mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
php: Fix CVE-2023-3824
Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef] CVE: CVE-2023-3824 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
2f4f70a703
commit
0f10a0d394
@@ -0,0 +1,91 @@
|
|||||||
|
From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001
|
||||||
|
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
|
||||||
|
Date: Mon, 10 Jul 2023 13:25:34 +0200
|
||||||
|
Subject: [PATCH] Fix buffer mismanagement in phar_dir_read()
|
||||||
|
|
||||||
|
Fixes GHSA-jqcx-ccgc-xwhv.
|
||||||
|
|
||||||
|
Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
|
||||||
|
CVE: CVE-2023-3824
|
||||||
|
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
|
||||||
|
---
|
||||||
|
ext/phar/dirstream.c | 15 ++++++++------
|
||||||
|
ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
|
||||||
|
2 files changed, 36 insertions(+), 6 deletions(-)
|
||||||
|
create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
|
||||||
|
|
||||||
|
diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
|
||||||
|
index 4710703c..490b1452 100644
|
||||||
|
--- a/ext/phar/dirstream.c
|
||||||
|
+++ b/ext/phar/dirstream.c
|
||||||
|
@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
|
||||||
|
*/
|
||||||
|
static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
|
||||||
|
{
|
||||||
|
- size_t to_read;
|
||||||
|
HashTable *data = (HashTable *)stream->abstract;
|
||||||
|
zend_string *str_key;
|
||||||
|
zend_ulong unused;
|
||||||
|
|
||||||
|
+ if (count != sizeof(php_stream_dirent)) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
zend_hash_move_forward(data);
|
||||||
|
- to_read = MIN(ZSTR_LEN(str_key), count);
|
||||||
|
|
||||||
|
- if (to_read == 0 || count < ZSTR_LEN(str_key)) {
|
||||||
|
+ php_stream_dirent *dirent = (php_stream_dirent *) buf;
|
||||||
|
+
|
||||||
|
+ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
- memset(buf, 0, sizeof(php_stream_dirent));
|
||||||
|
- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
|
||||||
|
- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
|
||||||
|
+ memset(dirent, 0, sizeof(php_stream_dirent));
|
||||||
|
+ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
|
||||||
|
|
||||||
|
return sizeof(php_stream_dirent);
|
||||||
|
}
|
||||||
|
diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..4e12f05f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
|
||||||
|
@@ -0,0 +1,27 @@
|
||||||
|
+--TEST--
|
||||||
|
+GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
|
||||||
|
+--SKIPIF--
|
||||||
|
+<?php if (!extension_loaded("phar")) die("skip"); ?>
|
||||||
|
+--INI--
|
||||||
|
+phar.readonly=0
|
||||||
|
+--FILE--
|
||||||
|
+<?php
|
||||||
|
+$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
|
||||||
|
+$phar->startBuffering();
|
||||||
|
+$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
|
||||||
|
+$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
|
||||||
|
+$phar->stopBuffering();
|
||||||
|
+
|
||||||
|
+$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
|
||||||
|
+var_dump(strlen(readdir($handle)));
|
||||||
|
+// Must not be a string of length PHP_MAXPATHLEN+1
|
||||||
|
+var_dump(readdir($handle));
|
||||||
|
+closedir($handle);
|
||||||
|
+?>
|
||||||
|
+--CLEAN--
|
||||||
|
+<?php
|
||||||
|
+unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
|
||||||
|
+?>
|
||||||
|
+--EXPECTF--
|
||||||
|
+int(%d)
|
||||||
|
+bool(false)
|
||||||
|
--
|
||||||
|
2.24.4
|
||||||
|
|
||||||
@@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
|
|||||||
file://debian-php-fixheader.patch \
|
file://debian-php-fixheader.patch \
|
||||||
file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
|
file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
|
||||||
file://0001-php.m4-don-t-unset-cache-variables.patch \
|
file://0001-php.m4-don-t-unset-cache-variables.patch \
|
||||||
|
file://CVE-2023-3824.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI_append_class-target = " \
|
SRC_URI_append_class-target = " \
|
||||||
|
|||||||
Reference in New Issue
Block a user