diff --git a/php-cve-2026-14355.patch b/php-cve-2026-14355.patch new file mode 100644 index 0000000..04acf37 --- /dev/null +++ b/php-cve-2026-14355.patch @@ -0,0 +1,119 @@ +From 2a73e91a9f9136fbbfcc9177573b6af71e3d5dce Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Fri, 29 May 2026 21:44:14 +0100 +Subject: [PATCH] ext/openssl: openssl_encrypt() zend mm heap overflow on + AES-WRAP-PAD mode. + +Fix #22186 + +close GH-22187 + +(cherry picked from commit cbc0489126a7682796aad1e5fb4e51de74af162c) +(cherry picked from commit 95e9851111d249e43948b76663cff1baeb5e758d) +--- + NEWS | 6 ++++++ + ext/openssl/openssl.c | 17 +++++++++++++++-- + ext/openssl/tests/gh22186.phpt | 32 ++++++++++++++++++++++++++++++++ + 3 files changed, 53 insertions(+), 2 deletions(-) + create mode 100644 ext/openssl/tests/gh22186.phpt + +diff --git a/NEWS b/NEWS +index eb31a08afd..e3cb991135 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.2.32 ++ ++- OpenSSL: ++ . Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in ++ openssl_encrypt with AES-WRAP-PAD). (David Carlier) ++ + Backported from 8.2.31 + + - FPM: +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 45a7e79440..73d4f6f699 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -7155,6 +7155,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + const char *aad, size_t aad_len, int enc) /* {{{ */ + { + int i = 0; ++ size_t outlen = data_len + EVP_CIPHER_block_size(cipher_type); + + if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) { + php_openssl_store_errors(); +@@ -7168,7 +7169,19 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + return FAILURE; + } + +- *poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0); ++#ifdef EVP_CIPH_WRAP_MODE ++ if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) { ++ /* ++ * RFC 5649 wrap-with-padding rounds the input up to the block size ++ * and prepends an integrity block, we reserve one extra block. ++ * See EVP_EncryptUpdate(3): wrap mode may write up to ++ * inl + cipher_block_size bytes. ++ */ ++ outlen += EVP_CIPHER_block_size(cipher_type); ++ } ++#endif ++ ++ *poutbuf = zend_string_alloc(outlen, false); + + if (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf), + &i, (const unsigned char *)data, (int)data_len)) { +@@ -7180,7 +7193,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, + } + */ + php_openssl_store_errors(); +- zend_string_release_ex(*poutbuf, 0); ++ zend_string_release_ex(*poutbuf, false); + return FAILURE; + } + +diff --git a/ext/openssl/tests/gh22186.phpt b/ext/openssl/tests/gh22186.phpt +new file mode 100644 +index 0000000000..8f28e6c45b +--- /dev/null ++++ b/ext/openssl/tests/gh22186.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++GH-22186 (Heap buffer overflow in openssl_encrypt with AES-WRAP-PAD) ++--EXTENSIONS-- ++openssl ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++done +-- +2.54.0 + diff --git a/php.spec b/php.spec index 0583f0b..967dfcf 100644 --- a/php.spec +++ b/php.spec @@ -62,7 +62,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 6%{?dist} +Release: 7%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -162,6 +162,8 @@ Patch228: php-cve-2026-6735.patch Patch229: php-cve-2026-7259.patch Patch230: php-cve-2026-7568.patch Patch231: php-cve-2026-7258.patch +# from 8.2.32 +Patch232: php-cve-2026-14355.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -798,6 +800,7 @@ rm ext/openssl/tests/p12_with_extra_certs.p12 %patch -P229 -p1 -b .cve7259 %patch -P230 -p1 -b .cve7268 %patch -P231 -p1 -b .cve7258 +%patch -P232 -p1 -b .cve14355 # Fixes for tests %patch -P300 -p1 -b .datetests @@ -1606,6 +1609,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Thu Jul 9 2026 Remi Collet - 8.0.30-7 +- Fix Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD + CVE-2026-14355 + * Fri Jun 5 2026 Remi Collet - 8.0.30-6 - Fix XSS within status endpoint CVE-2026-6735