1d1654b533
Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface GHSA-4w77-75f9-2c8w Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233 Fix Leak partial content of the heap through heap buffer over-read CVE-2024-8929 Fix libxml streams use wrong `content-type` header when requesting a redirected resource CVE-2025-1219 Fix Stream HTTP wrapper header check might omit basic auth header CVE-2025-1736 Fix Stream HTTP wrapper truncate redirect location to 1024 bytes CVE-2025-1861 Fix Streams HTTP wrapper does not fail for headers without colon CVE-2025-1734 Fix Header parser of `http` stream wrapper does not handle folded headers CVE-2025-1217 Fix pgsql extension does not check for errors during escaping CVE-2025-1735 Fix NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix CVE-2025-6491 Fix Null byte termination in hostnames CVE-2025-1220 Fix Null byte termination in dns_get_record() GHSA-www2-q4fc-65wf Fix Heap buffer overflow in array_merge() CVE-2025-14178 Fix Information Leak of Memory in getimagesize CVE-2025-14177 Resolves: RHEL-141181
257 lines
8.1 KiB
Diff
257 lines
8.1 KiB
Diff
From 3e9d47f6cc04c9978bb384e2d487cf28d37889f0 Mon Sep 17 00:00:00 2001
|
|
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
|
|
Date: Sat, 6 Sep 2025 21:55:13 +0200
|
|
Subject: [PATCH 4/5] Fix GHSA-www2-q4fc-65wf
|
|
|
|
(cherry picked from commit ed70b1ea43a9b7ffa2f53b3e5d6ba403f37ae81c)
|
|
(cherry picked from commit 52c5762a902e8731b7068ded027fbd780f5a1991)
|
|
---
|
|
ext/standard/basic_functions.c | 12 ++--
|
|
ext/standard/dns.c | 6 +-
|
|
ext/standard/dns_win32.c | 6 +-
|
|
.../tests/network/ghsa-www2-q4fc-65wf.phpt | 71 +++++++++++++++++++
|
|
ext/standard/tests/network/ip_x86_64.phpt | 2 +-
|
|
5 files changed, 84 insertions(+), 13 deletions(-)
|
|
create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
|
|
|
|
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
|
|
index 64f27ef5af7..45746335689 100644
|
|
--- a/ext/standard/basic_functions.c
|
|
+++ b/ext/standard/basic_functions.c
|
|
@@ -3960,7 +3960,7 @@ PHP_NAMED_FUNCTION(php_inet_pton)
|
|
char buffer[17];
|
|
|
|
ZEND_PARSE_PARAMETERS_START(1, 1)
|
|
- Z_PARAM_STRING(address, address_len)
|
|
+ Z_PARAM_PATH(address, address_len)
|
|
ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
|
|
|
|
memset(buffer, 0, sizeof(buffer));
|
|
@@ -3998,7 +3998,7 @@ PHP_FUNCTION(ip2long)
|
|
#endif
|
|
|
|
ZEND_PARSE_PARAMETERS_START(1, 1)
|
|
- Z_PARAM_STRING(addr, addr_len)
|
|
+ Z_PARAM_PATH(addr, addr_len)
|
|
ZEND_PARSE_PARAMETERS_END();
|
|
|
|
#ifdef HAVE_INET_PTON
|
|
@@ -5714,8 +5714,8 @@ PHP_FUNCTION(getservbyname)
|
|
struct servent *serv;
|
|
|
|
ZEND_PARSE_PARAMETERS_START(2, 2)
|
|
- Z_PARAM_STRING(name, name_len)
|
|
- Z_PARAM_STRING(proto, proto_len)
|
|
+ Z_PARAM_PATH(name, name_len)
|
|
+ Z_PARAM_PATH(proto, proto_len)
|
|
ZEND_PARSE_PARAMETERS_END();
|
|
|
|
|
|
@@ -5759,7 +5759,7 @@ PHP_FUNCTION(getservbyport)
|
|
|
|
ZEND_PARSE_PARAMETERS_START(2, 2)
|
|
Z_PARAM_LONG(port)
|
|
- Z_PARAM_STRING(proto, proto_len)
|
|
+ Z_PARAM_PATH(proto, proto_len)
|
|
ZEND_PARSE_PARAMETERS_END();
|
|
|
|
serv = getservbyport(htons((unsigned short) port), proto);
|
|
@@ -5783,7 +5783,7 @@ PHP_FUNCTION(getprotobyname)
|
|
struct protoent *ent;
|
|
|
|
ZEND_PARSE_PARAMETERS_START(1, 1)
|
|
- Z_PARAM_STRING(name, name_len)
|
|
+ Z_PARAM_PATH(name, name_len)
|
|
ZEND_PARSE_PARAMETERS_END();
|
|
|
|
ent = getprotobyname(name);
|
|
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
|
|
index dc85c45e1d7..698ad4f661d 100644
|
|
--- a/ext/standard/dns.c
|
|
+++ b/ext/standard/dns.c
|
|
@@ -377,7 +377,7 @@ PHP_FUNCTION(dns_check_record)
|
|
#endif
|
|
|
|
ZEND_PARSE_PARAMETERS_START(1, 2)
|
|
- Z_PARAM_STRING(hostname, hostname_len)
|
|
+ Z_PARAM_PATH(hostname, hostname_len)
|
|
Z_PARAM_OPTIONAL
|
|
Z_PARAM_STRING(rectype, rectype_len)
|
|
ZEND_PARSE_PARAMETERS_END();
|
|
@@ -825,7 +825,7 @@ PHP_FUNCTION(dns_get_record)
|
|
zend_bool raw = 0;
|
|
|
|
ZEND_PARSE_PARAMETERS_START(1, 5)
|
|
- Z_PARAM_STRING(hostname, hostname_len)
|
|
+ Z_PARAM_PATH(hostname, hostname_len)
|
|
Z_PARAM_OPTIONAL
|
|
Z_PARAM_LONG(type_param)
|
|
Z_PARAM_ZVAL(authns)
|
|
@@ -1065,7 +1065,7 @@ PHP_FUNCTION(dns_get_mx)
|
|
#endif
|
|
|
|
ZEND_PARSE_PARAMETERS_START(2, 3)
|
|
- Z_PARAM_STRING(hostname, hostname_len)
|
|
+ Z_PARAM_PATH(hostname, hostname_len)
|
|
Z_PARAM_ZVAL(mx_list)
|
|
Z_PARAM_OPTIONAL
|
|
Z_PARAM_ZVAL(weight_list)
|
|
diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c
|
|
index 466d927ea3e..f5b6e03a128 100644
