From b2c1ad1674ebbf649bc9ceeb946b855335a85149 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 30 Mar 2021 15:29:17 -0400 Subject: [PATCH] import php-7.3.20-1.module+el8.2.0+7373+b272fdef --- .gitignore | 2 +- .php.metadata | 2 +- SOURCES/php-5.6.3-embed.patch | 2 +- SOURCES/php-7.2.4-fixheader.patch | 12 --- SOURCES/php-7.3.20-fixheader.patch | 13 +++ SOURCES/php-7.3.5-CVE-2019-11043.patch | 133 ------------------------- SPECS/php.spec | 15 +-- 7 files changed, 25 insertions(+), 154 deletions(-) delete mode 100644 SOURCES/php-7.2.4-fixheader.patch create mode 100644 SOURCES/php-7.3.20-fixheader.patch delete mode 100644 SOURCES/php-7.3.5-CVE-2019-11043.patch diff --git a/.gitignore b/.gitignore index 12dd0e9..eb3f58e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/php-7.3.5.tar.xz +SOURCES/php-7.3.20.tar.xz diff --git a/.php.metadata b/.php.metadata index 4d9804a..82c7342 100644 --- a/.php.metadata +++ b/.php.metadata @@ -1 +1 @@ -bd795b6ada8a4e480ae5f3746dbc4972e763036e SOURCES/php-7.3.5.tar.xz +d0dd05fa421e0f581960eda6cb8a256abb98b920 SOURCES/php-7.3.20.tar.xz diff --git a/SOURCES/php-5.6.3-embed.patch b/SOURCES/php-5.6.3-embed.patch index d9c04f6..38eea1d 100644 --- a/SOURCES/php-5.6.3-embed.patch +++ b/SOURCES/php-5.6.3-embed.patch @@ -18,7 +18,7 @@ diff -up php-5.5.30/scripts/php-config.in.old php-5.5.30/scripts/php-config.in php_cgi_binary=NONE configure_options="@CONFIGURE_OPTIONS@" -php_sapis="@PHP_INSTALLED_SAPIS@" -+php_sapis="apache2handler embed fpm @PHP_INSTALLED_SAPIS@" ++php_sapis="apache2handler embed fpm phpdbg @PHP_INSTALLED_SAPIS@" # Set php_cli_binary and php_cgi_binary if available for sapi in $php_sapis; do diff --git a/SOURCES/php-7.2.4-fixheader.patch b/SOURCES/php-7.2.4-fixheader.patch deleted file mode 100644 index 52a4121..0000000 --- a/SOURCES/php-7.2.4-fixheader.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up php-7.2.4RC1/configure.ac.fixheader php-7.2.4RC1/configure.ac ---- php-7.2.4RC1/configure.ac.fixheader 2018-03-13 12:42:47.594623100 +0100 -+++ php-7.2.4RC1/configure.ac 2018-03-13 12:43:35.591871825 +0100 -@@ -1275,7 +1275,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d` - fi - AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date]) - --PHP_UNAME=`uname -a | xargs` -+PHP_UNAME=`uname | xargs` - AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output]) - PHP_OS=`uname | xargs` - AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output]) diff --git a/SOURCES/php-7.3.20-fixheader.patch b/SOURCES/php-7.3.20-fixheader.patch new file mode 100644 index 0000000..6bbdfbd --- /dev/null +++ b/SOURCES/php-7.3.20-fixheader.patch @@ -0,0 +1,13 @@ +diff -up ./configure.ac.fixheader ./configure.ac +--- ./configure.ac.fixheader 2020-07-06 16:04:56.069183751 +0200 ++++ ./configure.ac 2020-07-06 16:05:52.044046238 +0200 +@@ -1350,7 +1350,8 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d` + fi + AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date]) + +-PHP_UNAME=`uname -a | xargs` ++UNAME=`uname -a | xargs` ++PHP_UNAME=${PHP_UNAME:-$UNAME} + AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output]) + PHP_OS=`uname | xargs` + AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output]) diff --git a/SOURCES/php-7.3.5-CVE-2019-11043.patch b/SOURCES/php-7.3.5-CVE-2019-11043.patch deleted file mode 100644 index 9539a0e..0000000 --- a/SOURCES/php-7.3.5-CVE-2019-11043.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 19e17d3807e6cc0b1ba9443ec5facbd33a61f8fe Mon Sep 17 00:00:00 2001 -From: Jakub Zelenka -Date: Sat, 12 Oct 2019 15:56:16 +0100 -Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE) - (CVE-2019-11043) - -(cherry picked from commit ab061f95ca966731b1c84cf5b7b20155c0a1c06a) ---- - NEWS | 2 + - sapi/fpm/fpm/fpm_main.c | 4 +- - .../tests/bug78599-path-info-underflow.phpt | 61 +++++++++++++++++++ - sapi/fpm/tests/tester.inc | 11 +++- - 4 files changed, 74 insertions(+), 4 deletions(-) - create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt - -diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c -index 483fabe9d850..dfc0d8f7413c 