rpms/php
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVEs up to 8.2.31:

Browse Source 
- Fix XSS within status endpoint CVE-2026-6735
- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map CVE-2026-6722
- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261
- Fix Broken Apache map value NULL check CVE-2026-7262
- Fix Signed integer overflow of char array offset CVE-2026-7568
- Fix Consistently pass unsigned char to ctype.h functions  CVE-2026-7258

Resolves: RHEL-181020
This commit is contained in:
Remi Collet 2026-06-04 09:21:46 +02:00
parent 1d1654b533
commit 0d15d688d2
7 changed files with 2272 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
php-cve-2026-6722.patch Normal file
View File

@ -0,0 +1,109 @@
From 6c4b67ca091afea4f436202d7f9db38a129106dc Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:56:53 +0200
Subject: [PATCH 1/9] GHSA-85c2-q967-79q5: [soap] Fix stale
SOAP_GLOBAL(ref_map) pointer with Apache Map
Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722
(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
(cherry picked from commit 15064460d6682766f91c1a841d27cdfbc38907e8)
(cherry picked from commit bbc1be3fc763b81707ccaa91a4cd1d439b753b12)
---
ext/soap/php_encoding.c | 3 +-
ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
2 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 0a6edbf5a41..088d0086472 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -367,6 +367,7 @@ static zend_bool soap_check_xml_ref(zval *data, xmlNodePtr node)
static void soap_add_xml_ref(zval *data, xmlNodePtr node)
{
if (SOAP_GLOBAL(ref_map)) {
+ Z_TRY_ADDREF_P(data);
zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
}
}
@@ -3433,7 +3434,7 @@ void encode_reset_ns()
} else {
SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
}
- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
}
void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
new file mode 100644
index 00000000000..8bcac26ad18
--- /dev/null
+++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+ public function test(...$args) {
+ $GLOBALS['result'] = $args;
+ }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+ <soapenv:Body>
+ <test>
+ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+ <item>
+ <key>foo</key>
+ <value id="stale"><object>bar</object></value>
+ </item>
+ <item>
+ <key>foo</key>
+ <value>baz</value>
+ </item>
+ </map>
+ <stale href="#stale"/>
+ </test>
+ </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+ [0]=>
+ array(1) {
+ ["foo"]=>
+ string(3) "baz"
+ }
+ [1]=>
+ object(stdClass)#%d (1) {
+ ["object"]=>
+ string(3) "bar"
+ }
+}
--
2.54.0

140
php-cve-2026-6735.patch Normal file
View File

@ -0,0 +1,140 @@
From aeaf48ca0bceba42b9595dff30d9e96029c54613 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sun, 3 May 2026 20:01:41 +0200
Subject: [PATCH 4/9] GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint
Fixes GHSA-7qg2-v9fj-4mwv
Fixes CVE-2026-6735
(cherry picked from commit 99a5ad7441de9914246c7863adb6997396008b9d)
(cherry picked from commit cc2960e782eb5cc262d7bd572a7d18979a811954)
(cherry picked from commit 62daef7b73108ceda2545862cde0673f252ba2d2)
---
sapi/fpm/fpm/fpm_status.c | 28 +++++++++--
.../tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 48 +++++++++++++++++++
2 files changed, 72 insertions(+), 4 deletions(-)
create mode 100644 sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c
index de8db9d61a2..9926ebd6b27 100644
--- a/sapi/fpm/fpm/fpm_status.c
+++ b/sapi/fpm/fpm/fpm_status.c
@@ -483,8 +483,8 @@ int fpm_status_handle_request(void) /* {{{ */
if (full_syntax) {
unsigned int i;
int first;
- zend_string *tmp_query_string;
- char *query_string;
+ zend_string *tmp_query_string, *tmp_request_uri_string;
+ char *query_string, *request_uri_string;
struct timeval duration, now;
#ifdef HAVE_FPM_LQ
float cpu;
@@ -511,13 +511,30 @@ int fpm_status_handle_request(void) /* {{{ */
}
}
+ request_uri_string = NULL;
+ tmp_request_uri_string = NULL;
+ if (proc.request_uri[0] != '\0') {
+ if (encode) {
+ tmp_request_uri_string = php_escape_html_entities_ex(
+ (unsigned char*)proc.request_uri,
+ strlen(proc.request_uri), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT,
+ NULL, /* double_encode */ 1);
+ request_uri_string = ZSTR_VAL(tmp_request_uri_string);
+ } else {
+ request_uri_string = proc.request_uri;
+ }
+ }
+
query_string = NULL;
tmp_query_string = NULL;
if (proc.query_string[0] != '\0') {
if (!encode) {
query_string = proc.query_string;
} else {
- tmp_query_string = php_escape_html_entities_ex((unsigned char *)proc.query_string, strlen(proc.query_string), 1, ENT_HTML_IGNORE_ERRORS & ENT_COMPAT, NULL, 1);
+ tmp_query_string = php_escape_html_entities_ex(
+ (unsigned char*)proc.query_string,
+ strlen(proc.query_string), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT,
+ NULL, /* double_encode */ 1);
query_string = ZSTR_VAL(tmp_query_string);
}
}
@@ -545,7 +562,7 @@ int fpm_status_handle_request(void) /* {{{ */
proc.requests,
duration.tv_sec * 1000000UL + duration.tv_usec,
proc.request_method[0] != '\0' ? proc.request_method : "-",
- proc.request_uri[0] != '\0' ? proc.request_uri : "-",
+ request_uri_string ? request_uri_string : "-",
query_string ? "?" : "",
query_string ? query_string : "",
proc.content_length,
@@ -558,6 +575,9 @@ int fpm_status_handle_request(void) /* {{{ */
PUTS(buffer);
efree(buffer);
+ if (tmp_request_uri_string) {
+ zend_string_free(tmp_request_uri_string);
+ }
if (tmp_query_string) {
zend_string_free(tmp_query_string);
}
diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
new file mode 100644
index 00000000000..475bc130a42
--- /dev/null
+++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
@@ -0,0 +1,48 @@
+--TEST--
+FPM: GHSA-7qg2-v9fj-4mwv - status xss
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = static
+pm.max_children = 2
+pm.status_path = /status
+catch_workers_output = yes
+EOT;
+
+$code = <<<EOT
+<?php
+usleep(200000);
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$responses = $tester
+ ->multiRequest([
+ ['uri' => '/<script>alert(1)</script>', 'query' => '<script>alert(2)</script>'],
+ ['uri' => '/status', 'query' => 'full&html', 'delay' => 100000],
+ ]);
+var_dump(strpos($responses[1]->getBody(), '<script>'));
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+bool(false)
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
--
2.54.0

