rpms/php
7
0
Fork 0
Code Issues Pull Requests Releases Activity
0d15d688d2
php/php-cve-2026-6722.patch
Remi Collet 0d15d688d2 Fix CVEs up to 8.2.31: 
- Fix XSS within status endpoint CVE-2026-6735
- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map CVE-2026-6722
- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261
- Fix Broken Apache map value NULL check CVE-2026-7262
- Fix Signed integer overflow of char array offset CVE-2026-7568
- Fix Consistently pass unsigned char to ctype.h functions  CVE-2026-7258

Resolves: RHEL-181020
2026-06-04 09:21:46 +02:00

110 lines
3.4 KiB
Diff
Raw Blame History

From 6c4b67ca091afea4f436202d7f9db38a129106dc Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:56:53 +0200
Subject: [PATCH 1/9] GHSA-85c2-q967-79q5: [soap] Fix stale
SOAP_GLOBAL(ref_map) pointer with Apache Map
Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722
(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
(cherry picked from commit 15064460d6682766f91c1a841d27cdfbc38907e8)
(cherry picked from commit bbc1be3fc763b81707ccaa91a4cd1d439b753b12)
---
ext/soap/php_encoding.c | 3 +-
ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
2 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 0a6edbf5a41..088d0086472 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -367,6 +367,7 @@ static zend_bool soap_check_xml_ref(zval *data, xmlNodePtr node)
static void soap_add_xml_ref(zval *data, xmlNodePtr node)
{
if (SOAP_GLOBAL(ref_map)) {
+ Z_TRY_ADDREF_P(data);
zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
}
}
@@ -3433,7 +3434,7 @@ void encode_reset_ns()
} else {
SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
}
- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
}
void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
new file mode 100644
index 00000000000..8bcac26ad18
--- /dev/null
+++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+ public function test(...$args) {
+ $GLOBALS['result'] = $args;
+ }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+ <soapenv:Body>
+ <test>
+ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+ <item>
+ <key>foo</key>
+ <value id="stale"><object>bar</object></value>
+ </item>
+ <item>
+ <key>foo</key>
+ <value>baz</value>
+ </item>
+ </map>
+ <stale href="#stale"/>
+ </test>
+ </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+ [0]=>
+ array(1) {
+ ["foo"]=>
+ string(3) "baz"
+ }
+ [1]=>
+ object(stdClass)#%d (1) {
+ ["object"]=>
+ string(3) "bar"
+ }
+}
--
2.54.0
Reference in New Issue View Git Blame Copy Permalink