100644 ---- a/sapi/fpm/fpm/fpm_main.c -+++ b/sapi/fpm/fpm/fpm_main.c -@@ -1148,8 +1148,8 @@ static void init_request_info(void) - path_info = script_path_translated + ptlen; - tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); - } else { -- path_info = env_path_info ? env_path_info + pilen - slen : NULL; -- tflag = (orig_path_info != path_info); -+ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; -+ tflag = path_info && (orig_path_info != path_info); - } - - if (tflag) { -diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt -new file mode 100644 -index 000000000000..edd4e0d49699 ---- /dev/null -+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt -@@ -0,0 +1,61 @@ -+--TEST-- -+FPM: bug78599 - env_path_info underflow - CVE-2019-11043 -+--SKIPIF-- -+ -+--FILE-- -+start(); -+$tester->expectLogStartNotices(); -+$uri = $tester->makeSourceFile(); -+$tester -+ ->request( -+ '', -+ [ -+ 'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35), -+ 'PATH_INFO' => '', -+ 'HTTP_HUI' => str_repeat('PTEST', 1000), -+ ], -+ $uri -+ ) -+ ->expectBody( -+ [ -+ 'Test Start', -+ 'string(0) ""', -+ 'Test End' -+ ] -+ ); -+$tester->terminate(); -+$tester->close(); -+ -+?> -+Done -+--EXPECT-- -+Done -+--CLEAN-- -+ -diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc -index 001b7d6a54ea..188fd4885943 100644 ---- a/sapi/fpm/tests/tester.inc -+++ b/sapi/fpm/tests/tester.inc -@@ -513,7 +513,7 @@ class Tester - return new Response(null, true); - } - if (is_null($uri)) { -- $uri = $this->makeFile('src.php', $this->code); -+ $uri = $this->makeSourceFile(); - } - - $params = array_merge( -@@ -538,7 +538,6 @@ class Tester - ], - $headers - ); -- - try { - $this->response = new Response( - $this->getClient($address, $connKeepAlive)->request_data($params, false) -@@ -944,6 +943,14 @@ class Tester - return $filePath; - } - -+ /** -+ * @return string -+ */ -+ public function makeSourceFile() -+ { -+ return $this->makeFile('src.php', $this->code); -+ } -+ - /** - * @param string|null $msg - */ diff --git a/SPECS/php.spec b/SPECS/php.spec index c9e471d..cbf07cf 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -61,13 +61,13 @@ %global with_tidy 0 %endif -%global upver 7.3.5 +%global upver 7.3.20 #global rcver RC1 Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 5%{?dist} +Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -77,7 +77,7 @@ Release: 5%{?dist} License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA URL: http://www.php.net/ -Source0: http://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz +Source0: https://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz Source1: php.conf Source2: php.ini Source3: macros.php @@ -109,14 +109,13 @@ Patch43: php-7.3.0-phpize.patch # Use -lldap_r for OpenLDAP Patch45: php-7.2.3-ldap_r.patch # Make php_config.h constant across builds -Patch46: php-7.2.4-fixheader.patch +Patch46: php-7.3.20-fixheader.patch # drop "Configure command" from phpinfo output Patch47: php-5.6.3-phpinfo.patch # Upstream fixes (100+) # Security fixes (200+) -Patch200: php-7.3.5-CVE-2019-11043.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -722,7 +721,6 @@ low-level PHP extension for the libsodium cryptographic library. # upstream patches # security patches -%patch200 -p1 -b .cve11043 # Fixes for tests %patch300 -p1 -b .datetests @@ -822,6 +820,7 @@ cp %{SOURCE50} 10-opcache.ini %build # Set build date from https://reproducible-builds.org/specs/source-date-epoch/ export SOURCE_DATE_EPOCH=$(date +%s -r NEWS) +export PHP_UNAME=$(uname) # aclocal workaround - to be improved cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4 @@ -1001,6 +1000,7 @@ popd without_shared="--without-gd \ --disable-dom --disable-dba --without-unixODBC \ --disable-opcache \ + --disable-phpdbg \ --disable-json \ --disable-xmlreader --disable-xmlwriter \ --without-sodium \ @@ -1569,6 +1569,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Fri Jul 10 2020 Remi Collet - 7.3.20-1 +- update to 7.3.20 #1856655 + * Tue Oct 29 2019 Remi Collet - 7.3.5-5 - fix underflow in env_path_info in fpm_main.c CVE-2019-11043