diff --git a/.gitignore b/.gitignore index 9b0b84d..09f8b9e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/php-7.4.19.tar.xz +SOURCES/php-7.4.30.tar.xz SOURCES/php-keyring.gpg diff --git a/.php.metadata b/.php.metadata index 13abf42..cc2c317 100644 --- a/.php.metadata +++ b/.php.metadata @@ -1,2 +1,2 @@ -1007577f0d50a514b16e87e7662306ee4a14225c SOURCES/php-7.4.19.tar.xz +a8ee5fe68907e229fad2939714f99726dfd8198c SOURCES/php-7.4.30.tar.xz 35368de1a0a6ffc21e7154b57cac461d99fba7c2 SOURCES/php-keyring.gpg diff --git a/SOURCES/php-7.3.3-systzdata-v18.patch b/SOURCES/php-7.3.3-systzdata-v19.patch similarity index 86% rename from SOURCES/php-7.3.3-systzdata-v18.patch rename to SOURCES/php-7.3.3-systzdata-v19.patch index eac3cc3..866729b 100644 --- a/SOURCES/php-7.3.3-systzdata-v18.patch +++ b/SOURCES/php-7.3.3-systzdata-v19.patch @@ -5,6 +5,7 @@ Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired. History: +r19: retrieve tzdata version from /usr/share/zoneinfo/tzdata.zi r18: adapt for autotool change in 7.3.3RC1 r17: adapt for timelib 2018.01 (in 7.3.2RC1) r16: adapt for timelib 2017.06 (in 7.2.3RC1) @@ -29,10 +30,11 @@ r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) r2: add filesystem trawl to set up name alias index r1: initial revision -diff -up php-7.3.3RC1/ext/date/config0.m4.systzdata php-7.3.3RC1/ext/date/config0.m4 ---- php-7.3.3RC1/ext/date/config0.m4.systzdata 2019-02-19 14:57:51.314601701 +0100 -+++ php-7.3.3RC1/ext/date/config0.m4 2019-02-19 14:58:29.050812587 +0100 -@@ -9,6 +9,19 @@ io.h +diff --git a/ext/date/config0.m4 b/ext/date/config0.m4 +index 20e4164aaa..a61243646d 100644 +--- a/ext/date/config0.m4 ++++ b/ext/date/config0.m4 +@@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h]) dnl Check for strtoll, atoll AC_CHECK_FUNCS(strtoll atoll) @@ -52,10 +54,11 @@ diff -up php-7.3.3RC1/ext/date/config0.m4.systzdata php-7.3.3RC1/ext/date/config PHP_DATE_CFLAGS="-I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1" timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c" -diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/lib/parse_tz.c ---- php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata 2019-02-19 12:18:27.000000000 +0100 -+++ php-7.3.3RC1/ext/date/lib/parse_tz.c 2019-02-19 14:57:20.397428931 +0100 -@@ -25,8 +25,21 @@ +diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c +index 020da3135e..12e68ef043 100644 +--- a/ext/date/lib/parse_tz.c ++++ b/ext/date/lib/parse_tz.c +@@ -26,8 +26,21 @@ #include "timelib.h" #include "timelib_private.h" @@ -77,7 +80,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) # if defined(__LITTLE_ENDIAN__) -@@ -87,6 +100,11 @@ static int read_php_preamble(const unsig +@@ -88,6 +101,11 @@ static int read_php_preamble(const unsigned char **tzf, timelib_tzinfo *tz) { uint32_t version; @@ -89,7 +92,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li /* read ID */ version = (*tzf)[3] - '0'; *tzf += 4; -@@ -411,7 +429,429 @@ void timelib_dump_tzinfo(timelib_tzinfo +@@ -412,7 +430,467 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) } } @@ -320,6 +323,44 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li +} + + ++/* Retrieve tzdata version. */ ++static void retrieve_zone_version(timelib_tzdb *db) ++{ ++ static char buf[30]; ++ char path[PATH_MAX]; ++ FILE *fp; ++ ++ strncpy(path, ZONEINFO_PREFIX "/tzdata.zi", sizeof(path)); ++ ++ fp = fopen(path, "r"); ++ if (fp) { ++ if (fgets(buf, sizeof(buf), fp)) { ++ if (!memcmp(buf, "# version ", 10) && ++ isdigit(buf[10]) && ++ isdigit(buf[11]) && ++ isdigit(buf[12]) && ++ isdigit(buf[13]) && ++ islower(buf[14])) { ++ if (buf[14] >= 't') { /* 2022t = 2022.20 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 't' + '0'; ++ buf[15] = '2'; ++ } else if (buf[14] >= 'j') { /* 2022j = 2022.10 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 'j' + '0'; ++ buf[15] = '1'; ++ } else { /* 2022a = 2022.1 */ ++ buf[16] = 0; ++ buf[15] = buf[14] - 'a' + '1'; ++ } ++ buf[14] = '.'; ++ db->version = buf+10; ++ } ++ } ++ fclose(fp); ++ } ++} ++ +/* Create the zone identifier index by trawling the filesystem. */ +static void create_zone_index(timelib_tzdb *db) +{ @@ -520,7 +561,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li { int left = 0, right = tzdb->index_size - 1; -@@ -437,9 +877,48 @@ static int seek_to_tz_position(const uns +@@ -438,9 +916,49 @@ static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const return 0; } @@ -557,6 +598,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li + tmp->version = "0.system"; + tmp->data = NULL; + create_zone_index(tmp); ++ retrieve_zone_version(tmp); + system_location_table = create_location_table(); + fake_data_segment(tmp, system_location_table); + timezonedb_system = tmp; @@ -569,7 +611,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li } const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count) -@@ -451,7 +930,30 @@ const timelib_tzdb_index_entry *timelib_ +@@ -452,7 +970,30 @@ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_ int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) { const unsigned char *tzf; @@ -601,7 +643,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li } static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) -@@ -493,12 +995,14 @@ static timelib_tzinfo* timelib_tzinfo_ct +@@ -494,12 +1035,14 @@ static timelib_tzinfo* timelib_tzinfo_ctor(char *name) timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb, int *error_code) { const unsigned char *tzf; @@ -617,7 +659,7 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li tmp = timelib_tzinfo_ctor(timezone); version = read_preamble(&tzf, tmp, &type); -@@ -537,11 +1041,36 @@ timelib_tzinfo *timelib_parse_tzfile(cha +@@ -534,11 +1077,36 @@ timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb, i } skip_posix_string(&tzf, tmp); @@ -654,3 +696,19 @@ diff -up php-7.3.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.3.3RC1/ext/date/li } else { *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; tmp = NULL; +diff --git a/ext/date/php_date.c b/ext/date/php_date.c +index e1a427c5ca..465906fa2b 100644 +--- a/ext/date/php_date.c ++++ b/ext/date/php_date.c +@@ -951,7 +951,11 @@ PHP_MINFO_FUNCTION(date) + php_info_print_table_row(2, "date/time support", "enabled"); + php_info_print_table_row(2, "timelib version", TIMELIB_ASCII_VERSION); + php_info_print_table_row(2, "\"Olson\" Timezone Database Version", tzdb->version); ++#ifdef HAVE_SYSTEM_TZDATA ++ php_info_print_table_row(2, "Timezone Database", "system"); ++#else + php_info_print_table_row(2, "Timezone Database", php_date_global_timezone_db_enabled ? "external" : "internal"); ++#endif + php_info_print_table_row(2, "Default timezone", guess_timezone(tzdb)); + php_info_print_table_end(); + diff --git a/SOURCES/php-7.4.19-CVE-2021-21703.patch b/SOURCES/php-7.4.19-CVE-2021-21703.patch deleted