rpms/php
7
0
Fork 0
Code Issues Pull Requests Releases Activity
1d1654b533
php/php-ghsa-4w77-75f9-2c8w.patch
Remi Collet 1d1654b533 Fix CVEs up to 8.1.34: 
Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface  GHSA-4w77-75f9-2c8w
Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs  CVE-2024-11234
Fix Single byte overread with convert.quoted-printable-decode filter  CVE-2024-11233
Fix Leak partial content of the heap through heap buffer over-read  CVE-2024-8929
Fix libxml streams use wrong `content-type` header when requesting a redirected resource  CVE-2025-1219
Fix Stream HTTP wrapper header check might omit basic auth header  CVE-2025-1736
Fix Stream HTTP wrapper truncate redirect location to 1024 bytes  CVE-2025-1861
Fix Streams HTTP wrapper does not fail for headers without colon  CVE-2025-1734
Fix Header parser of `http` stream wrapper does not handle folded headers  CVE-2025-1217
Fix pgsql extension does not check for errors during escaping  CVE-2025-1735
Fix NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix  CVE-2025-6491
Fix Null byte termination in hostnames  CVE-2025-1220
Fix Null byte termination in dns_get_record()  GHSA-www2-q4fc-65wf
Fix Heap buffer overflow in array_merge()  CVE-2025-14178
Fix Information Leak of Memory in getimagesize  CVE-2025-14177

Resolves: RHEL-141181
2026-01-19 08:43:37 +01:00

136 lines
4.5 KiB
Diff
Raw Blame History

From 56488a8a4ec68e58eecc9e78dd75e41adf56984c Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 9 Nov 2024 15:29:52 +0100
Subject: [PATCH 6/7] Fix GHSA-4w77-75f9-2c8w
(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)
(cherry picked from commit 462092a48aa0dbad24d9fa8a4a9d418faa14d309)
---
sapi/cli/php_cli_server.c | 6 +---
sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++
2 files changed, 42 insertions(+), 5 deletions(-)
create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index c3097861e3f..8717dc57418 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -1923,8 +1923,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
{
- char *val;
-
request_info->request_method = php_http_method_str(client->request.request_method);
request_info->proto_num = client->request.protocol_version;
request_info->request_uri = client->request.request_uri;
@@ -1932,9 +1930,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
request_info->query_string = client->request.query_string;
request_info->content_length = client->request.content_len;
request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
- if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
- request_info->content_type = val;
- }
+ request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
} /* }}} */
static void destroy_request_info(sapi_request_info *request_info) /* {{{ */
diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
new file mode 100644
index 00000000000..80944c3d14f
--- /dev/null
+++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
@@ -0,0 +1,41 @@
+--TEST--
+GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "php_cli_server.inc";
+
+$serverCode = <<<'CODE'
+var_dump(file_get_contents('php://input'));
+CODE;
+
+php_cli_server_start($serverCode, null, []);
+
+$options = [
+ "http" => [
+ "method" => "POST",
+ "header" => "Content-Type: application/x-www-form-urlencoded",
+ "content" => "AAAAA",
+ ],
+];
+$context = stream_context_create($options);
+
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
+
+$options = [
+ "http" => [
+ "method" => "POST",
+ ],
+];
+$context = stream_context_create($options);
+
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
+?>
+--EXPECT--
+string(5) "AAAAA"
+string(0) ""
--
2.47.0
From d8d682d3d6a4d027771806c8fc77128cae078d29 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Fri, 22 Nov 2024 08:58:10 +0100
Subject: [PATCH 7/7] NEWS for 8.1.31 backports
(cherry picked from commit 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a)
---
NEWS | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/NEWS b/NEWS
index 62616d6312d..f600d6aea65 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,30 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 8.1.31
+
+- CLI:
+ . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
+ Processing in CLI SAPI Interface). (nielsdos)
+
+- LDAP:
+ . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
+ (nielsdos)
+
+- PDO DBLIB:
+ . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
+ OOB writes). (CVE-2024-11236) (nielsdos)
+
+- PDO Firebird:
+ . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
+ causing OOB writes). (CVE-2024-11236) (nielsdos)
+
+- Streams:
+ . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
+ might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
+ . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
+ convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
+
Backported from 8.1.30
- CGI:
--
2.47.0
Reference in New Issue View Git Blame Copy Permalink