mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
php: upgrade 8.2.29 -> 8.2.30
Drop patches that are included in this release. Changes: https://www.php.net/ChangeLog-8.php#8.2.30 - Curl: Fix curl build and test failures with version 8.16. - Opcache: Reset global pointers to prevent use-after-free in zend_jit_status(). - PDO: PDO quoting result null deref - CVE-2025-14180 - Null byte termination in dns_get_record() - Heap buffer overflow in array_merge() - CVE-2025-14178 - Information Leak of Memory in getimagesize - CVE-2025-14177 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
e7a359838c
commit
af2304fcb9
@@ -1,84 +0,0 @@
|
|||||||
From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
|
|
||||||
Date: Tue, 25 Nov 2025 23:11:38 +0100
|
|
||||||
Subject: [PATCH] Fix GH-20584: Information Leak of Memory
|
|
||||||
|
|
||||||
The string added had uninitialized memory due to
|
|
||||||
php_read_stream_all_chunks() not moving the buffer position, resulting
|
|
||||||
in the same data always being overwritten instead of new data being
|
|
||||||
added to the end of the buffer.
|
|
||||||
|
|
||||||
This is backport as there is a security impact as described in
|
|
||||||
GHSA-3237-qqm7-mfv7 .
|
|
||||||
|
|
||||||
CVE: CVE-2025-14177
|
|
||||||
Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0]
|
|
||||||
|
|
||||||
(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
|
|
||||||
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
|
||||||
---
|
|
||||||
ext/standard/image.c | 1 +
|
|
||||||
ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
|
|
||||||
2 files changed, 40 insertions(+)
|
|
||||||
create mode 100644 ext/standard/tests/image/gh20584.phpt
|
|
||||||
|
|
||||||
diff --git a/ext/standard/image.c b/ext/standard/image.c
|
|
||||||
index 2bd5429efac..15761364c34 100644
|
|
||||||
--- a/ext/standard/image.c
|
|
||||||
+++ b/ext/standard/image.c
|
|
||||||
@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
|
|
||||||
if (read_now < stream->chunk_size && read_total != length) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+ buffer += read_now;
|
|
||||||
} while (read_total < length);
|
|
||||||
|
|
||||||
return read_total;
|
|
||||||
diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..d117f218202
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ext/standard/tests/image/gh20584.phpt
|
|
||||||
@@ -0,0 +1,39 @@
|
|
||||||
+--TEST--
|
|
||||||
+GH-20584 (Information Leak of Memory)
|
|
||||||
+--CREDITS--
|
|
||||||
+Nikita Sveshnikov (Positive Technologies)
|
|
||||||
+--FILE--
|
|
||||||
+<?php
|
|
||||||
+// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
|
|
||||||
+$file = __DIR__ . '/gh20584.jpg';
|
|
||||||
+
|
|
||||||
+// Make APP1 large enough so it is read in multiple chunks
|
|
||||||
+$chunk = 8192;
|
|
||||||
+$tail = 123;
|
|
||||||
+$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
|
|
||||||
+$tail);
|
|
||||||
+$app1Len = 2 + strlen($payload);
|
|
||||||
+
|
|
||||||
+// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
|
|
||||||
+$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
|
|
||||||
+"\x01\x11\x00";
|
|
||||||
+$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
|
|
||||||
+"\xFF\xD9";
|
|
||||||
+file_put_contents($file, $jpeg);
|
|
||||||
+
|
|
||||||
+// Read through a filter to enforce multiple reads
|
|
||||||
