char *
file_strtrim(char *str)
-diff -ur libmagic.orig/magic.c libmagic/magic.c
+diff -u libmagic.orig/magic.c libmagic/magic.c
--- libmagic.orig/magic.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/magic.c 2021-04-06 21:34:57.336978894 +0200
++++ libmagic/magic.c 2022-06-16 13:39:41.586609800 +0200
@@ -25,11 +25,6 @@
* SUCH DAMAGE.
*/
@@ -2867,9 +2867,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c
return NULL;
}
return file_getbuffer(ms);
-diff -ur libmagic.orig/magic.h libmagic/magic.h
---- libmagic.orig/magic.h 2021-04-06 22:37:37.647426536 +0200
-+++ libmagic/magic.h 2021-04-06 21:34:57.336978894 +0200
+diff -u libmagic.orig/magic.h libmagic/magic.h
+--- libmagic.orig/magic.h 2022-06-30 17:16:06.144009900 +0200
++++ libmagic/magic.h 2022-06-16 13:39:41.586609800 +0200
@@ -126,6 +126,7 @@
const char *magic_getpath(const char *, int);
@@ -2878,9 +2878,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h
const char *magic_descriptor(magic_t, int);
const char *magic_buffer(magic_t, const void *, size_t);
-diff -ur libmagic.orig/print.c libmagic/print.c
+diff -u libmagic.orig/print.c libmagic/print.c
--- libmagic.orig/print.c 2021-02-23 01:49:07.000000000 +0100
-+++ libmagic/print.c 2021-04-06 21:34:57.340978869 +0200
++++ libmagic/print.c 2021-09-21 13:27:27.998388700 +0200
@@ -28,6 +28,7 @@
/*
* print.c - debugging printout routines
@@ -2943,9 +2943,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c
if (pp == NULL)
goto out;
-diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c
+diff -u libmagic.orig/readcdf.c libmagic/readcdf.c
--- libmagic.orig/readcdf.c 2021-02-23 01:49:08.000000000 +0100
-+++ libmagic/readcdf.c 2021-04-06 21:34:57.340978869 +0200
++++ libmagic/readcdf.c 2021-09-21 13:27:27.999369100 +0200
@@ -31,7 +31,11 @@
#include <assert.h>
@@ -3067,9 +3067,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c
out0:
/* If we handled it already, return */
if (i != -1)
-diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
+diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
--- libmagic.orig/softmagic.c 2021-02-23 01:49:06.000000000 +0100
-+++ libmagic/softmagic.c 2021-04-06 21:34:57.340978869 +0200
++++ libmagic/softmagic.c 2022-06-30 16:58:15.521661800 +0200
@@ -43,6 +43,10 @@
#include <time.h>
#include "der.h"
@@ -3247,7 +3247,29 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
return rv;
}
-@@ -1845,15 +1847,15 @@
+@@ -1531,11 +1533,7 @@
+ size_t len;
+ *c = ms->c;
+ len = c->len * sizeof(*c->li);
+- ms->c.li = CAST(struct level_info *, malloc(len));
+- if (ms->c.li == NULL) {
+- ms->c = *c;
+- return -1;
+- }
++ ms->c.li = CAST(struct level_info *, emalloc(len));
+ memcpy(ms->c.li, c->li, len);
+ return 0;
+ }
+@@ -1543,7 +1541,7 @@
+ private void
+ restore_cont(struct magic_set *ms, struct cont *c)
+ {
+- free(ms->c.li);
++ efree(ms->c.li);
+ ms->c = *c;
+ }
+
+@@ -1845,15 +1843,15 @@
if ((ms->flags & MAGIC_NODESC) == 0 &&
file_printf(ms, F(ms, m->desc, "%u"), offset) == -1)
{
@@ -3266,7 +3288,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
return rv;
case FILE_USE:
-@@ -1958,10 +1960,13 @@
+@@ -1958,10 +1956,13 @@
}
else if ((flags & STRING_COMPACT_WHITESPACE) &&
isspace(*a)) {
@@ -3281,7 +3303,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
b++;
}
else {
-@@ -1997,6 +2002,60 @@
+@@ -1997,6 +1998,60 @@
return file_strncmp(a, b, len, maxlen, flags);
}
@@ -3342,7 +3364,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
private int
magiccheck(struct magic_set *ms, struct magic *m)
{
-@@ -2176,65 +2235,77 @@
+@@ -2176,65 +2231,77 @@
break;
}
case FILE_REGEX: {
@@ -3471,9 +3493,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
break;
}
case FILE_USE:
-diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
+diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c
--- libmagic.orig/strcasestr.c 2021-02-23 01:49:12.000000000 +0100
-+++ libmagic/strcasestr.c 2021-04-06 21:34:57.340978869 +0200
++++ libmagic/strcasestr.c 2021-09-21 13:27:28.002306200 +0200
@@ -39,6 +39,8 @@
#include "file.h"
@@ -3483,7 +3505,3 @@ diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
#include <assert.h>
#include <ctype.h>
#include <string.h>
---- libmagic/config.h 2021-04-06 22:19:57.552120067 +0200
-+++ /dev/null 2021-03-31 20:37:24.776503884 +0200
-@@ -1 +0,0 @@
--#include "php.h"
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index c86524e31e..5132b4ddea 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1533,11 +1533,7 @@ save_cont(struct magic_set *ms, struct cont *c)
size_t len;
*c = ms->c;
len = c->len * sizeof(*c->li);
- ms->c.li = CAST(struct level_info *, malloc(len));
- if (ms->c.li == NULL) {
- ms->c = *c;
- return -1;
- }
+ ms->c.li = CAST(struct level_info *, emalloc(len));
memcpy(ms->c.li, c->li, len);
return 0;
}
@@ -1545,7 +1541,7 @@ save_cont(struct magic_set *ms, struct cont *c)
private void
restore_cont(struct magic_set *ms, struct cont *c)
{
- free(ms->c.li);
+ efree(ms->c.li);
ms->c = *c;
}
diff --git a/ext/fileinfo/tests/bug81723.phpt b/ext/fileinfo/tests/bug81723.phpt
new file mode 100644
index 0000000000..16bfb81f10
--- /dev/null
+++ b/ext/fileinfo/tests/bug81723.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #81723 (Memory corruption in finfo_buffer())
+--EXTENSIONS--
+fileinfo
+--FILE--
+<?php
+$data = hex2bin("00018a7570001097db97979897977d87979797000092001f0051000000000000000000ffff7fff00000000001e0000000000000000000000000c0000000000000000000000000000dc0000000100000000000000004f011900007f0000000000180039000000000000000000000000000000dc0000000100000000000000004f011900007f0000f500000000eeff0000000000000000010000fd00");
+
+$f = finfo_open();
+finfo_buffer($f, $data);
+?>
+--EXPECT--
--
2.27.0

