rpms/php
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import php-7.4.19-3.module+el8.6.0+15726+994cde98

Browse Source
This commit is contained in:
CentOS Sources 2022-06-30 18:21:09 -04:00 committed by Stepan Oksanichenko
parent 6e1a8bf340
commit 415eac45a8
2 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
SOURCES/php-CVE-2022-31626.patch Normal file
View File

@ -0,0 +1,23 @@
From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <smalyshev@gmail.com>
Date: Mon, 6 Jun 2022 00:56:51 -0600
Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow
---
ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
index 87b2e7c31331..e4a298adaea4 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -771,7 +771,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet)
MYSQLND_VIO * vio = conn->vio;
MYSQLND_STATS * stats = conn->stats;
MYSQLND_CONNECTION_STATE * connection_state = &conn->state;
- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
+ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
+ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */
DBG_ENTER("php_mysqlnd_change_auth_response_write");

8
SPECS/php.spec
View File

@ -60,7 +60,7 @@
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
Name: php Name: php
Version: %{upver}%{?rcver:~%{rcver}} Version: %{upver}%{?rcver:~%{rcver}}
Release: 2%{?dist} Release: 3%{?dist}
# All files licensed under PHP version 3.01, except # All files licensed under PHP version 3.01, except
# Zend is licensed under Zend # Zend is licensed under Zend
# TSRM is licensed under BSD # TSRM is licensed under BSD
@ -110,6 +110,7 @@ Patch47: php-5.6.3-phpinfo.patch
# Security fixes (200+) # Security fixes (200+)
Patch200: php-7.4.19-CVE-2021-21703.patch Patch200: php-7.4.19-CVE-2021-21703.patch
Patch201: php-7.4.19-CVE-2021-21705.patch Patch201: php-7.4.19-CVE-2021-21705.patch
Patch202: php-CVE-2022-31626.patch
# Fixes for tests (300+) # Fixes for tests (300+)
# Factory is droped from system tzdata # Factory is droped from system tzdata
@ -722,6 +723,7 @@ in pure PHP.
# security patches # security patches
%patch200 -p1 -b .cve21705 %patch200 -p1 -b .cve21705
%patch201 -p1 -b .cve21703 %patch201 -p1 -b .cve21703
%patch202 -p1 -b .cve31626
# Fixes for tests # Fixes for tests
%patch300 -p1 -b .datetests %patch300 -p1 -b .datetests
@ -1513,6 +1515,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog %changelog
* Wed Jun 22 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-3
- fix password of excessive length triggers buffer overflow leading to RCE
CVE-2022-31626
* Wed Jan 19 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-2 * Wed Jan 19 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-2
- fix SSRF bypass in FILTER_VALIDATE_URL - fix SSRF bypass in FILTER_VALIDATE_URL
CVE-2021-21705 CVE-2021-21705