+$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
|
|
||||||
+$info = null;
|
|
||||||
+@getimagesize($src, $info);
|
|
||||||
+$exp = $payload;
|
|
||||||
+$ret = $info['APP1'];
|
|
||||||
+
|
|
||||||
+var_dump($ret === $exp);
|
|
||||||
+
|
|
||||||
+?>
|
|
||||||
+--CLEAN--
|
|
||||||
+<?php
|
|
||||||
+@unlink(__DIR__ . '/gh20584.jpg');
|
|
||||||
+?>
|
|
||||||
+--EXPECT--
|
|
||||||
+bool(true)
|
|
||||||
--
|
|
||||||
2.43.5
|
|
||||||
|
|
||||||
@@ -1,65 +0,0 @@
|
|||||||
From a46c3692d37f8c539b3b00ea4ab7ebc2d7db5507 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
|
|
||||||
Date: Sun, 9 Nov 2025 13:23:11 +0100
|
|
||||||
Subject: [PATCH] Fix GHSA-h96m-rvf9-jgm2
|
|
||||||
|
|
||||||
CVE: CVE-2025-14178
|
|
||||||
Upstream-Status: Backport [https://github.com/php/php-src/commit/c4268c15e361]
|
|
||||||
|
|
||||||
(cherry picked from commit c4268c15e361ccd79289a3909f332ab2153f72e7)
|
|
||||||
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
|
||||||
---
|
|
||||||
ext/standard/array.c | 7 ++++++-
|
|
||||||
.../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
|
|
||||||
2 files changed, 22 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
|
|
||||||
|
|
||||||
diff --git a/ext/standard/array.c b/ext/standard/array.c
|
|
||||||
index a1a92934084..30b9a425b20 100644
|
|
||||||
--- a/ext/standard/array.c
|
|
||||||
+++ b/ext/standard/array.c
|
|
||||||
@@ -3903,7 +3903,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
|
|
||||||
int argc, i;
|
|
||||||
zval *src_entry;
|
|
||||||
HashTable *src, *dest;
|
|
||||||
- uint32_t count = 0;
|
|
||||||
+ uint64_t count = 0;
|
|
||||||
|
|
||||||
ZEND_PARSE_PARAMETERS_START(0, -1)
|
|
||||||
Z_PARAM_VARIADIC('+', args, argc)
|
|
||||||
@@ -3923,6 +3923,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
|
|
||||||
count += zend_hash_num_elements(Z_ARRVAL_P(arg));
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (UNEXPECTED(count >= HT_MAX_SIZE)) {
|
|
||||||
+ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
|
|
||||||
+ RETURN_THROWS();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (argc == 2) {
|
|
||||||
zval *ret = NULL;
|
|
||||||
|
|
||||||
diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..2e3e85357e1
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
|
|
||||||
@@ -0,0 +1,16 @@
|
|
||||||
+--TEST--
|
|
||||||
+GHSA-h96m-rvf9-jgm2
|
|
||||||
+--FILE--
|
|
||||||
+<?php
|
|
||||||
+
|
|
||||||
+$power = 20; // Chosen to be well within a memory_limit
|
|
||||||
+$arr = range(0, 2**$power);
|
|
||||||
+try {
|
|
||||||
+ array_merge(...array_fill(0, 2**(32-$power), $arr));
|
|
||||||
+} catch (Error $e) {
|
|
||||||
+ echo $e->getMessage(), "\n";
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+?>
|
|
||||||
+--EXPECTF--
|
|
||||||
+The total number of elements must be lower than %d
|
|
||||||
--
|
|
||||||
2.43.7
|
|
||||||
@@ -1,69 +0,0 @@
|
|||||||
From 86f18141dd016a7927083cc122c71f1a8877b414 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Zelenka <bukka@php.net>
|
|
||||||
Date: Sat, 11 Oct 2025 19:37:26 +0200
|
|
||||||
Subject: [PATCH] Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
|
|
||||||
|
|
||||||
CVE: CVE-2025-14180
|
|
||||||
Upstream-Status: Backport [https://github.com/php/php-src/commit/5797b94652c3]
|
|
||||||
|
|
||||||
(cherry picked from commit 5797b94652c366521bff55f8e1a26ed6188f31b8)
|
|
||||||