file mode 100644 index 0cf437d..0000000 --- a/SOURCES/php-7.4.19-CVE-2021-21703.patch +++ /dev/null @@ -1,396 +0,0 @@ -From 81bf9b1a9f6def4a6f742a6b41ddc92005ab638f Mon Sep 17 00:00:00 2001 -From: Jakub Zelenka -Date: Sat, 2 Oct 2021 22:53:41 +0100 -Subject: [PATCH] Fix bug #81026 (PHP-FPM oob R/W in root process leading to - priv escalation) - -The main change is to store scoreboard procs directly to the variable sized -array rather than indirectly through the pointer. - -Signed-off-by: Stanislav Malyshev ---- - sapi/fpm/fpm/fpm_children.c | 14 ++--- - sapi/fpm/fpm/fpm_request.c | 4 +- - sapi/fpm/fpm/fpm_scoreboard.c | 106 ++++++++++++++++++++------------- - sapi/fpm/fpm/fpm_scoreboard.h | 11 ++-- - sapi/fpm/fpm/fpm_status.c | 4 +- - sapi/fpm/fpm/fpm_worker_pool.c | 2 +- - 6 files changed, 81 insertions(+), 60 deletions(-) - -diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c -index fd121372f37c..912f77c11aa7 100644 ---- a/sapi/fpm/fpm/fpm_children.c -+++ b/sapi/fpm/fpm/fpm_children.c -@@ -246,7 +246,7 @@ void fpm_children_bury() /* {{{ */ - - fpm_child_unlink(child); - -- fpm_scoreboard_proc_free(wp->scoreboard, child->scoreboard_i); -+ fpm_scoreboard_proc_free(child); - - fpm_clock_get(&tv1); - -@@ -256,9 +256,9 @@ void fpm_children_bury() /* {{{ */ - if (!fpm_pctl_can_spawn_children()) { - severity = ZLOG_DEBUG; - } -- zlog(severity, "[pool %s] child %d exited %s after %ld.%06d seconds from start", child->wp->config->name, (int) pid, buf, tv2.tv_sec, (int) tv2.tv_usec); -+ zlog(severity, "[pool %s] child %d exited %s after %ld.%06d seconds from start", wp->config->name, (int) pid, buf, tv2.tv_sec, (int) tv2.tv_usec); - } else { -- zlog(ZLOG_DEBUG, "[pool %s] child %d has been killed by the process management after %ld.%06d seconds from start", child->wp->config->name, (int) pid, tv2.tv_sec, (int) tv2.tv_usec); -+ zlog(ZLOG_DEBUG, "[pool %s] child %d has been killed by the process management after %ld.%06d seconds from start", wp->config->name, (int) pid, tv2.tv_sec, (int) tv2.tv_usec); - } - - fpm_child_close(child, 1 /* in event_loop */); -@@ -324,7 +324,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / - return 0; - } - -- if (0 > fpm_scoreboard_proc_alloc(wp->scoreboard, &c->scoreboard_i)) { -+ if (0 > fpm_scoreboard_proc_alloc(c)) { - fpm_stdio_discard_pipes(c); - fpm_child_free(c); - return 0; -@@ -336,7 +336,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / - - static void fpm_resources_discard(struct fpm_child_s *child) /* {{{ */ - { -- fpm_scoreboard_proc_free(child->wp->scoreboard, child->scoreboard_i); -+ fpm_scoreboard_proc_free(child); - fpm_stdio_discard_pipes(child); - fpm_child_free(child); - } -@@ -349,10 +349,10 @@ static void fpm_child_resources_use(struct fpm_child_s *child) /* {{{ */ - if (wp == child->wp) { - continue; - } -- fpm_scoreboard_free(wp->scoreboard); -+ fpm_scoreboard_free(wp); - } - -- fpm_scoreboard_child_use(child->wp->scoreboard, child->scoreboard_i, getpid()); -+ fpm_scoreboard_child_use(child, getpid()); - fpm_stdio_child_use_pipes(child); - fpm_child_free(child); - } -diff --git a/sapi/fpm/fpm/fpm_request.c b/sapi/fpm/fpm/fpm_request.c -index c80aa144628f..0a6f6a7cfbf0 100644 ---- a/sapi/fpm/fpm/fpm_request.c -+++ b/sapi/fpm/fpm/fpm_request.c -@@ -285,7 +285,7 @@ int fpm_request_is_idle(struct fpm_child_s *child) /* {{{ */ - struct fpm_scoreboard_proc_s *proc; - - /* no need in atomicity here */ -- proc = fpm_scoreboard_proc_get(child->wp->scoreboard, child->scoreboard_i); -+ proc = fpm_scoreboard_proc_get_from_child(child); - if (!proc) { - return 0; - } -@@ -300,7 +300,7 @@ int fpm_request_last_activity(struct fpm_child_s *child, struct timeval *tv) /* - - if (!tv) return -1; - -- proc = fpm_scoreboard_proc_get(child->wp->scoreboard, child->scoreboard_i); -+ proc = fpm_scoreboard_proc_get_from_child(child); - if (!proc) { - return -1; - } -diff --git a/sapi/fpm/fpm/fpm_scoreboard.c b/sapi/fpm/fpm/fpm_scoreboard.c -index 328f999f0c9b..7e9da4d6848a 100644 ---- a/sapi/fpm/fpm/fpm_scoreboard.c -+++ b/sapi/fpm/fpm/fpm_scoreboard.c -@@ -6,6 +6,7 @@ - #include - - #include "fpm_config.h" -+#include "fpm_children.h" - #include "fpm_scoreboard.h" - #include "fpm_shm.h" - #include "fpm_sockets.h" -@@ -23,7 +24,6 @@ static float fpm_scoreboard_tick; - int fpm_scoreboard_init_main() /* {{{ */ - { - struct fpm_worker_pool_s *wp; -- unsigned int i; - - #ifdef HAVE_TIMES - #if (defined(HAVE_SYSCONF) && defined(_SC_CLK_TCK)) -@@ -40,7 +40,7 @@ int fpm_scoreboard_init_main() /* {{{ */ - - - for (wp = fpm_worker_all_pools; wp; wp = wp->next) { -- size_t scoreboard_size, scoreboard_nprocs_size; -+ size_t scoreboard_procs_size; - void *shm_mem; - - if (wp->config->pm_max_children < 1) { -@@ -53,22 +53,15 @@ int fpm_scoreboard_init_main() /* {{{ */ - return -1; - } - -- scoreboard_size = sizeof(struct fpm_scoreboard_s) + (wp->config->pm_max_children) * sizeof(struct fpm_scoreboard_proc_s *); -- scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; -- shm_mem = fpm_shm_alloc(scoreboard_size + scoreboard_nprocs_size); -+ scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; -+ shm_mem = fpm_shm_alloc(sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size); - - if (!shm_mem) { - return -1; - } -- wp->scoreboard = shm_mem; -+ wp->scoreboard = shm_mem; -+ wp->scoreboard->pm = wp->config->pm; - wp->scoreboard->nprocs = wp->config->pm_max_children; -- shm_mem += scoreboard_size; -- -- for (i = 0; i < wp->scoreboard->nprocs; i++, shm_mem += sizeof(struct fpm_scoreboard_proc_s)) { -- wp->scoreboard->procs[i] = shm_mem; -- } -- -- wp->scoreboard->pm = wp->config->pm; - wp->scoreboard->start_epoch = time(NULL); - strlcpy(wp->scoreboard->pool, wp->config->name, sizeof(wp->scoreboard->pool)); - } -@@ -162,28 +155,48 @@ struct fpm_scoreboard_s *fpm_scoreboard_get() /* {{{*/ - } - /* }}} */ - --struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{*/ -+static inline struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_ex( -+ struct fpm_scoreboard_s *scoreboard, int child_index, unsigned int nprocs) /* {{{*/ - { - if (!scoreboard) { -- scoreboard = fpm_scoreboard; -+ return NULL; - } - -- if (!scoreboard) { -+ if (child_index < 0 || (unsigned int)child_index >= nprocs) { - return NULL; - } - -+ return &scoreboard->procs[child_index]; -+} -+/* }}} */ -+ -+struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get( -+ struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{*/ -+{ -+ if (!scoreboard) { -+ scoreboard = fpm_scoreboard; -+ } -+ - if (child_index < 0) { - child_index = fpm_scoreboard_i; - } - -- if (child_index < 0 || (unsigned int)child_index >= scoreboard->nprocs) { -- return NULL; -- } -+ return fpm_scoreboard_proc_get_ex(scoreboard, child_index, scoreboard->nprocs); -+} -+/* }}} */ - -- return scoreboard->procs[child_index]; -+struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_from_child(struct