1698
php-cve-2026-7258.patch Normal file
View File

File diff suppressed because it is too large Load Diff

113
php-cve-2026-7261.patch Normal file
View File

@ -0,0 +1,113 @@
From dd14d36e31dd99b7589f917924840fe4f46ca022 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH 2/9] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
header parsing failure with SOAP_PERSISTENCE_SESSION
Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261
(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b)
---
ext/soap/soap.c | 12 ++++-
ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 58 +++++++++++++++++++++++++
2 files changed, 68 insertions(+), 2 deletions(-)
create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 94f1db526c6..ccc21d13af1 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1807,13 +1807,21 @@ PHP_METHOD(SoapServer, handle)
php_output_discard();
soap_server_fault_ex(function, &h->retval, h);
efree(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
goto fail;
} else if (EG(exception)) {
php_output_discard();
_soap_server_exception(service, function, ZEND_THIS);
efree(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
goto fail;
}
} else if (h->mustUnderstand) {
diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
new file mode 100644
index 00000000000..bcf441ccd18
--- /dev/null
+++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
@@ -0,0 +1,58 @@
+--TEST--
+GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+session
+--FILE--
+<?php
+
+class Handler {
+ public function return() {
+ return new SoapFault('Server', 'denied');
+ }
+ public function throw() {
+ throw new SoapFault('Server', 'denied');
+ }
+ public function hello() {
+ return 'ok';
+ }
+}
+
+session_start();
+
+$srv = new SoapServer(null, ['uri' => 'urn:a']);
+$srv->setClass(Handler::class);
+$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
+
+$srv->handle(<<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+ <soap:Header>
+ <a:return/>
+ </soap:Header>
+ <soap:Body>
+ <a:hello/>
+ </soap:Body>
+</soap:Envelope>
+XML);
+
+$srv->handle(<<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+ <soap:Header>
+ <a:throw/>
+ </soap:Header>
+ <soap:Body>
+ <a:hello/>
+ </soap:Body>
+</soap:Envelope>
+XML);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
--
2.54.0

79
php-cve-2026-7262.patch Normal file
View File

@ -0,0 +1,79 @@
From b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 3/9] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
NULL check
Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262
(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
---
ext/soap/php_encoding.c | 2 +-
ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
2 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 088d0086472..9fb65cfb3f0 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2706,7 +2706,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
}
xmlValue = get_node(item->children, "value");
- if (!xmlKey) {
+ if (!xmlValue) {
soap_error0(E_ERROR, "Encoding: Can't decode apache map, missing value");
}
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 00000000000..e46ab2e4607
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+ xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ xmlns:apache="http://xml.apache.org/xml-soap">
+
+ <soap:Body>
+ <test>
+ <map xsi:type="apache:Map">
+ <item><key>hello</key></item>
+ </map>
+ </test>
+ </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+ 'uri' => 'urn:test',
+ 'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
--
2.54.0

