import php-7.2.11-4.module+el8.1.0+4555+f5cb8e18

This commit is contained in:
CentOS Sources 2019-11-06 08:16:49 -05:00 committed by Andrew Lukoshko
parent 250af3cb52
commit 9b15c6be93
2 changed files with 140 additions and 1 deletions

View File

@ -0,0 +1,134 @@
From 7a990257a05c725d53ca91bc9d080c99102f4e5e Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 21 Oct 2019 13:17:09 -0700
Subject: [PATCH] Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1:
Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
bump versions after release
set versions for release
---
sapi/fpm/fpm/fpm_main.c | 4 +-
.../tests/bug78599-path-info-underflow.phpt | 61 +++++++++++++++++++
sapi/fpm/tests/tester.inc | 11 +++-
3 files changed, 72 insertions(+), 4 deletions(-)
create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index f0cc3a07a485..b0e6226d9ad8 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1209,8 +1209,8 @@ static void init_request_info(void)
path_info = script_path_translated + ptlen;
tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
} else {
- path_info = env_path_info ? env_path_info + pilen - slen : NULL;
- tflag = (orig_path_info != path_info);
+ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
+ tflag = path_info && (orig_path_info != path_info);
}
if (tflag) {
diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
new file mode 100644
index 000000000000..edd4e0d49699
--- /dev/null
+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
@@ -0,0 +1,61 @@
+--TEST--
+FPM: bug78599 - env_path_info underflow - CVE-2019-11043
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+echo "Test Start\n";
+var_dump(\$_SERVER["PATH_INFO"]);
+echo "Test End\n";
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$uri = $tester->makeSourceFile();
+$tester
+ ->request(
+ '',
+ [
+ 'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),
+ 'PATH_INFO' => '',
+ 'HTTP_HUI' => str_repeat('PTEST', 1000),
+ ],
+ $uri
+ )
+ ->expectBody(
+ [
+ 'Test Start',
+ 'string(0) ""',
+ 'Test End'
+ ]
+ );
+$tester->terminate();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc
index 70c03ad70f1c..3b6702866cc1 100644
--- a/sapi/fpm/tests/tester.inc
+++ b/sapi/fpm/tests/tester.inc
@@ -513,7 +513,7 @@ class Tester
return new Response(null, true);
}
if (is_null($uri)) {
- $uri = $this->makeFile('src.php', $this->code);
+ $uri = $this->makeSourceFile();
}
$params = array_merge(
@@ -538,7 +538,6 @@ class Tester
],
$headers
);
-
try {
$this->response = new Response(
$this->getClient($address, $connKeepAlive)->request_data($params, false)
@@ -944,6 +943,14 @@ class Tester
return $filePath;
}
+ /**
+ * @return string
+ */
+ public function makeSourceFile()
+ {
+ return $this->makeFile('src.php', $this->code);
+ }
+
/**
* @param string|null $msg
*/

View File

@ -66,7 +66,7 @@
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
Name: php Name: php
Version: %{upver}%{?rcver:~%{rcver}} Version: %{upver}%{?rcver:~%{rcver}}
Release: 2%{?dist} Release: 4%{?dist}
# All files licensed under PHP version 3.01, except # All files licensed under PHP version 3.01, except
# Zend is licensed under Zend # Zend is licensed under Zend
# TSRM is licensed under BSD # TSRM is licensed under BSD
@ -116,6 +116,7 @@ Patch48: php-7.2.7-getallheaders.patch
# Upstream fixes (100+) # Upstream fixes (100+)
# Security fixes (200+) # Security fixes (200+)
Patch200: php-7.2.11-CVE-2019-11043.patch
# Fixes for tests (300+) # Fixes for tests (300+)
# Factory is droped from system tzdata # Factory is droped from system tzdata
@ -718,6 +719,7 @@ low-level PHP extension for the libsodium cryptographic library.
# upstream patches # upstream patches
# security patches # security patches
%patch200 -p1 -b .cve11043
# Fixes for tests # Fixes for tests
%patch300 -p1 -b .datetests %patch300 -p1 -b .datetests
@ -1565,6 +1567,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog %changelog
* Tue Oct 29 2019 Remi Collet <rcollet@redhat.com> - 7.2.11-4
- fix underflow in env_path_info in fpm_main.c CVE-2019-11043
* Wed May 15 2019 Joe Orton <jorton@redhat.com> - 7.2.11-2 * Wed May 15 2019 Joe Orton <jorton@redhat.com> - 7.2.11-2
- rebuild (#1695587) - rebuild (#1695587)