fpm_child_s *child) /* {{{*/ -+{ -+ struct fpm_worker_pool_s *wp = child->wp; -+ unsigned int nprocs = wp->config->pm_max_children; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; -+ int child_index = child->scoreboard_i; -+ -+ return fpm_scoreboard_proc_get_ex(scoreboard, child_index, nprocs); - } - /* }}} */ - -+ - struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang) /* {{{ */ - { - struct fpm_scoreboard_s *s; -@@ -234,28 +247,28 @@ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc) /* {{{ */ - proc->lock = 0; - } - --void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard) /* {{{ */ -+void fpm_scoreboard_free(struct fpm_worker_pool_s *wp) /* {{{ */ - { -- size_t scoreboard_size, scoreboard_nprocs_size; -+ size_t scoreboard_procs_size; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; - - if (!scoreboard) { - zlog(ZLOG_ERROR, "**scoreboard is NULL"); - return; - } - -- scoreboard_size = sizeof(struct fpm_scoreboard_s) + (scoreboard->nprocs) * sizeof(struct fpm_scoreboard_proc_s *); -- scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * scoreboard->nprocs; -+ scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; - -- fpm_shm_free(scoreboard, scoreboard_size + scoreboard_nprocs_size); -+ fpm_shm_free(scoreboard, sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size); - } - /* }}} */ - --void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_index, pid_t pid) /* {{{ */ -+void fpm_scoreboard_child_use(struct fpm_child_s *child, pid_t pid) /* {{{ */ - { - struct fpm_scoreboard_proc_s *proc; -- fpm_scoreboard = scoreboard; -- fpm_scoreboard_i = child_index; -- proc = fpm_scoreboard_proc_get(scoreboard, child_index); -+ fpm_scoreboard = child->wp->scoreboard; -+ fpm_scoreboard_i = child->scoreboard_i; -+ proc = fpm_scoreboard_proc_get_from_child(child); - if (!proc) { - return; - } -@@ -264,18 +277,22 @@ void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_ind - } - /* }}} */ - --void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{ */ -+void fpm_scoreboard_proc_free(struct fpm_child_s *child) /* {{{ */ - { -+ struct fpm_worker_pool_s *wp = child->wp; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; -+ int child_index = child->scoreboard_i; -+ - if (!scoreboard) { - return; - } - -- if (child_index < 0 || (unsigned int)child_index >= scoreboard->nprocs) { -+ if (child_index < 0 || child_index >= wp->config->pm_max_children) { - return; - } - -- if (scoreboard->procs[child_index] && scoreboard->procs[child_index]->used > 0) { -- memset(scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s)); -+ if (scoreboard->procs[child_index].used > 0) { -+ memset(&scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s)); - } - - /* set this slot as free to avoid search on next alloc */ -@@ -283,41 +300,44 @@ void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_ind - } - /* }}} */ - --int fpm_scoreboard_proc_alloc(struct fpm_scoreboard_s *scoreboard, int *child_index) /* {{{ */ -+int fpm_scoreboard_proc_alloc(struct fpm_child_s *child) /* {{{ */ - { - int i = -1; -+ struct fpm_worker_pool_s *wp = child->wp; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; -+ int nprocs = wp->config->pm_max_children; - -- if (!scoreboard || !child_index) { -+ if (!scoreboard) { - return -1; - } - - /* first try the slot which is supposed to be free */ -- if (scoreboard->free_proc >= 0 && (unsigned int)scoreboard->free_proc < scoreboard->nprocs) { -- if (scoreboard->procs[scoreboard->free_proc] && !scoreboard->procs[scoreboard->free_proc]->used) { -+ if (scoreboard->free_proc >= 0 && scoreboard->free_proc < nprocs) { -+ if (!scoreboard->procs[scoreboard->free_proc].used) { - i = scoreboard->free_proc; - } - } - - if (i < 0) { /* the supposed free slot is not, let's search for a free slot */ - zlog(ZLOG_DEBUG, "[pool %s] the proc->free_slot was not free. Let's search", scoreboard->pool); -- for (i = 0; i < (int)scoreboard->nprocs; i++) { -- if (scoreboard->procs[i] && !scoreboard->procs[i]->used) { /* found */ -+ for (i = 0; i < nprocs; i++) { -+ if (!scoreboard->procs[i].used) { /* found */ - break; - } - } - } - - /* no free slot */ -- if (i < 0 || i >= (int)scoreboard->nprocs) { -+ if (i < 0 || i >= nprocs) { - zlog(ZLOG_ERROR, "[pool %s] no free scoreboard slot", scoreboard->pool); - return -1; - } - -- scoreboard->procs[i]->used = 1; -- *child_index = i; -+ scoreboard->procs[i].used = 1; -+ child->scoreboard_i = i; - - /* supposed next slot is free */ -- if (i + 1 >= (int)scoreboard->nprocs) { -+ if (i + 1 >= nprocs) { - scoreboard->free_proc = 0; - } else { - scoreboard->free_proc = i + 1; -diff --git a/sapi/fpm/fpm/fpm_scoreboard.h b/sapi/fpm/fpm/fpm_scoreboard.h -index 1fecde1d0feb..9d5981e1c739 100644 ---- a/sapi/fpm/fpm/fpm_scoreboard.h -+++ b/sapi/fpm/fpm/fpm_scoreboard.h -@@ -63,7 +63,7 @@ struct fpm_scoreboard_s { - unsigned int nprocs; - int free_proc; - unsigned long int slow_rq; -- struct fpm_scoreboard_proc_s *procs[]; -+ struct fpm_scoreboard_proc_s procs[]; - }; - - int fpm_scoreboard_init_main(); -@@ -72,18 +72,19 @@ int fpm_scoreboard_init_child(struct fpm_worker_pool_s *wp); - void fpm_scoreboard_update(int idle, int active, int lq, int lq_len, int requests, int max_children_reached, int slow_rq, int action, struct fpm_scoreboard_s *scoreboard); - struct fpm_scoreboard_s *fpm_scoreboard_get(); - struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index); -+struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_from_child(struct fpm_child_s *child); - - struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang); - void fpm_scoreboard_release(struct fpm_scoreboard_s *scoreboard); - struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_acquire(struct fpm_scoreboard_s *scoreboard, int child_index, int nohang); - void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc); - --void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard); -+void fpm_scoreboard_free(struct fpm_worker_pool_s *wp); - --void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_index, pid_t pid); -+void fpm_scoreboard_child_use(struct fpm_child_s *child, pid_t pid); - --void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_index); --int fpm_scoreboard_proc_alloc(struct fpm_scoreboard_s *scoreboard, int *child_index); -+void fpm_scoreboard_proc_free(struct fpm_child_s *child); -+int fpm_scoreboard_proc_alloc(struct fpm_child_s *child); - - #ifdef HAVE_TIMES - float fpm_scoreboard_get_tick(); -diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c -index 36d224063583..de8db9d61a25 100644 ---- a/sapi/fpm/fpm/fpm_status.c -+++ b/sapi/fpm/fpm/fpm_status.c -@@ -498,10 +498,10 @@ int fpm_status_handle_request(void) /* {{{ */ - - first = 1; - for (i=0; inprocs; i++) { -- if (!scoreboard_p->procs[i] || !scoreboard_p->procs[i]->used) { -+ if (!scoreboard_p->procs[i].used) { - continue; - } -- proc = *scoreboard_p->procs[i]; -+ proc = scoreboard_p->procs[i]; - - if (first) { - first = 0; -diff --git a/sapi/fpm/fpm/fpm_worker_pool.c b/sapi/fpm/fpm/fpm_worker_pool.c -index d04528f4e0d0..65a9b226b1ae 100644 ---- a/sapi/fpm/fpm/fpm_worker_pool.c -+++ b/sapi/fpm/fpm/fpm_worker_pool.c -@@ -54,7 +54,7 @@ static void fpm_worker_pool_cleanup(int which, void *arg) /* {{{ */ - fpm_worker_pool_config_free(wp->config); - fpm_children_free(wp->children); - if ((which & FPM_CLEANUP_CHILD) == 0 && fpm_globals.parent_pid == getpid()) { -- fpm_scoreboard_free(wp->scoreboard); -+ fpm_scoreboard_free(wp); - } - fpm_worker_pool_free(wp); - } diff --git a/SOURCES/php-7.4.19-CVE-2021-21705.patch b/SOURCES/php-7.4.19-CVE-2021-21705.patch deleted file mode 100644 index c1c65ec..0000000 --- a/SOURCES/php-7.4.19-CVE-2021-21705.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 5cea97e083448aaa2352320612541c895178b3b5 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Mon, 14 Jun 2021 13:22:27 +0200 -Subject: [PATCH] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL - -We need to ensure that the password detected by parse_url() is actually -a valid password; we can re-use is_userinfo_valid() for that. ---- - ext/filter/logical_filters.c | 4 +++- - ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++ - 2 files changed, 24 insertions(+), 1 deletion(-) - create mode 100644 ext/filter/tests/bug81122.phpt - -diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c -index ba2e7e527e76..721da45d532d 100644 ---- a/ext/filter/logical_filters.c -+++ b/ext/filter/logical_filters.c -@@ -632,7 +632,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ - RETURN_VALIDATION_FAILED - } - -- if (url->user != NULL && !is_userinfo_valid(url->user)) { -+ if (url->user != NULL && !is_userinfo_valid(url->user) -+ || url->pass != NULL && !is_userinfo_valid(url->pass) -+ ) { - php_url_free(url); - RETURN_VALIDATION_FAILED - -diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt -new file mode 100644 -index 000000000000..d89d4114a547 ---- /dev/null -+++ b/ext/filter/tests/bug81122.phpt -@@ -0,0 +1,21 @@ -+--TEST-- -+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL) -+--SKIPIF-- -+ -+--FILE-- -+ -+--EXPECT-- -+bool(false) -+bool(false) -+bool(false) diff --git a/SOURCES/php-7.4.19.tar.xz.asc b/SOURCES/php-7.4.19.tar.xz.asc deleted file mode 100644 index 518111d..0000000 --- a/SOURCES/php-7.4.19.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEWlKIB4H3VWCL+BX8kQ3rRvU+oxIFAmCRK6EACgkQkQ3rRvU+ -oxIK6xAA6F+gXg4rh61svifxkt8J0w1L8vDSjFr+9V8v5pFa3qORK+e1AQ9DjySK -BmtjcjlWCO+QYl65mopliZFkuf4GmexxR4pBc2CRp8IeS2eTu97kzyfwzuWsGKVN -zu1lwVtyzk171QzOUfVTa37LL+fWoDFp+srtPZCfHw8Kw1R2zuSh9IMO9zXLvxLF -1RulR05yfv3wEbE91NqlS0obhLcvjVPdzS2bh94UdrvQd+oCSU0DSlc9Hzml6TbI -Ypk4EqiO4O53qfQBp1qehCfVtMrfod9h874jYSQuM+3szZJw5y2OLi4d+GMTWDCd -FZXJYnpSS9qPSsMrRFnKEbm/3w3cTD+y8ys82ONekNaNPYQeOCeq+mee+GkSwF5P -jElw997uxvR7qZmDheXvZkXLtRoGt7TJtL88uedzqMY78PgLcW9+PLyV32aqAi7v -W7GFLfVpqhEmImwsuvOwckAgt+y1B+g6wDpJ7hitOKLq6x8gydxBos4iBYsicKW7 -o2UXoS1Hkwha0EZf3hBmBQ7jKivZ1rM6zAFDMYepFQ8lVAzo48WbxCiBvvUuVin6 -TM1kivfYA2OOlD3d77oyHY7suwU7/NHg+HhSmAs8VgBaIdrER1vY1UK2GXhD29Rr -R550ofXcRsGwiFS+/IzVL22QVil71QmUodRcGp/7E5QuwrNoBfI= -=NYzh ------END PGP SIGNATURE----- diff --git a/SOURCES/php-7.4.30.tar.xz.asc b/SOURCES/php-7.4.30.tar.xz.asc new file mode 100644 index 0000000..c1bb5ba --- /dev/null +++ b/SOURCES/php-7.4.30.