84
php-8.1.0-systzdata-v21.patch → php-8.1.0-systzdata-v22.patch
View File

@ -5,6 +5,7 @@ Add support for use of the system timezone database, rather
than embedding a copy. Discussed upstream but was not desired.
History:
r22: retrieve tzdata version from /usr/share/zoneinfo/tzdata.zi
r21: adapt for timelib 2021.03 (in 8.1.0)
r20: adapt for timelib 2020.03 (in 8.0.10RC1)
r19: adapt for timelib 2020.02 (in 8.0.0beta2)
@ -32,9 +33,10 @@ r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert)
r2: add filesystem trawl to set up name alias index
r1: initial revision
diff -up php-8.0.0beta3/ext/date/config0.m4.systzdata php-8.0.0beta3/ext/date/config0.m4
--- php-8.0.0beta3/ext/date/config0.m4.systzdata 2020-09-01 19:13:26.000000000 +0200
+++ php-8.0.0beta3/ext/date/config0.m4 2020-09-02 08:07:51.039979873 +0200
diff --git a/ext/date/config0.m4 b/ext/date/config0.m4
index 18b8106bd2..3d1f63c758 100644
--- a/ext/date/config0.m4
+++ b/ext/date/config0.m4
@@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h])
dnl Check for strtoll, atoll
AC_CHECK_FUNCS(strtoll atoll)
@ -55,9 +57,10 @@ diff -up php-8.0.0beta3/ext/date/config0.m4.systzdata php-8.0.0beta3/ext/date/co
PHP_DATE_CFLAGS="-Wno-implicit-fallthrough -I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1"
timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c lib/parse_posix.c
lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c"
diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/date/lib/parse_tz.c
--- php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata 2020-09-01 19:13:26.000000000 +0200
+++ php-8.0.0beta3/ext/date/lib/parse_tz.c 2020-09-02 08:07:51.039979873 +0200
diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c
index e41315efdb..4b6547c0a3 100644
--- a/ext/date/lib/parse_tz.c
+++ b/ext/date/lib/parse_tz.c
@@ -26,9 +26,22 @@
#include "timelib.h"
#include "timelib_private.h"
@ -81,7 +84,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
#if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__))
# if defined(__LITTLE_ENDIAN__)
@@ -95,6 +108,11 @@ static int read_php_preamble(const unsig
@@ -95,6 +108,11 @@ static int read_php_preamble(const unsigned char **tzf, timelib_tzinfo *tz)
{
uint32_t version;
@ -93,7 +96,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
/* read ID */
version = (*tzf)[3] - '0';
*tzf += 4;
@@ -577,7 +595,429 @@ void timelib_dump_tzinfo(timelib_tzinfo
@@ -577,7 +595,467 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz)
}
}
@ -323,6 +326,44 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
+ return timelib_strcasecmp(alpha->id, beta->id);
+}
+
+/* Retrieve tzdata version. */
+static void retrieve_zone_version(timelib_tzdb *db)
+{
+ static char buf[30];
+ char path[PATH_MAX];
+ FILE *fp;
+
+ strncpy(path, ZONEINFO_PREFIX "/tzdata.zi", sizeof(path));
+
+ fp = fopen(path, "r");
+ if (fp) {
+ if (fgets(buf, sizeof(buf), fp)) {
+ if (!memcmp(buf, "# version ", 10) &&
+ isdigit(buf[10]) &&
+ isdigit(buf[11]) &&
+ isdigit(buf[12]) &&
+ isdigit(buf[13]) &&
+ islower(buf[14])) {
+ if (buf[14] >= 't') { /* 2022t = 2022.20 */
+ buf[17] = 0;
+ buf[16] = buf[14] - 't' + '0';
+ buf[15] = '2';
+ } else if (buf[14] >= 'j') { /* 2022j = 2022.10 */
+ buf[17] = 0;
