import php-7.3.20-1.module+el8.2.0+7373+b272fdef

.gitignore

@@ -1 +1 @@
-SOURCES/php-7.3.5.tar.xz
+SOURCES/php-7.3.20.tar.xz

.php.metadata

@@ -1 +1 @@
-bd795b6ada8a4e480ae5f3746dbc4972e763036e SOURCES/php-7.3.5.tar.xz
+d0dd05fa421e0f581960eda6cb8a256abb98b920 SOURCES/php-7.3.20.tar.xz

SOURCES/php-5.6.3-embed.patch

@@ -18,7 +18,7 @@ diff -up php-5.5.30/scripts/php-config.in.old php-5.5.30/scripts/php-config.in
  php_cgi_binary=NONE
  configure_options="@CONFIGURE_OPTIONS@"
 -php_sapis="@PHP_INSTALLED_SAPIS@"
-+php_sapis="apache2handler embed fpm @PHP_INSTALLED_SAPIS@"
++php_sapis="apache2handler embed fpm phpdbg @PHP_INSTALLED_SAPIS@"
  
  # Set php_cli_binary and php_cgi_binary if available
  for sapi in $php_sapis; do

SOURCES/php-7.2.4-fixheader.patch

@@ -1,12 +0,0 @@
-diff -up php-7.2.4RC1/configure.ac.fixheader php-7.2.4RC1/configure.ac
---- php-7.2.4RC1/configure.ac.fixheader	2018-03-13 12:42:47.594623100 +0100
-+++ php-7.2.4RC1/configure.ac	2018-03-13 12:43:35.591871825 +0100
-@@ -1275,7 +1275,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
- fi
- AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date])
- 
--PHP_UNAME=`uname -a | xargs`
-+PHP_UNAME=`uname | xargs`
- AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output])
- PHP_OS=`uname | xargs`
- AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output])

SOURCES/php-7.3.20-fixheader.patch

@@ -0,0 +1,13 @@
+diff -up ./configure.ac.fixheader ./configure.ac
+--- ./configure.ac.fixheader	2020-07-06 16:04:56.069183751 +0200
++++ ./configure.ac	2020-07-06 16:05:52.044046238 +0200
+@@ -1350,7 +1350,8 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
+ fi
+ AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date])
+ 
+-PHP_UNAME=`uname -a | xargs`
++UNAME=`uname -a | xargs`
++PHP_UNAME=${PHP_UNAME:-$UNAME}
+ AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output])
+ PHP_OS=`uname | xargs`
+ AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output])

