php7.2: add u12 patchset

master
parent 6ca4be2c6f
commit b01cb26b06
  1. 6
      testing/php7.2/APKBUILD
  2. 59
      testing/php7.2/u12-001-CVE-2022-31625.patch
  3. 23
      testing/php7.2/u12-002-CVE-2022-31626.patch

@ -26,7 +26,7 @@
pkgname=php7.2
_pkgreal=php
pkgver=7.2.34
pkgrel=10
pkgrel=11
_apiver=20170718
_suffix=${pkgname#php}
_suffixA=7
@ -123,6 +123,8 @@ source="https://php.net/distributions/$_pkgreal-$pkgver.tar.xz
u11-004-CVE-2017-9119.patch
u11-005-CVE-2017-9120.patch
u11-006-CVE-2021-21707.patch
u12-001-CVE-2022-31625.patch
u12-002-CVE-2022-31626.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -722,4 +724,6 @@ e63ae6e3385bc79ba8507d0676483467a3cd67d1134b8613b0561c5dffe0d247af7561b0a5011d6f
02f47153d9873359e01e9155f413e06f3a3a0689e059e2012d3d2b3c81ab32a0d695655f98822c771c1c5867ca27123a06eb33ee6766109e235f0e2ed1851019 u11-004-CVE-2017-9119.patch
fddf6c50682b4d778908130477a9160df68dbd257f33991262d49c3eb05a220ec608a9625ce2b7f00241010aaa4ec7d9c7daa1884d66decda4ac7c4547082a4d u11-005-CVE-2017-9120.patch
64460be7ba985c5192a51badabdbec3e530e6a0818d71612f1ad2b1e5e80eedcb97bb7da3bc2b2daca2c9a610d969336432e89b7babc6aa474153f2dbe5d0451 u11-006-CVE-2021-21707.patch
bdd0212861e5b20d4420546dd20d835ad00f704c744214ba4777a534c156cc53254fd191341a96a3556c1a7ad1455be3beb31edf198a9ead77d92d569847bbdb u12-001-CVE-2022-31625.patch
9f5e5798b22e9ed4c6b9cb0fe10372a457c7cfa2fc11b6eac459a358eef9b7ed4e15682365747be431804370fb6511506728fc13ed001906fb60ee26fb3b31b8 u12-002-CVE-2022-31626.patch
"

@ -0,0 +1,59 @@
Backport of:
From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 17 May 2022 12:59:23 +0200
Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading
to RCE
We must not free parameters which we haven't initialized yet.
We also fix the not directly related issue, that we checked for the
wrong value being `NULL`, potentially causing a segfault.
---
ext/pgsql/pgsql.c | 6 +++---
ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 ext/pgsql/tests/bug81720.phpt
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -1988,7 +1988,7 @@ PHP_FUNCTION(pg_query_params)
if (Z_TYPE(tmp_val) != IS_STRING) {
php_error_docref(NULL, E_WARNING,"Error converting parameter");
zval_ptr_dtor(&tmp_val);
- _php_pgsql_free_params(params, num_params);
+ _php_pgsql_free_params(params, i);
RETURN_FALSE;
}
params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val));
--- /dev/null
+++ b/ext/pgsql/tests/bug81720.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
+--SKIPIF--
+<?php include("skipif.inc"); ?>
+--FILE--
+<?php
+include('config.inc');
+
+$conn = pg_connect($conn_str);
+
+try {
+ pg_query_params($conn, 'SELECT $1, $2', [1, new stdClass()]);
+} catch (Throwable $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+
+try {
+ pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
+ pg_get_result($conn);
+ pg_send_execute($conn, "my_query", [1, new stdClass()]);
+} catch (Throwable $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+Object of class stdClass could not be converted to string
+Object of class stdClass could not be converted to string
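Review bot: The backport's embedded diffstat `ext/pgsql/pgsql.c | 6 +++---` announces three changed lines, but the patch file carries only the single `_php_pgsql_free_params(params, i);` hunk in pg_query_params, while the added bug81720.phpt test also drives pg_send_execute with the same non-convertible parameter. If the other conversion-failure sites exist in the 7.2 source with the same free-on-failure shape, they were presumably lost in the backport and the second test case would exercise unpatched code; if they were dropped on purpose, the diffstat and the carried-over sentence about the `NULL` check no longer describe this patch and should be trimmed. Either way the patch file should be reconciled with its own header before it ships as a CVE fix. PHP_FUNCTION(pg_query_params) starts and ends outside the hunk.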

@ -0,0 +1,23 @@
Backport of:
From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <smalyshev@gmail.com>
Date: Mon, 6 Jun 2022 00:56:51 -0600
Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow
---
ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -794,7 +794,8 @@ php_mysqlnd_change_auth_response_write(v
MYSQLND_VIO * vio = packet->header.vio;
MYSQLND_STATS * stats = packet->header.stats;
MYSQLND_CONNECTION_STATE * connection_state = packet->header.connection_state;
- zend_uchar * buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
+ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
+ zend_uchar * buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */
DBG_ENTER("php_mysqlnd_change_auth_response_write");
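Review bot: The new `size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;` line carries no explanation of why the header is added, even though the very next line shows the payload starting at `buffer + MYSQLND_HEADER_SIZE` and the replaced line overflowed by exactly that omission. A comment such as `/* the header is written into the same buffer, so reserve room for it too */` would keep a later refactor from reintroducing the bug. The addition itself is unchecked; that is presumably fine if auth_data_len is bounded upstream of this function, but the type and range of auth_data_len are not visible here. php_mysqlnd_change_auth_response_write continues outside the hunk, so the release of a heap-allocated buffer cannot be reviewed from this section.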