+ buf[16] = buf[14] - 'j' + '0';
+ buf[15] = '1';
+ } else { /* 2022a = 2022.1 */
+ buf[16] = 0;
+ buf[15] = buf[14] - 'a' + '1';
+ }
+ buf[14] = '.';
+ db->version = buf+10;
+ }
+ }
+ fclose(fp);
+ }
+}
+
+
+/* Create the zone identifier index by trawling the filesystem. */
+static void create_zone_index(timelib_tzdb *db)
@ -524,7 +565,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
{
int left = 0, right = tzdb->index_size - 1;
@@ -603,9 +1043,48 @@ static int seek_to_tz_position(const uns
@@ -603,9 +1081,49 @@ static int seek_to_tz_position(const unsigned char **tzf, const char *timezone,
return 0;
}
@ -561,6 +602,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
+ tmp->version = "0.system";
+ tmp->data = NULL;
+ create_zone_index(tmp);
+ retrieve_zone_version(tmp);
+ system_location_table = create_location_table();
+ fake_data_segment(tmp, system_location_table);
+ timezonedb_system = tmp;
@ -573,7 +615,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
}
const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count)
@@ -617,7 +1096,30 @@ const timelib_tzdb_index_entry *timelib_
@@ -617,7 +1135,30 @@ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_
int timelib_timezone_id_is_valid(const char *timezone, const timelib_tzdb *tzdb)
{
const unsigned char *tzf;
@ -605,7 +647,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
}
static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz)
@@ -662,6 +1164,8 @@ static timelib_tzinfo* timelib_tzinfo_ct
@@ -662,6 +1203,8 @@ static timelib_tzinfo* timelib_tzinfo_ctor(const char *name)
timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *tzdb, int *error_code)
{
const unsigned char *tzf;
@ -614,7 +656,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
timelib_tzinfo *tmp;
int version;
int transitions_result, types_result;
@@ -669,7 +1173,7 @@ timelib_tzinfo *timelib_parse_tzfile(con
@@ -669,7 +1212,7 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t
*error_code = TIMELIB_ERROR_NO_ERROR;
@ -623,7 +665,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
tmp = timelib_tzinfo_ctor(timezone);
version = read_preamble(&tzf, tmp, &type);
@@ -712,11 +1216,36 @@ timelib_tzinfo *timelib_parse_tzfile(con
@@ -712,11 +1255,36 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t
return NULL;
}
@ -660,3 +702,19 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat
} else {
*error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE;
tmp = NULL;
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index cf4a11b8a2..cd49abc78d 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -457,7 +457,11 @@ PHP_MINFO_FUNCTION(date)
php_info_print_table_row(2, "date/time support", "enabled");
php_info_print_table_row(2, "timelib version", TIMELIB_ASCII_VERSION);
php_info_print_table_row(2, "\"Olson\" Timezone Database Version", tzdb->version);
+#ifdef HAVE_SYSTEM_TZDATA
+ php_info_print_table_row(2, "Timezone Database", "system");
+#else
php_info_print_table_row(2, "Timezone Database", php_date_global_timezone_db_enabled ? "external" : "internal");
+#endif
php_info_print_table_row(2, "Default timezone", guess_timezone(tzdb));
php_info_print_table_end();

BIN
php-8.1.1.tar.xz → php-8.1.10.tar.xz
View File

Binary file not shown.