SOURCES/php-7.3.5-CVE-2019-11043.patch

@@ -1,133 +0,0 @@
-From 19e17d3807e6cc0b1ba9443ec5facbd33a61f8fe Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka <bukka@php.net>
-Date: Sat, 12 Oct 2019 15:56:16 +0100
-Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)
- (CVE-2019-11043)
-
-(cherry picked from commit ab061f95ca966731b1c84cf5b7b20155c0a1c06a)
----
- NEWS                                          |  2 +
- sapi/fpm/fpm/fpm_main.c                       |  4 +-
- .../tests/bug78599-path-info-underflow.phpt   | 61 +++++++++++++++++++
- sapi/fpm/tests/tester.inc                     | 11 +++-
- 4 files changed, 74 insertions(+), 4 deletions(-)
- create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt
-
-diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
-index 483fabe9d850..dfc0d8f7413c 100644
---- a/sapi/fpm/fpm/fpm_main.c
-+++ b/sapi/fpm/fpm/fpm_main.c
-@@ -1148,8 +1148,8 @@ static void init_request_info(void)
- 								path_info = script_path_translated + ptlen;
- 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
- 							} else {
--								path_info = env_path_info ? env_path_info + pilen - slen : NULL;
--								tflag = (orig_path_info != path_info);
-+								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
-+								tflag = path_info && (orig_path_info != path_info);
- 							}
- 
- 							if (tflag) {
-diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
-new file mode 100644
-index 000000000000..edd4e0d49699
---- /dev/null
-+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
-@@ -0,0 +1,61 @@
-+--TEST--
-+FPM: bug78599 - env_path_info underflow - CVE-2019-11043
-+--SKIPIF--
-+<?php include "skipif.inc"; ?>
-+--FILE--
-+<?php
-+
-+require_once "tester.inc";
-+
-+$cfg = <<<EOT
-+[global]
-+error_log = {{FILE:LOG}}
-+[unconfined]
-+listen = {{ADDR}}
-+pm = dynamic
-+pm.max_children = 5
-+pm.start_servers = 1
-+pm.min_spare_servers = 1
-+pm.max_spare_servers = 3
-+EOT;
-+
-+$code = <<<EOT
-+<?php
-+echo "Test Start\n";
-+var_dump(\$_SERVER["PATH_INFO"]);
-+echo "Test End\n";
-+EOT;
-+
-+$tester = new FPM\Tester($cfg, $code);
-+$tester->start();
-+$tester->expectLogStartNotices();
-+$uri = $tester->makeSourceFile();
-+$tester
-+    ->request(
-+        '',
-+        [
-+            'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),
-+            'PATH_INFO'       => '',
-+            'HTTP_HUI'        => str_repeat('PTEST', 1000),
-+        ],
-+        $uri
-+    )
-+    ->expectBody(
-+        [
-+            'Test Start',
-+            'string(0) ""',
-+            'Test End'
-+        ]
-+    );
-+$tester->terminate();
-+$tester->close();
-+
-+?>
-+Done
-+--EXPECT--
-+Done
-+--CLEAN--
-+<?php
-+require_once "tester.inc";
-+FPM\Tester::clean();
-+?>
-diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc
-index 001b7d6a54ea..188fd4885943 100644
---- a/sapi/fpm/tests/tester.inc
-+++ b/sapi/fpm/tests/tester.inc
-@@ -513,7 +513,7 @@ class Tester
-             return new Response(null, true);
-         }
-         if (is_null($uri)) {
--            $uri = $this->makeFile('src.php', $this->code);
-+            $uri = $this->makeSourceFile();
-         }
- 
-         $params = array_merge(
-@@ -538,7 +538,6 @@ class Tester
-             ],
-             $headers
-         );
--
-         try {
-             $this->response = new Response(
-                 $this->getClient($address, $connKeepAlive)->request_data($params, false)
-@@ -944,6 +943,14 @@ class Tester
-         return $filePath;
-     }
- 
-+    /**
-+     * @return string
-+     */
-+    public function makeSourceFile()
-+    {
-+        return $this->makeFile('src.php', $this->code);
-+    }
-+
-     /**
-      * @param string|null $msg
-      */

SPECS/php.spec

@@ -61,13 +61,13 @@
 %global with_tidy     0
 %endif
 
-%global upver        7.3.5
+%global upver        7.3.20
 #global rcver        RC1
 
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 5%{?dist}
+Release: 1%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -77,7 +77,7 @@ Release: 5%{?dist}
 License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL: http://www.php.net/
 
-Source0: http://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz
+Source0: https://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz
 Source1: php.conf
 Source2: php.ini
 Source3: macros.php
@@ -109,14 +109,13 @@ Patch43: php-7.3.0-phpize.patch
 # Use -lldap_r for OpenLDAP
 Patch45: php-7.2.3-ldap_r.patch
 # Make php_config.h constant across builds
-Patch46: php-7.2.4-fixheader.patch
+Patch46: php-7.3.20-fixheader.patch
 # drop "Configure command" from phpinfo output
 Patch47: php-5.6.3-phpinfo.patch
 
 # Upstream fixes (100+)
 
 # Security fixes (200+)
-Patch200: php-7.3.5-CVE-2019-11043.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -722,7 +721,6 @@ low-level PHP extension for the libsodium cryptographic library.
 # upstream patches
 
 # security patches
-%patch200 -p1 -b .cve11043
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -822,6 +820,7 @@ cp %{SOURCE50} 10-opcache.ini
 %build
 # Set build date from https://reproducible-builds.org/specs/source-date-epoch/
 export SOURCE_DATE_EPOCH=$(date +%s -r NEWS)
+export PHP_UNAME=$(uname)
 
 # aclocal workaround - to be improved
 cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4
@@ -1001,6 +1000,7 @@ popd
 without_shared="--without-gd \
       --disable-dom --disable-dba --without-unixODBC \
       --disable-opcache \
+      --disable-phpdbg \
       --disable-json \
       --disable-xmlreader --disable-xmlwriter \
       --without-sodium \
@@ -1569,6 +1569,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Fri Jul 10 2020 Remi Collet <rcollet@redhat.com> - 7.3.20-1
+- update to 7.3.20 #1856655
+
 * Tue Oct 29 2019 Remi Collet <rcollet@redhat.com> - 7.3.5-5
 - fix underflow in env_path_info in fpm_main.c CVE-2019-11043