105
php-cve-2026-7568.patch Normal file
View File

@ -0,0 +1,105 @@
From 909c2acc64d72bd57123b30e711c02aef0c08d14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
Date: Sun, 3 May 2026 20:02:57 +0200
Subject: [PATCH 6/9] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
overflow of char array offset
Fixes GHSA-96wq-48vp-hh57
Fixes CVE-2026-7568
(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32)
(cherry picked from commit e4fc187a011d91f26178f6dfbccdb07041b99153)
(cherry picked from commit 53de456406a6db5a8bcded8a4b242789ae5b2690)
---
ext/standard/metaphone.c | 6 +++---
ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
2 files changed, 25 insertions(+), 3 deletions(-)
create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
index 16fd1495713..448e9b75d37 100644
--- a/ext/standard/metaphone.c
+++ b/ext/standard/metaphone.c
@@ -122,10 +122,10 @@ static const char _codes[26] =
/* Allows us to safely look ahead an arbitrary # of letters */
/* I probably could have just used strlen... */
-static char Lookahead(char *word, int how_far)
+static char Lookahead(char *word, size_t how_far)
{
char letter_ahead = '\0'; /* null by default */
- int idx;
+ size_t idx;
for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
/* Edge forward in the string... */
@@ -167,7 +167,7 @@ static char Lookahead(char *word, int how_far)
*/
static int metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
{
- int w_idx = 0; /* point in the phonization we're at. */
+ size_t w_idx = 0; /* point in the phonization we're at. */
size_t p_idx = 0; /* end of the phoned phrase */
size_t max_buffer_len = 0; /* maximum length of the destination buffer */
diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
new file mode 100644
index 00000000000..79c6b656733
--- /dev/null
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+--CREDITS--
+012git012
+--INI--
+memory_limit=3G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
+?>
+--FILE--
+<?php
+
+$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
+metaphone($str, 1);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
--
2.54.0
From b40b656c0fe8080f9cd097bf77b7a3681ea3e7a0 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed, 6 May 2026 16:33:44 +0200
Subject: [PATCH 7/9] [skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt
As requested by the reporter.
(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974)
(cherry picked from commit 101e93900888ef43d42ec0e33866bca3824f51a8)
(cherry picked from commit 41134d0746a524d7265b67d3d8d0fd433fd7479a)
---
ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
index 79c6b656733..cf9a40062f8 100644
--- a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -1,7 +1,7 @@
--TEST--
GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
--CREDITS--
-012git012
+Aleksey Solovev (Positive Technologies)
--INI--
memory_limit=3G
--SKIPIF--
--
2.54.0

29
php.spec
View File

@ -60,7 +60,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
Release: 3%{?dist}
Release: 4%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@ -108,6 +108,7 @@ Patch47: php-5.6.3-phpinfo.patch
# Upstream fixes (100+)
# Security fixes (200+)
# From https://github.com/remicollet/php-src-security/tree/PHP-7.4-security-backports
Patch200: php-cve-2022-31631.patch
Patch201: php-cve-2023-0567.patch
Patch202: php-cve-2023-0568.patch
@ -139,6 +140,12 @@ Patch227: php-cve-2025-1735.patch
Patch228: php-cve-2025-14177.patch
Patch229: php-cve-2025-14178.patch
Patch230: php-ghsa-www2-q4fc-65wf.patch
Patch231: php-cve-2026-6722.patch
Patch232: php-cve-2026-7261.patch
Patch233: php-cve-2026-7262.patch
Patch234: php-cve-2026-6735.patch
Patch235: php-cve-2026-7568.patch
Patch236: php-cve-2026-7258.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@ -779,6 +786,12 @@ in pure PHP.
%patch -P228 -p1 -b .cve14177
%patch -P229 -p1 -b .cve14178
%patch -P230 -p1 -b .ghsawwww2
%patch -P231 -p1 -b .cve6722
%patch -P232 -p1 -b .cve7261
%patch -P233 -p1 -b .cve7262
%patch -P234 -p1 -b .cve6735
%patch -P235 -p1 -b .cve7268
%patch -P236 -p1 -b .cve7258
# Fixes for tests
%patch -P300 -p1 -b .datetests
@ -1568,6 +1581,20 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog
* Thu Jun 4 2026 Remi Collet <rcollet@redhat.com> - 7.4.33-4
- Fix XSS within status endpoint
CVE-2026-6735
- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
CVE-2026-6722
- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
CVE-2026-7261
- Fix Broken Apache map value NULL check
CVE-2026-7262
- Fix Signed integer overflow of char array offset
CVE-2026-7568
- Fix Consistently pass unsigned char to ctype.h functions
CVE-2026-7258
* Mon Jan 19 2026 Remi Collet <rcollet@redhat.com> - 7.4.33-3
- Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface
GHSA-4w77-75f9-2c8w