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEWlKIB4H3VWCL+BX8kQ3rRvU+oxIFAmKfDuIACgkQkQ3rRvU+ +oxIC7w/9H/dRdiWbNSzsyVpOR103q9iETyQX9DnweJiEqd7Ij296g4t1NRiMzjKD +UNi+LjZF85OWbtLeDWr1icdwlJJ4/4512ujl4JX+IHexa9bQzF/IZhKJElCs2q7B +wH5A/zOZS1gKNPtoum1VwRikVcDYCgXdTG77k4Y/k6LWymCea1HuJaOqVULM4vpX +1dCdZHbSnrILgpDQPgvyUSvIxuLxeRBGD8iL0N4Wk9v6OMTdIFaAoYnUFX3m4Ovm +TqToTpBPrHsgEb6Adeh2k72I6uvcBzwSlGgq0ZGKmK9CljNPVAeKy4uWi2d37zXE +H0m4pOgp8mRppYYNbulTnW3oYuJUdlRTOSlSpcmEP1IKKQPKp+9tGfmW7CXnD2cf +ozqxwLnJ1TiCpmiK+PGm0W46bw/swAgm7XTRgeWCuGig2GRMpUMUmutJOyfxiKOT +1xsG9IrptgdOjRr9dJcEzD0nYBWa8r5CMe5d7NCcy44eB4qPaL5F8QDxzLeb2+EO +OjfNvNxQpB8USkyRLxmnCNgkUOgZ17On15NvnMv37VGXs3bI+0PeSdWCz+k6fnYv +oa1FX06lUCwjqMHYX48hvn1vh+mSsUFdbHqKfGSJwFIhAPke9HOfmfH0zB/n1N04 +dOvvMruqotMhe6g9vChB8h5hashDPWlzYRap1VSUuBxqcoGNjfc= +=cOPw +-----END PGP SIGNATURE----- diff --git a/SPECS/php.spec b/SPECS/php.spec index 1c7996e..f316479 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -54,13 +54,13 @@ %global with_tidy 0 %endif -%global upver 7.4.19 +%global upver 7.4.30 #global rcver RC1 Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -97,7 +97,7 @@ Patch6: php-7.4.0-embed.patch Patch8: php-7.2.0-libdb.patch # Functional changes -Patch42: php-7.3.3-systzdata-v18.patch +Patch42: php-7.3.3-systzdata-v19.patch # See http://bugs.php.net/53436 Patch43: php-7.4.0-phpize.patch # Use -lldap_r for OpenLDAP @@ -108,8 +108,6 @@ Patch47: php-5.6.3-phpinfo.patch # Upstream fixes (100+) # Security fixes (200+) -Patch200: php-7.4.19-CVE-2021-21703.patch -Patch201: php-7.4.19-CVE-2021-21705.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -215,7 +213,6 @@ Summary: PHP FastCGI Process Manager BuildRequires: libacl-devel BuildRequires: pkgconfig(libsystemd) >= 209 Requires: php-common%{?_isa} = %{version}-%{release} -Requires(pre): /usr/sbin/useradd %{?systemd_requires} # To ensure correct /var/lib/php/session ownership: Requires(pre): httpd-filesystem @@ -720,15 +717,13 @@ in pure PHP. # upstream patches # security patches -%patch200 -p1 -b .cve21705 -%patch201 -p1 -b .cve21703 # Fixes for tests %patch300 -p1 -b .datetests # Prevent %%doc confusion over LICENSE files -cp Zend/LICENSE Zend/ZEND_LICENSE +cp Zend/LICENSE ZEND_LICENSE cp TSRM/LICENSE TSRM_LICENSE cp sapi/fpm/LICENSE fpm_LICENSE cp ext/mbstring/libmbfl/LICENSE libmbfl_LICENSE @@ -749,8 +744,6 @@ mkdir build-cgi build-embedded \ # ----- Manage known as failed test ------- # affected by systzdata patch rm ext/date/tests/timezone_location_get.phpt -rm ext/date/tests/timezone_version_get.phpt -rm ext/date/tests/timezone_version_get_basic1.phpt # fails sometime rm ext/sockets/tests/mcast_ipv?_recv.phpt # cause stack exhausion @@ -1375,7 +1368,7 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %files common -f files.common %doc EXTENSIONS NEWS UPGRADING* README.REDIST.BINS *md docs -%license LICENSE TSRM_LICENSE +%license LICENSE TSRM_LICENSE ZEND_LICENSE %license libmagic_LICENSE %license timelib_LICENSE %doc php.ini-* @@ -1513,6 +1506,13 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Thu Jul 7 2022 Remi Collet - 7.4.30-1 +- rebase to 7.4.30 #2099615 + +* Wed Jun 22 2022 Remi Collet - 7.4.19-3 +- fix password of excessive length triggers buffer overflow leading to RCE + CVE-2022-31626 + * Wed Jan 19 2022 Remi Collet - 7.4.19-2 - fix SSRF bypass in FILTER_VALIDATE_URL CVE-2021-21705