2
php.modconf
View File

@ -6,7 +6,7 @@
# Cannot load both php5 and php7 modules
<IfModule !mod_php5.c>
<IfModule prefork.c>
LoadModule php7_module modules/libphp7.so
LoadModule php7_module modules/libphp.so
</IfModule>
</IfModule>

29
php.spec
View File

@ -20,13 +20,13 @@
%global with_firebird 0
%global with_imap 0
%global with_freetds 0
%global with_sodium 0
%global with_sodium 1
%global with_pspell 0
%global upver 8.1.1
%global upver 8.1.10
Name: php
Version: %{upver}
Release: 5
Release: 1
Summary: PHP scripting language for creating dynamic web sites
License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and Boost
URL: http://www.php.net/
@ -51,15 +51,11 @@ Patch0: php-7.4.0-httpd.patch
Patch1: php-7.2.0-includedir.patch
Patch2: php-8.0.0-embed.patch
Patch3: php-8.1.0-parser.patch
Patch4: php-8.1.0-systzdata-v21.patch
Patch4: php-8.1.0-systzdata-v22.patch
Patch5: php-7.4.0-phpize.patch
Patch6: php-7.4.0-ldap_r.patch
Patch7: php-8.1.0-phpinfo.patch
Patch8: php-7.4.0-datetests.patch
Patch9: backport-CVE-2021-21708-Fix-81708.patch
Patch10: backport-CVE-2022-31625.patch
Patch11: backport-CVE-2022-31626.patch
Patch12: backport-CVE-2022-31627.patch
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -114,7 +110,6 @@ The php-dbg package contains the interactive PHP debugger.
Summary: PHP FastCGI Process Manager
BuildRequires: libacl-devel
Requires: php-common%{?_isa} = %{version}-%{release}
Requires(pre): /usr/sbin/useradd
BuildRequires: systemd-devel
%{?systemd_requires}
Requires(pre): httpd-filesystem
@ -458,7 +453,7 @@ support for using the enchant library to PHP.
%package sodium
Summary: Wrapper for the Sodium cryptographic library
License: PHP
BuildRequires: pkgconfig(libsodium) >= 1.0.9
BuildRequires: pkgconfig(libsodium) >= 1.0.8
Requires: php-common%{?_isa} = %{version}-%{release}
Obsoletes: php-pecl-libsodium2 < 3
@ -586,9 +581,9 @@ ln -sf ../configure
--enable-rtld-now \
--cache-file=../config.cache --with-libdir=%{_lib} --with-config-file-path=%{_sysconfdir} \
--with-config-file-scan-dir=%{_sysconfdir}/php.d --disable-debug --with-pic --disable-rpath \
--without-pear --with-exec-dir=%{_bindir} --without-gdbm --with-openssl \
--with-system-ciphers --with-pcre-regex=%{_prefix} --with-zlib --with-layout=GNU --with-kerberos \
--with-libxml-dir=%{_prefix} --with-system-tzdata --with-mhash \
--without-pear --without-gdbm --with-openssl \
--with-system-ciphers --with-zlib --with-layout=GNU --with-kerberos \
--with-system-tzdata --with-mhash \
%ifarch riscv64
--without-pcre-jit \
%endif
@ -660,7 +655,7 @@ build --libdir=%{_libdir}/php --enable-pcntl --enable-opcache --enable-phpdbg \
--enable-intl=shared --with-enchant=shared,%{_prefix}
popd
without_shared="--without-gd --disable-dom --disable-dba --without-unixODBC --disable-opcache \
without_shared="--disable-gd --disable-dom --disable-dba --without-unixODBC --disable-opcache \
--disable-opcache --disable-phpdbg --without-ffi \
--disable-xmlreader --disable-xmlwriter --without-sodium --without-sqlite3 --disable-phar --disable-fileinfo \
--without-pspell --without-curl --disable-posix --disable-xml --disable-simplexml --disable-exif \
@ -1093,6 +1088,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog
* Sat Sep 17 2022 Funda Wang <fundawang@yeah.net> - 8.1.10-1
- New version 8.1.10
- Sync systzdata with remi's php repo
- enable libsodium sub package
- cleanup unused build switches
* Tue Jul 12 2022 Hugel <gengqihu1@h-partners.com> - 8.1.1-5
- Fix CVE-2022-31627