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
|
||||||
---
|
|
||||||
ext/pdo/pdo_sql_parser.re | 6 +++++
|
|
||||||
ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt | 28 ++++++++++++++++++++
|
|
||||||
2 files changed, 34 insertions(+)
|
|
||||||
create mode 100644 ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
|
|
||||||
|
|
||||||
diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re
|
|
||||||
index 6bb0837fb31..7f4721d12a6 100644
|
|
||||||
--- a/ext/pdo/pdo_sql_parser.re
|
|
||||||
+++ b/ext/pdo/pdo_sql_parser.re
|
|
||||||
@@ -287,6 +287,12 @@ safe:
|
|
||||||
}
|
|
||||||
|
|
||||||
plc->quoted = stmt->dbh->methods->quoter(stmt->dbh, buf, param_type);
|
|
||||||
+ if (plc->quoted == NULL) {
|
|
||||||
+ /* bork */
|
|
||||||
+ ret = -1;
|
|
||||||
+ strncpy(stmt->error_code, stmt->dbh->error_code, 6);
|
|
||||||
+ goto clean_up;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..736354cab13
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
|
|
||||||
@@ -0,0 +1,28 @@
|
|
||||||
+--TEST--
|
|
||||||
+#GHSA-8xr5-qppj-gvwj: NULL Pointer Derefernce for failed user input quoting
|
|
||||||
+--EXTENSIONS--
|
|
||||||
+pdo
|
|
||||||
+pdo_pgsql
|
|
||||||
+--SKIPIF--
|
|
||||||
+<?php
|
|
||||||
+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
|
|
||||||
+require_once dirname(__FILE__) . '/config.inc';
|
|
||||||
+PDOTest::skip();
|
|
||||||
+?>
|
|
||||||
+--FILE--
|
|
||||||
+<?php
|
|
||||||
+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
|
|
||||||
+require_once dirname(__FILE__) . '/config.inc';
|
|
||||||
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
|
|
||||||
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
|
|
||||||
+$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
|
|
||||||
+
|
|
||||||
+$sql = "SELECT * FROM users where username = :username";
|
|
||||||
+$stmt = $db->prepare($sql);
|
|
||||||
+
|
|
||||||
+$p1 = "alice\x99";
|
|
||||||
+var_dump($stmt->execute(['username' => $p1]));
|
|
||||||
+
|
|
||||||
+?>
|
|
||||||
+--EXPECT--
|
|
||||||
+bool(false)
|
|
||||||
--
|
|
||||||
2.43.7
|
|
||||||
+1
-4
@@ -20,9 +20,6 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
|
|||||||
file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
|
file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
|
||||||
file://0010-iconv-fix-detection.patch \
|
file://0010-iconv-fix-detection.patch \
|
||||||
file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
|
file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
|
||||||
file://CVE-2025-14177.patch \
|
|
||||||
file://CVE-2025-14178.patch \
|
|
||||||
file://CVE-2025-14180.patch \
|
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI:append:class-target = " \
|
SRC_URI:append:class-target = " \
|
||||||
@@ -37,7 +34,7 @@ SRC_URI:append:class-target = " \
|
|||||||
"
|
"
|
||||||
|
|
||||||
S = "${WORKDIR}/php-${PV}"
|
S = "${WORKDIR}/php-${PV}"
|
||||||
SRC_URI[sha256sum] = "51979e8d198cbade2aad4ffe9f53dd3f04f9602d3089e5979985e058ade4267c"
|
SRC_URI[sha256sum] = "104820b6c8fc959dde4b3342135f42bdabf246e86918a16381a17d8447c866fa"
|
||||||
|
|
||||||
CVE_STATUS_GROUPS += "CVE_STATUS_PHP"
|
CVE_STATUS_GROUPS += "CVE_STATUS_PHP"
|
||||||
CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."
|
CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."
|
||||||
Reference in New Issue
Block a user