99 lines
3.3 KiB
Diff
99 lines
3.3 KiB
Diff
From 887cd0710ad856a0d22c329b6ea6c71ebd8621ae Mon Sep 17 00:00:00 2001
|
|
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
|
|
Date: Fri, 27 Jan 2023 19:28:27 +0100
|
|
Subject: [PATCH 3/7] Fix array overrun when appending slash to paths
|
|
|
|
Fix it by extending the array sizes by one character. As the input is
|
|
limited to the maximum path length, there will always be place to append
|
|
the slash. As the php_check_specific_open_basedir() simply uses the
|
|
strings to compare against each other, no new failures related to too
|
|
long paths are introduced.
|
|
We'll let the DOM and XML case handle a potentially too long path in the
|
|
library code.
|
|
|
|
(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953)
|
|
---
|
|
ext/dom/document.c | 2 +-
|
|
ext/xmlreader/php_xmlreader.c | 2 +-
|
|
main/fopen_wrappers.c | 6 +++---
|
|
3 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/ext/dom/document.c b/ext/dom/document.c
|
|
index b478e1a1aab..e683eb8f701 100644
|
|
--- a/ext/dom/document.c
|
|
+++ b/ext/dom/document.c
|
|
@@ -1380,7 +1380,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
|
|
int validate, recover, resolve_externals, keep_blanks, substitute_ent;
|
|
int resolved_path_len;
|
|
int old_error_reporting = 0;
|
|
- char *directory=NULL, resolved_path[MAXPATHLEN];
|
|
+ char *directory=NULL, resolved_path[MAXPATHLEN + 1];
|
|
|
|
if (id != NULL) {
|
|
intern = Z_DOMOBJ_P(id);
|
|
diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
|
|
index 06f569949ce..ecc81ad1470 100644
|
|
--- a/ext/xmlreader/php_xmlreader.c
|
|
+++ b/ext/xmlreader/php_xmlreader.c
|
|
@@ -1038,7 +1038,7 @@ PHP_METHOD(xmlreader, XML)
|
|
xmlreader_object *intern = NULL;
|
|
char *source, *uri = NULL, *encoding = NULL;
|
|
int resolved_path_len, ret = 0;
|
|
- char *directory=NULL, resolved_path[MAXPATHLEN];
|
|
+ char *directory=NULL, resolved_path[MAXPATHLEN + 1];
|
|
xmlParserInputBufferPtr inputbfr;
|
|
xmlTextReaderPtr reader;
|
|
|
|
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
|
|
index 27135020fa3..90de040a218 100644
|
|
--- a/main/fopen_wrappers.c
|
|
+++ b/main/fopen_wrappers.c
|
|
@@ -138,10 +138,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
|
|
*/
|
|
PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
|
|
{
|
|
- char resolved_name[MAXPATHLEN];
|
|
- char resolved_basedir[MAXPATHLEN];
|
|
+ char resolved_name[MAXPATHLEN + 1];
|
|
+ char resolved_basedir[MAXPATHLEN + 1];
|
|
char local_open_basedir[MAXPATHLEN];
|
|
- char path_tmp[MAXPATHLEN];
|
|
+ char path_tmp[MAXPATHLEN + 1];
|
|
char *path_file;
|
|
size_t resolved_basedir_len;
|
|
size_t resolved_name_len;
|
|
--
|
|
2.39.1
|
|
|
|
From 614468ce4056c0ef93aae09532dcffdf65b594b5 Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@remirepo.net>
|
|
Date: Mon, 13 Feb 2023 11:46:47 +0100
|
|
Subject: [PATCH 4/7] NEWS
|
|
|
|
---
|
|
NEWS | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index 03e8c839c77..8157a20d4b3 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -1,6 +1,14 @@
|
|
PHP NEWS
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
+Backported from 8.0.28
|
|
+
|
|
+- Core:
|
|
+ . Fixed bug #81744 (Password_verify() always return true with some hash).
|
|
+ (CVE-2023-0567). (Tim Düsterhus)
|
|
+ . Fixed bug #81746 (1-byte array overrun in common path resolve code).
|
|
+ (CVE-2023-0568). (Niels Dossche)
|
|
+
|
|
Backported from 8.0.27
|
|
|
|
- PDO/SQLite:
|
|
--
|
|
2.39.1
|
|
|