Fix CVEs up to 8.2.31:

- Fix XSS within status endpoint  CVE-2026-6735
- Fix Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()  CVE-2026-7259
- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map  CVE-2026-6722
- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION  CVE-2026-7261
- Fix Broken Apache map value NULL check  CVE-2026-7262
- Fix Signed integer overflow of char array offset  CVE-2026-7568
- Fix Consistently pass unsigned char to ctype.h functions  CVE-2026-7258

Resolves: RHEL-181025
Remi Collet 2026-06-05 15:11:53 +02:00
parent 79b91547ee
commit e6ee411f95
9 changed files with 2637 additions and 2 deletions

275
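--- /dev/null
+++ b/php-cve-2025-14179.patch
@@ -0,0 +1,275 @@
+From abf5a10618537332f63194f2cf72b019c592029c Mon Sep 17 00:00:00 2001
+From: Saki Takamachi <saki@sakiot.com>
+Date: Sun, 3 May 2026 19:56:30 +0200
+Subject: [PATCH 08/10] GHSA-w476-322c-wpvm: [pdo_firebird] Fix SQL injection
+via NUL bytes in quoted strings
+Fixes GHSA-w476-322c-wpvm
+Fixes CVE-2025-14179
+(cherry picked from commit 3f40b65323dd1b85e9bab6878237d3867e449d5c)
+(cherry picked from commit 4b0dd469bbba7bf5f25f1a4f694aeb15c3515be4)
+---
+ext/pdo_firebird/firebird_driver.c | 68 ++++++++++++-------
+.../tests/ghsa-w476-322c-wpvm.phpt | 44 ++++++++++++
+2 files changed, 88 insertions(+), 24 deletions(-)
+create mode 100644 ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt
+diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
+index fb69797850..06a33651d7 100644
+--- a/ext/pdo_firebird/firebird_driver.c
++++ b/ext/pdo_firebird/firebird_driver.c
+@@ -290,7 +290,7 @@ static FbTokenType getToken(const char** begin, const char* end)
+return ret;
+}
+-int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_params)
++int preprocess(const char* sql, int sql_len, char* sql_out, size_t* sql_out_len, HashTable* named_params)
+{
+zend_bool passAsIs = 1, execBlock = 0;
+zend_long pindex = -1;
+@@ -321,7 +321,7 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+if (l > 252) {
+return 0;
+}
+- strncpy(ident, i, l);
++ memcpy(ident, i, l);
+ident[l] = '\0';
+if (!strcasecmp(ident, "EXECUTE"))
+{
+@@ -346,7 +346,7 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+if (l > 252) {
+return 0;
+}
+- strncpy(ident2, i2, l);
++ memcpy(ident2, i2, l);
+ident2[l] = '\0';
+execBlock = !strcasecmp(ident2, "BLOCK");
+passAsIs = 0;
+@@ -362,11 +362,15 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+if (passAsIs)
+{
+- strcpy(sql_out, sql);
++ memcpy(sql_out, sql, sql_len);
++ sql_out[sql_len] = '\0';
++ *sql_out_len = sql_len;
+return 1;
+}
+- strncat(sql_out, start, p - start);
++ char *sql_out_p = sql_out;
++ memcpy(sql_out_p, start, p - start);
++ sql_out_p += p - start;
+while (p < end)
+{
+@@ -374,10 +378,12 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+tok = getToken(&p, end);
+switch (tok)
+{
+- case ttParamMark:
+- tok = getToken(&p, end);
++ case ttParamMark: {
++ const char* p_peek = p;
++ tok = getToken(&p_peek, end);
+if (tok == ttIdent /*|| tok == ttString*/)
+{
++ p = p_peek;
+++pindex;
+l = p - start;
+/* check the length of the identifier */
+@@ -386,7 +392,7 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+if (l > 253) {
+return 0;
+}
+- strncpy(pname, start, l);
++ memcpy(pname, start, l);
+pname[l] = '\0';
+if (named_params) {
+@@ -395,7 +401,7 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+zend_hash_str_update(named_params, pname, l, &tmp);
+}
+- strcat(sql_out, "?");
++ *sql_out_p++ = '?';
+}
+else
+{
+@@ -405,10 +411,11 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+return 0;
+}
+++pindex;
+- strncat(sql_out, start, p - start);
++ memcpy(sql_out_p, start, p - start);
++ sql_out_p += p - start;
+}
+break;
+-
++ }
+case ttIdent:
+if (execBlock)
+{
+@@ -420,11 +427,14 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+if (l > 252) {
+return 0;
+}
+- strncpy(ident, start, l);
++ memcpy(ident, start, l);
+ident[l] = '\0';
+if (!strcasecmp(ident, "AS"))
+{
+- strncat(sql_out, start, end - start);
++ memcpy(sql_out_p, start, end - start);
++ sql_out_p += end - start;
++ *sql_out_p = '\0';
++ *sql_out_len = sql_out_p - sql_out;
+return 1;
+}
+}
+@@ -433,7 +443,8 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+case ttComment:
+case ttString:
+case ttOther:
+- strncat(sql_out, start, p - start);
++ memcpy(sql_out_p, start, p - start);
++ sql_out_p += p - start;
+break;
+case ttBrokenComment:
+@@ -451,6 +462,8 @@ int preprocess(const char* sql, int sql_len, char* sql_out, HashTable* named_par
+break;
+}
+}
++ *sql_out_p = '\0';
++ *sql_out_len = sql_out_p - sql_out;
+return 1;
+}
+@@ -664,7 +677,7 @@ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t u
+char **quoted, size_t *quotedlen, enum pdo_param_type paramtype)
+{
+size_t qcount = 0;
+- char const *co, *l, *r;
++ char const *co, *l;
+char *c;
+if (!unquotedlen) {
+@@ -674,9 +687,15 @@ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t u
+return 1;
+}
++ const char * const end = unquoted + unquotedlen;
++
+/* Firebird only requires single quotes to be doubled if string lengths are used */
+/* count the number of ' characters */
+- for (co = unquoted; (co = strchr(co,'\'')); qcount++, co++);
++ for (co = unquoted; co < end; co++) {
++ if (*co == '\'') {
++ qcount++;
++ }
++ }
+if (UNEXPECTED(unquotedlen + 2 > ZSTR_MAX_LEN - qcount)) {
+return 0;
+@@ -687,15 +706,15 @@ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t u
+*c++ = '\'';
+/* foreach (chunk that ends in a quote) */
+- for (l = unquoted; (r = strchr(l,'\'')); l = r+1) {
+- strncpy(c, l, r-l+1);
+- c += (r-l+1);
+- /* add the second quote */
+- *c++ = '\'';
++ for (l = unquoted; l < end; l++) {
++ *c++ = *l;
++ if (*l == '\'') {
++ /* add the second quote */
++ *c++ = '\'';
++ }
+}
+/* copy the remainder */
+- strncpy(c, l, *quotedlen-(c-*quoted)-1);
+(*quoted)[*quotedlen-1] = '\'';
+(*quoted)[*quotedlen] = '\0';
+@@ -788,6 +807,7 @@ static int firebird_alloc_prepare_stmt(pdo_dbh_t *dbh, const char *sql, size_t s
+{
+pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
+char *new_sql;
++ size_t new_sql_len;
+/* Firebird allows SQL statements up to 64k, so bail if it doesn't fit */
+if (sql_len > 65536) {
+@@ -815,14 +835,14 @@ static int firebird_alloc_prepare_stmt(pdo_dbh_t *dbh, const char *sql, size_t s
+we need to replace :foo by ?, and store the name we just replaced */
+new_sql = emalloc(sql_len+1);
+new_sql[0] = '\0';
+- if (!preprocess(sql, sql_len, new_sql, named_params)) {
++ if (!preprocess(sql, sql_len, new_sql, &new_sql_len, named_params)) {
+strcpy(dbh->error_code, "07000");
+efree(new_sql);
+return 0;
+}
+/* prepare the statement */
+- if (isc_dsql_prepare(H->isc_status, &H->tr, s, 0, new_sql, H->sql_dialect, out_sqlda)) {
++ if (isc_dsql_prepare(H->isc_status, &H->tr, s, new_sql_len, new_sql, H->sql_dialect, out_sqlda)) {
+RECORD_ERROR(dbh);
+efree(new_sql);
+return 0;
+diff --git a/ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt b/ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt
+new file mode 100644
+index 0000000000..41c1125e9b
+--- /dev/null
++++ b/ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++GHSA-w476-322c-wpvm: SQL injection in pdo_firebird via NUL bytes in quoted strings
++--EXTENSIONS--
++pdo_firebird
++--SKIPIF--
++<?php require('skipif.inc'); ?>
++--XLEAK--
++A bug in firebird causes a memory leak when calling `isc_attach_database()`.
++See https://github.com/FirebirdSQL/firebird/issues/7849
++--FILE--
++<?php
++
++require("testdb.inc");
++
++$dbh->exec('CREATE TABLE ghsa_w476_322c_wpvm (name VARCHAR(255))');
++
++$param = $dbh->quote("\0");
++$param2 = $dbh->quote('or 1=1--');
++var_export($param);
++echo("\n");
++
++echo "prepare: ";
++$stmt = $dbh->prepare("SELECT * FROM ghsa_w476_322c_wpvm WHERE name = {$param} AND name = {$param2}");
++$stmt->execute();
++echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)) . "\n";
++
++echo "query: ";
++$stmt = $dbh->query("SELECT * FROM ghsa_w476_322c_wpvm WHERE name = {$param} AND name = {$param2}");
++echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)) . "\n";
++
++echo "exec: ";
++$affectedRows = $dbh->exec("UPDATE ghsa_w476_322c_wpvm SET name = 'updated' WHERE name = {$param} AND name = {$param2}");
++echo $affectedRows . "\n";
++?>
++--CLEAN--
++<?php
++require 'testdb.inc';
++$dbh->exec("DROP TABLE ghsa_w476_322c_wpvm");
++?>
++--EXPECT--
++'\'' . "\0" . '\''
++prepare: []
++query: []
++exec: 0
+--
+2.54.0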
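Review bot: In firebird_alloc_prepare_stmt() the new `new_sql_len` is a size_t passed straight to isc_dsql_prepare(), while the guard above it still accepts `sql_len` up to and including 65536. If that length argument is a 16-bit unsigned value, as I recall the Firebird client header declaring it (the prototype is not visible here), a statement of exactly 65536 bytes would wrap to 0 and be treated as NUL-terminated again, which is the interpretation this patch sets out to remove. Tightening the guard to `if (sql_len > 65535) {`, or rejecting `new_sql_len > USHRT_MAX` just before the call, closes that edge. Both functions begin and end outside the visible hunks.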

108
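--- /dev/null
+++ b/php-cve-2026-6722.patch
@@ -0,0 +1,108 @@
+From bbc1be3fc763b81707ccaa91a4cd1d439b753b12 Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sun, 3 May 2026 19:56:53 +0200
+Subject: [PATCH 01/10] GHSA-85c2-q967-79q5: [soap] Fix stale
+SOAP_GLOBAL(ref_map) pointer with Apache Map
+Fixes GHSA-85c2-q967-79q5
+Fixes CVE-2026-6722
+(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
+(cherry picked from commit 15064460d6682766f91c1a841d27cdfbc38907e8)
+---
+ext/soap/php_encoding.c | 3 +-
+ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
+2 files changed, 63 insertions(+), 1 deletion(-)
+create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index 2634d2c7db..d1e97d0cb3 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -365,6 +365,7 @@ static zend_bool soap_check_xml_ref(zval *data, xmlNodePtr node)
+static void soap_add_xml_ref(zval *data, xmlNodePtr node)
+{
+if (SOAP_GLOBAL(ref_map)) {
++ Z_TRY_ADDREF_P(data);
+zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
+}
+}
+@@ -3431,7 +3432,7 @@ void encode_reset_ns()
+} else {
+SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
+}
+- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
++ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
+}
+void encode_finish()
+diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
+new file mode 100644
+index 0000000000..8bcac26ad1
+--- /dev/null
++++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
+@@ -0,0 +1,61 @@
++--TEST--
++GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
++--CREDITS--
++brettgervasoni
++--EXTENSIONS--
++soap
++--FILE--
++<?php
++
++class Handler {
++ public function test(...$args) {
++ $GLOBALS['result'] = $args;
++ }
++}
++
++$envelope = <<<'XML'
++<?xml version="1.0" encoding="UTF-8"?>
++<soapenv:Envelope
++ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
++
++ <soapenv:Body>
++ <test>
++ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
++ <item>
++ <key>foo</key>
++ <value id="stale"><object>bar</object></value>
++ </item>
++ <item>
++ <key>foo</key>
++ <value>baz</value>
++ </item>
++ </map>
++ <stale href="#stale"/>
++ </test>
++ </soapenv:Body>
++</soapenv:Envelope>
++XML;
++
++$s = new SoapServer(null, ['uri' => 'urn:a']);
++$s->setClass(Handler::class);
++$s->handle($envelope);
++var_dump($result);
++
++?>
++--EXPECTF--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
++array(2) {
++ [0]=>
++ array(1) {
++ ["foo"]=>
++ string(3) "baz"
++ }
++ [1]=>
++ object(stdClass)#%d (1) {
++ ["object"]=>
++ string(3) "bar"
++ }
++}
+--
+2.54.0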
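Review bot: soap_add_xml_ref() now takes a reference on `data` and encode_reset_ns() installs ZVAL_PTR_DTOR, but nothing in the code says that ref_map has become an owner of the zvals it stores. A short comment above the addref, for example `/* ref_map holds its own reference: the container may release the value (duplicate Apache Map key) before an href resolves to it */`, would keep a later cleanup from dropping the pair as redundant. The matching release depends on the table being destroyed in encode_finish(), whose body lies outside the hunk, so that path is worth confirming when reviewing this backport.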

139
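--- /dev/null
+++ b/php-cve-2026-6735.patch
@@ -0,0 +1,139 @@
+From 62daef7b73108ceda2545862cde0673f252ba2d2 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sun, 3 May 2026 20:01:41 +0200
+Subject: [PATCH 04/10] GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint
+Fixes GHSA-7qg2-v9fj-4mwv
+Fixes CVE-2026-6735
+(cherry picked from commit 99a5ad7441de9914246c7863adb6997396008b9d)
+(cherry picked from commit cc2960e782eb5cc262d7bd572a7d18979a811954)
+---
+sapi/fpm/fpm/fpm_status.c | 28 +++++++++--
+.../tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 48 +++++++++++++++++++
+2 files changed, 72 insertions(+), 4 deletions(-)
+create mode 100644 sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c
+index b77c7fb700..b5e969288c 100644
+--- a/sapi/fpm/fpm/fpm_status.c
++++ b/sapi/fpm/fpm/fpm_status.c
+@@ -448,8 +448,8 @@ int fpm_status_handle_request(void) /* {{{ */
+if (full_syntax) {
+unsigned int i;
+int first;
+- zend_string *tmp_query_string;
+- char *query_string;
++ zend_string *tmp_query_string, *tmp_request_uri_string;
++ char *query_string, *request_uri_string;
+struct timeval duration, now;
+float cpu;
+@@ -474,13 +474,30 @@ int fpm_status_handle_request(void) /* {{{ */
+}
+}
++ request_uri_string = NULL;
++ tmp_request_uri_string = NULL;
++ if (proc->request_uri[0] != '\0') {
++ if (encode) {
++ tmp_request_uri_string = php_escape_html_entities_ex(
++ (const unsigned char *) proc->request_uri,
++ strlen(proc->request_uri), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT,
++ NULL, /* double_encode */ 1, /* quiet */ 0);
++ request_uri_string = ZSTR_VAL(tmp_request_uri_string);
++ } else {
++ request_uri_string = proc->request_uri;
++ }
++ }
++
+query_string = NULL;
+tmp_query_string = NULL;
+if (proc->query_string[0] != '\0') {
+if (!encode) {
+query_string = proc->query_string;
+} else {
+- tmp_query_string = php_escape_html_entities_ex((const unsigned char *) proc->query_string, strlen(proc->query_string), 1, ENT_HTML_IGNORE_ERRORS & ENT_COMPAT, NULL, /* double_encode */ 1, /* quiet */ 0);
++ tmp_query_string = php_escape_html_entities_ex(
++ (const unsigned char *) proc->query_string,
++ strlen(proc->query_string), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT,
++ NULL, /* double_encode */ 1, /* quiet */ 0);
+query_string = ZSTR_VAL(tmp_query_string);
+}
+}
+@@ -506,7 +523,7 @@ int fpm_status_handle_request(void) /* {{{ */
+proc->requests,
+duration.tv_sec * 1000000UL + duration.tv_usec,
+proc->request_method[0] != '\0' ? proc->request_method : "-",
+- proc->request_uri[0] != '\0' ? proc->request_uri : "-",
++ request_uri_string ? request_uri_string : "-",
+query_string ? "?" : "",
+query_string ? query_string : "",
+proc->content_length,
+@@ -517,6 +534,9 @@ int fpm_status_handle_request(void) /* {{{ */
+PUTS(buffer);
+efree(buffer);
++ if (tmp_request_uri_string) {
++ zend_string_free(tmp_request_uri_string);
++ }
+if (tmp_query_string) {
+zend_string_free(tmp_query_string);
+}
+diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+new file mode 100644
+index 0000000000..475bc130a4
+--- /dev/null
++++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+@@ -0,0 +1,48 @@
++--TEST--
++FPM: GHSA-7qg2-v9fj-4mwv - status xss
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = static
++pm.max_children = 2
++pm.status_path = /status
++catch_workers_output = yes
++EOT;
++
++$code = <<<EOT
++<?php
++usleep(200000);
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$responses = $tester
++ ->multiRequest([
++ ['uri' => '/<script>alert(1)</script>', 'query' => '<script>alert(2)</script>'],
++ ['uri' => '/status', 'query' => 'full&html', 'delay' => 100000],
++ ]);
++var_dump(strpos($responses[1]->getBody(), '<script>'));
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++bool(false)
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+--
+2.54.0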
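Review bot: `proc->request_method` is still handed unescaped to the same format call, one argument above the changed `request_uri_string` line, so in the `encode` case one request-derived field continues to bypass php_escape_html_entities_ex(). Whether the front-end web server constrains the method token is not visible here, so it seems safer to escape it the same way or to add a comment stating why it is trusted. The two escape blocks are now identical apart from the field name and could share a small static helper, which would also make it harder to forget a field next time. The remaining arguments of the call lie outside the hunk, so the other string fields of the per-process output should be checked against the same rule.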

1721
php-cve-2026-7258.patch Normal file


67
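--- /dev/null
+++ b/php-cve-2026-7259.patch
@@ -0,0 +1,67 @@
+From 4ed31ebb88b580446f2d70b760c29643fcfa0da5 Mon Sep 17 00:00:00 2001
+From: vi3tL0u1s <luuviethoang.attt@gmail.com>
+Date: Sun, 3 May 2026 20:02:21 +0200
+Subject: [PATCH 05/10] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer
+dereference in php_mb_check_encoding() via mb_ereg_search_init()
+Fixes GHSA-wm6j-2649-pv75
+Fixes CVE-2026-7259
+(cherry picked from commit 79a054eae016c56409432e69aebc8ca908a88838)
+(cherry picked from commit 785bcb5dd5980a4f3173ab0b80c70a5602bc9339)
+---
+Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
+ext/mbstring/php_mbregex.c | 7 ++++++-
+2 files changed, 28 insertions(+), 1 deletion(-)
+create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt
+diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
+new file mode 100644
+index 0000000000..7257af27cb
+--- /dev/null
++++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
++--CREDITS--
++vi3tL0u1s
++--EXTENSIONS--
++mbstring
++--SKIPIF--
++<?php
++if (!function_exists('mb_regex_encoding')) die('skip No mbregex support');
++?>
++--FILE--
++<?php
++// iso-8859-11 is supported by Oniguruma but not by mbfl
++mb_regex_encoding('iso-8859-11');
++mb_ereg_search_init('x');
++?>
++--EXPECTF--
++Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
++Stack trace:
++#0 %s(%d): mb_regex_encoding('iso-8859-11')
++#1 {main}
++ thrown in %s on line %d
+diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
+index e87a7c6131..f0216b2a2d 100644
+--- a/ext/mbstring/php_mbregex.c
++++ b/ext/mbstring/php_mbregex.c
+@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
+if (mbctype == ONIG_ENCODING_UNDEF) {
+return FAILURE;
+}
++ const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
++ if (mbfl_enc == NULL) {
++ /* Encoding supported by Oniguruma but not by mbfl */
++ return FAILURE;
++ }
+MBREX(current_mbctype) = mbctype;
+- MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
++ MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
+return SUCCESS;
+}
+/* }}} */
+--
+2.54.0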
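Review bot: The added `return FAILURE` in php_mb_regex_set_mbctype() changes behaviour for every encoding name that Oniguruma accepts but mbfl does not; the test shows mb_regex_encoding('iso-8859-11') now raising a ValueError where it presumably succeeded before. For a backport to a released branch that user-visible change deserves a line in the package notes, and the in-code comment could state the invariant instead of the symptom: `/* Reject encodings known to Oniguruma but not to mbfl: current_mbctype_mbfl_encoding must never be NULL */`. The function begins outside the hunk, and any other writer of `current_mbctype_mbfl_encoding` is not visible here and needs to keep the same invariant for the fix to hold.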

112
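--- /dev/null
+++ b/php-cve-2026-7261.patch
@@ -0,0 +1,112 @@
+From 63cf032e9675d7d2bbc007c8c787597187a7567b Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sun, 3 May 2026 19:57:16 +0200
+Subject: [PATCH 02/10] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
+header parsing failure with SOAP_PERSISTENCE_SESSION
+Fixes GHSA-m33r-qmcv-p97q
+Fixes CVE-2026-7261
+(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
+(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
+---
+ext/soap/soap.c | 12 ++++-
+ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 58 +++++++++++++++++++++++++
+2 files changed, 68 insertions(+), 2 deletions(-)
+create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 08d6f285d2..9c8bd0ae86 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -1527,13 +1527,21 @@ PHP_METHOD(SoapServer, handle)
+php_output_discard();
+soap_server_fault_ex(function, &h->retval, h);
+efree(fn_name);
+- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
++ if (service->type == SOAP_CLASS && soap_obj) {
++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
++ zval_ptr_dtor(soap_obj);
++ }
++ }
+goto fail;
+} else if (EG(exception)) {
+php_output_discard();
+_soap_server_exception(service, function, ZEND_THIS);
+efree(fn_name);
+- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
++ if (service->type == SOAP_CLASS && soap_obj) {
++ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
++ zval_ptr_dtor(soap_obj);
++ }
++ }
+goto fail;
+}
+} else if (h->mustUnderstand) {
+diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+new file mode 100644
+index 0000000000..bcf441ccd1
+--- /dev/null
++++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+@@ -0,0 +1,58 @@
++--TEST--
++GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
++--CREDITS--
++Ilia Alshanetsky (iliaal)
++--EXTENSIONS--
++soap
++session
++--FILE--
++<?php
++
++class Handler {
++ public function return() {
++ return new SoapFault('Server', 'denied');
++ }
++ public function throw() {
++ throw new SoapFault('Server', 'denied');
++ }
++ public function hello() {
++ return 'ok';
++ }
++}
++
++session_start();
++
++$srv = new SoapServer(null, ['uri' => 'urn:a']);
++$srv->setClass(Handler::class);
++$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
++
++$srv->handle(<<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
++ <soap:Header>
++ <a:return/>
++ </soap:Header>
++ <soap:Body>
++ <a:hello/>
++ </soap:Body>
++</soap:Envelope>
++XML);
++
++$srv->handle(<<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
++ <soap:Header>
++ <a:throw/>
++ </soap:Header>
++ <soap:Body>
++ <a:hello/>
++ </soap:Body>
++</soap:Envelope>
++XML);
++
++?>
++--EXPECT--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+--
+2.54.0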
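Review bot: Both error branches in SoapServer::handle now skip `zval_ptr_dtor(soap_obj)` for SOAP_PERSISTENCE_SESSION without saying why, and the same nested `if` is written out twice. A comment such as `/* a session-persisted object is owned by the session data; releasing it here leaves a dangling entry */` would record the ownership rule; that reason is presumed, since the code that obtains soap_obj is outside the hunk. The guard also reads more easily as one test, `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {`. Any other early-exit path in this method that releases soap_obj is outside the visible lines and should follow the same rule.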

78
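--- /dev/null
+++ b/php-cve-2026-7262.patch
@@ -0,0 +1,78 @@
+From 8c897384b867a573d52a04b455fe2da30671d0ea Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sat, 25 Apr 2026 00:44:37 +0200
+Subject: [PATCH 03/10] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
+NULL check
+Fixes GHSA-hmxp-6pc4-f3vv
+Fixes CVE-2026-7262
+(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
+(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
+---
+ext/soap/php_encoding.c | 2 +-
+ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
+2 files changed, 40 insertions(+), 1 deletion(-)
+create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index d1e97d0cb3..4d6e95b94a 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -2704,7 +2704,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
+}
+xmlValue = get_node(item->children, "value");
+- if (!xmlKey) {
++ if (!xmlValue) {
+soap_error0(E_ERROR, "Encoding: Can't decode apache map, missing value");
+}
+diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+new file mode 100644
+index 0000000000..e46ab2e460
+--- /dev/null
++++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
++--CREDITS--
++Ilia Alshanetsky (iliaal)
++--EXTENSIONS--
++soap
++--FILE--
++<?php
++
++$request = <<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope
++ xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
++ xmlns:apache="http://xml.apache.org/xml-soap">
++
++ <soap:Body>
++ <test>
++ <map xsi:type="apache:Map">
++ <item><key>hello</key></item>
++ </map>
++ </test>
++ </soap:Body>
++</soap:Envelope>
++XML;
++
++$server = new SoapServer(null, [
++ 'uri' => 'urn:test',
++ 'typemap' => [['type_name' => 'anything']],
++]);
++$server->addFunction('test');
++function test($m) { return null; }
++$server->handle($request);
++
++?>
++--EXPECT--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+--
+2.54.0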

103
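--- /dev/null
+++ b/php-cve-2026-7568.patch
@@ -0,0 +1,103 @@
+From 53de456406a6db5a8bcded8a4b242789ae5b2690 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
+Date: Sun, 3 May 2026 20:02:57 +0200
+Subject: [PATCH 06/10] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
+overflow of char array offset
+Fixes GHSA-96wq-48vp-hh57
+Fixes CVE-2026-7568
+(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32)
+(cherry picked from commit e4fc187a011d91f26178f6dfbccdb07041b99153)
+---
+ext/standard/metaphone.c | 6 +++---
+ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
+2 files changed, 25 insertions(+), 3 deletions(-)
+create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
+index 573bf9a4b0..5b76fac52e 100644
+--- a/ext/standard/metaphone.c
++++ b/ext/standard/metaphone.c
+@@ -117,10 +117,10 @@ static const char _codes[26] =
+/* Allows us to safely look ahead an arbitrary # of letters */
+/* I probably could have just used strlen... */
+-static char Lookahead(char *word, int how_far)
++static char Lookahead(char *word, size_t how_far)
+{
+char letter_ahead = '\0'; /* null by default */
+- int idx;
++ size_t idx;
+for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
+/* Edge forward in the string... */
+@@ -161,7 +161,7 @@ static char Lookahead(char *word, int how_far)
+/* {{{ metaphone */
+static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
+{
+- int w_idx = 0; /* point in the phonization we're at. */
++ size_t w_idx = 0; /* point in the phonization we're at. */
+size_t p_idx = 0; /* end of the phoned phrase */
+size_t max_buffer_len = 0; /* maximum length of the destination buffer */
+ZEND_ASSERT(word != NULL);
+diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+new file mode 100644
+index 0000000000..79c6b65673
+--- /dev/null
++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
++--CREDITS--
++012git012
++--INI--
++memory_limit=3G
++--SKIPIF--
++<?php
++if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
++if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
++if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
++?>
++--FILE--
++<?php
++
++$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
++metaphone($str, 1);
++
++?>
++===DONE===
++--EXPECT--
++===DONE===
+--
+2.54.0
+From 41134d0746a524d7265b67d3d8d0fd433fd7479a Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Wed, 6 May 2026 16:33:44 +0200
+Subject: [PATCH 07/10] [skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt
+As requested by the reporter.
+(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974)
+(cherry picked from commit 101e93900888ef43d42ec0e33866bca3824f51a8)
+---
+ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+index 79c6b65673..cf9a40062f 100644
+--- a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+@@ -1,7 +1,7 @@
+--TEST--
+GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+--CREDITS--
+-012git012
++Aleksey Solovev (Positive Technologies)
+--INI--
+memory_limit=3G
+--SKIPIF--
+--
+2.54.0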
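Review bot: The regression test for the `size_t` change only runs when RUN_RESOURCE_HEAVY_TESTS is set and needs `memory_limit=3G`, so an ordinary test run skips it and the widened `w_idx` and `how_far` types go unexercised. If the package build does not set that variable (not visible here), this fix is covered by review alone, which is worth noting next to the patch. In the same hunk Lookahead() keeps the empty-bodied `for (...; idx++);` and still takes `char *word` while metaphone() holds `unsigned char *word`; a comment such as `/* empty body: the loop only advances idx */` and a matching pointer type would make the index arithmetic easier to audit. The macros that call Lookahead() and index with `w_idx` are outside the hunk and should be read for signed operands that now mix with size_t.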


@ -62,7 +62,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
Release: 5%{?dist}
Release: 6%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@ -129,7 +129,7 @@ Patch53: php-8.0.30-ldap.patch
# Upstream fixes (100+)
# Security fixes (200+)
# From https://github.com/remicollet/php-src-security
# From https://github.com/remicollet/php-src-security/tree/PHP-8.0-security-backports
Patch200: php-cve-2024-2756.patch
Patch201: php-cve-2024-3096.patch
Patch202: php-cve-2024-5458.patch
@ -154,6 +154,14 @@ Patch220: php-cve-2025-1735.patch
Patch221: php-cve-2025-14177.patch
Patch222: php-cve-2025-14178.patch
Patch223: php-ghsa-www2-q4fc-65wf.patch
Patch224: php-cve-2025-14179.patch
Patch225: php-cve-2026-6722.patch
Patch226: php-cve-2026-7261.patch
Patch227: php-cve-2026-7262.patch
Patch228: php-cve-2026-6735.patch
Patch229: php-cve-2026-7259.patch
Patch230: php-cve-2026-7568.patch
Patch231: php-cve-2026-7258.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@ -782,6 +790,14 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
%patch -P221 -p1 -b .cve14177
%patch -P222 -p1 -b .cve14178
%patch -P223 -p1 -b .ghsawwww2
%patch -P224 -p1 -b .cve14179
%patch -P225 -p1 -b .cve6722
%patch -P226 -p1 -b .cve7261
%patch -P227 -p1 -b .cve7262
%patch -P228 -p1 -b .cve6735
%patch -P229 -p1 -b .cve7259
%patch -P230 -p1 -b .cve7268
%patch -P231 -p1 -b .cve7258
# Fixes for tests
%patch -P300 -p1 -b .datetests
@ -1590,6 +1606,22 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog
* Fri Jun 5 2026 Remi Collet <rcollet@redhat.com> - 8.0.30-6
- Fix XSS within status endpoint
CVE-2026-6735
- Fix Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
CVE-2026-7259
- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
CVE-2026-6722
- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
CVE-2026-7261
- Fix Broken Apache map value NULL check
CVE-2026-7262
- Fix Signed integer overflow of char array offset
CVE-2026-7568
- Fix Consistently pass unsigned char to ctype.h functions
CVE-2026-7258
* Fri Jan 16 2026 Remi Collet <rcollet@redhat.com> - 8.0.30-5
- Fix Null byte termination in dns_get_record()
GHSA-www2-q4fc-65wf
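Review bot: Patch224 (php-cve-2025-14179.patch, the pdo_firebird SQL injection fix) is added and applied, but the new 8.0.30-6 %changelog entry does not list CVE-2025-14179, so anyone who reads the RPM changelog to confirm that a CVE is fixed will not find it. Adding `- Fix SQL injection via NUL bytes in quoted strings` followed by `  CVE-2025-14179` to that entry covers it. In %prep the backup suffix for Patch230 is `.cve7268` although the patch is php-cve-2026-7568.patch; `%patch -P230 -p1 -b .cve7568` keeps each suffix traceable to its CVE.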