|
|
--- a/ext/standard/dns_win32.c
|
|
+++ b/ext/standard/dns_win32.c
|
|
@@ -50,7 +50,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */
|
|
DNS_STATUS status; /* Return value of DnsQuery_A() function */
|
|
PDNS_RECORD pResult, pRec; /* Pointer to DNS_RECORD structure */
|
|
|
|
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
|
|
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
|
|
return;
|
|
}
|
|
|
|
@@ -104,7 +104,7 @@ PHP_FUNCTION(dns_check_record)
|
|
DNS_STATUS status; /* Return value of DnsQuery_A() function */
|
|
PDNS_RECORD pResult; /* Pointer to DNS_RECORD structure */
|
|
|
|
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
|
|
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) {
|
|
return;
|
|
}
|
|
|
|
@@ -357,7 +357,7 @@ PHP_FUNCTION(dns_get_record)
|
|
int type, type_to_fetch, first_query = 1, store_results = 1;
|
|
zend_bool raw = 0;
|
|
|
|
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b",
|
|
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b",
|
|
&hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) {
|
|
return;
|
|
}
|
|
diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
|
|
new file mode 100644
|
|
index 00000000000..b14c8ca719b
|
|
--- /dev/null
|
|
+++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
|
|
@@ -0,0 +1,71 @@
|
|
+--TEST--
|
|
+GHSA-www2-q4fc-65wf
|
|
+--DESCRIPTION--
|
|
+This is a ZPP test but *keep* this as it is security-sensitive!
|
|
+--FILE--
|
|
+<?php
|
|
+try {
|
|
+ dns_check_record("\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ dns_get_mx("\0", $out);
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ dns_get_record("\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ getprotobyname("\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ getservbyname("\0", "tcp");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ getservbyname("x", "tcp\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ getservbyport(0, "tcp\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ inet_pton("\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+try {
|
|
+ ip2long("\0");
|
|
+} catch (ValueError $e) {
|
|
+ echo $e->getMessage(), "\n";
|
|
+}
|
|
+?>
|
|
+--EXPECTF--
|
|
+Warning: dns_check_record() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
+Warning: dns_get_mx() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
+Warning: dns_get_record() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
+Warning: getprotobyname() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
+Warning: getservbyname() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
+Warning: getservbyname() expects parameter 2 to be a valid path, string given in %s
|
|
+
|
|
+Warning: getservbyport() expects parameter 2 to be a valid path, string given in %s
|
|
+
|
|
+Warning: inet_pton() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
+Warning: ip2long() expects parameter 1 to be a valid path, string given in %s
|
|
+
|
|
diff --git a/ext/standard/tests/network/ip_x86_64.phpt b/ext/standard/tests/network/ip_x86_64.phpt
|
|
index 3c530b83713..2158e289bae 100644
|
|
--- a/ext/standard/tests/network/ip_x86_64.phpt
|
|
+++ b/ext/standard/tests/network/ip_x86_64.phpt
|
|
@@ -54,7 +54,7 @@ bool(false)
|
|
bool(false)
|
|
int(1869573999)
|
|
|
|
-Warning: ip2long() expects parameter 1 to be string, array given in %sip_x86_64.php on line %d
|
|
+Warning: ip2long() expects parameter 1 to be a valid path, array given in %sip_x86_64.php on line %d
|
|
NULL
|
|
|
|
Warning: long2ip() expects exactly 1 parameter, 0 given in %sip_x86_64.php on line %d
|
|
--
|
|
2.52.0
|
|
|
|
From f2cb8ad2342a7b58b8e467ed60233bb9be30f42e Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@remirepo.net>
|
|
Date: Thu, 18 Dec 2025 07:17:43 +0100
|
|
Subject: [PATCH 5/5] NEWS from 8.1.34
|
|
|
|
(cherry picked from commit 52b3bdaa74078e4ea8abd9696cdbdc35a8091446)
|
|
---
|
|
NEWS | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index a9dd716c003..f212d40b2e9 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -1,6 +1,16 @@
|
|
PHP NEWS
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
+Backported from 8.1.34
|
|
+
|
|
+- Standard:
|
|
+ . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
|
|
+ (ndossche)
|
|
+ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()).
|
|
+ (CVE-2025-14178) (ndossche)
|
|
+ . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize).
|
|
+ (CVE-2025-14177) (ndossche)
|
|
+
|
|
Backported from 8.1.33
|
|
|
|
- PGSQL:
|
|
--
|
|
2.52.0
|
|
|