home:rottame:vhosts-ng:php74
php7
Problem getting expanded diff: bad link: conflict in file php7.spec
Changes of Revision 12
php7.changes
Changed
@@ -1,8 +1,26 @@ ------------------------------------------------------------------- -Fri May 31 13:50:46 UTC 2024 - Angelo Grossini <angelo@intercom.it> +Thu Aug 29 09:38:34 UTC 2024 - Arjen de Korte <suse+build@de-korte.org> -- set session.save_path to /tmp +- Fix build with GCC14 + +------------------------------------------------------------------- +Thu Jun 20 09:38:53 UTC 2024 - pgajdos@suse.com + +- drop unmaintained apache-rex usage + +------------------------------------------------------------------- +Thu Jun 20 09:37:22 UTC 2024 - pgajdos@suse.com + +- security update +- added patches + fix CVE-2024-2756 bsc#1222857, host/secure cookie bypass due to partial fix + + php7-CVE-2024-2756.patch + fix CVE-2024-3096 bsc#1222858, password_verify can erroneously return true, opening ATO risk + + php7-CVE-2024-3096.patch + fix CVE-2024-5458 bsc#1226073, filter bypass in filter_var FILTER_VALIDATE_URL + + php7-CVE-2024-5458.patch +------------------------------------------------------------------- Thu May 30 19:18:43 UTC 2024 - Arjen de Korte <suse+build@de-korte.org> - Fix check for newer versions of ICU @@ -47,6 +65,11 @@ + php7-CVE-2023-3247.patch ------------------------------------------------------------------- +Fri May 31 13:50:46 UTC 2024 - Angelo Grossini <angelo@intercom.it> + +- set session.save_path to /tmp + +------------------------------------------------------------------- Thu Apr 20 21:19:59 UTC 2023 - Arjen de Korte <suse+build@de-korte.org> - The %_restart_on_update macro was removed from systemd-rpm-macros.
php7.spec
Changed
@@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -70,6 +70,7 @@ Source11: %{php_name}.rpmlintrc Source12: php-fpm.tmpfiles.d Source100: build-test.sh +Patch1000: session-save-path.patch ## SUSE specific patches # adjust includedir Patch0: php-phpize.patch @@ -125,7 +126,12 @@ Patch30: php7-CVE-2023-3824.patch # PATCH-FIX-UPSTREAM https://github.com/php/php-src/pull/14186 Patch31: php7-fix-newer-versions-icu.patch -Patch1000: session-save-path.patch +# CVE-2024-2756 bsc#1222857, host/secure cookie bypass due to partial fix +Patch32: php7-CVE-2024-2756.patch +# CVE-2024-3096 bsc#1222858, password_verify can erroneously return true, opening ATO risk +Patch33: php7-CVE-2024-3096.patch +# CVE-2024-5458 bsc#1226073, filter bypass in filter_var FILTER_VALIDATE_URL +Patch34: php7-CVE-2024-5458.patch BuildRequires: apache-rpm-macros BuildRequires: autoconf BuildRequires: bison @@ -184,11 +190,9 @@ BuildRequires: pkgconfig(libargon2) %endif %if "%{flavor}" == "test" -BuildRequires: apache-rex BuildRequires: mod_php_any = %{version} BuildRequires: php-cli = %{version} BuildRequires: php-fpm = %{version} -%apache_rex_deps %endif %if "%{flavor}" == "" @@ -1103,8 +1107,8 @@ ./buildconf --force # export flags -CFLAGS="%{optflags} -O3 -fPIE -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing" -CXXFLAGS="%{optflags} -O3 -fPIE -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing" +CFLAGS="%{optflags} -O3 -fPIE -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -fpermissive" +CXXFLAGS="%{optflags} -O3 -fPIE -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -fpermissive" %if %{build_firebird} CFLAGS="$CFLAGS -I/usr/include/firebird" CXXFLAGS="$CXXFLAGS -I/usr/include/firebird" 
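Review bot: `Patch32`–`Patch34` are declared in the `@@ -125,7 +126,12 @@` hunk, but none of the hunks shown for php7.spec touches `%prep`, so whether the three CVE patches are actually applied depends on how `%prep` is written. If it uses per-patch `%patch` lines rather than `%autosetup` or `%autopatch`, the fixes would ship in the source package without being compiled in; the page's own "Problem getting expanded diff" banner means this listing cannot settle it. The new comments also omit the `# PATCH-FIX-UPSTREAM` tag and upstream reference that `Patch31` carries; a line such as `# PATCH-FIX-UPSTREAM <upstream-commit-url> CVE-2024-2756 bsc#1222857` above each entry would make the backports traceable.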
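Review bot: Adding `-fpermissive` to both `CFLAGS` and `CXXFLAGS` in the `# export flags` hunk relaxes diagnostics for the whole PHP build instead of for the code that fails under GCC 14. With GCC 14 that flag turns the newly fatal C diagnostics (implicit function declarations, incompatible pointer types, int conversions) back into warnings, so a genuine type mismatch introduced by a later backport would compile without stopping the build. A narrower form such as `-Wno-error=incompatible-pointer-types` for the one diagnostic that breaks, or a source patch for the offending file, keeps the remaining checks fatal; which diagnostic actually fails is not visible on this page. A spec comment next to the flag naming the failing file and the reason would help whoever removes it later.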
@@ -1315,9 +1319,6 @@ done set -x unset NO_INTERACTION REPORT_EXIT_STATUS -# Apache HTTPD runnable examples test -%apache_rex_check -m libs mod_php-basic -%apache_rex_check -m libs -b sapi/fpm mod_proxy_fcgi-php-fpm mod_proxy_fcgi-php-fpm-auth-RewriteRule mod_proxy_fcgi-php-fpm-CGIPassAuth exit 0 %endif
php7-CVE-2024-2756.patch
Added
@@ -0,0 +1,73 @@
+Index: php-7.4.33/main/php_variables.c
+===================================================================
+--- php-7.4.33.orig/main/php_variables.c
++++ php-7.4.33/main/php_variables.c
+@@ -65,6 +65,21 @@ static zend_always_inline void php_regis
+ zend_string_release_ex(key, 0);
+ }
+
++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++static int php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
++{
++ if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
++ return 1;
++ }
++
++ if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++ return 1;
++ }
++
++ return 0;
++}
++
+ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array)
+ {
+ char *p = NULL;
+@@ -115,20 +130,6 @@ PHPAPI void php_register_variable_ex(cha
+ }
+ var_len = p - var;
+
+- /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+- if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+- /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+- if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+ if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ zval_ptr_dtor_nogc(val);
+ free_alloca(var_orig, use_heap);
+@@ -226,6 +227,12 @@ PHPAPI void php_register_variable_ex(cha
+ return;
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
+ if (!gpc_element_p) {
+ zval tmp;
+@@ -263,6 +270,12 @@ plain_var:
+ zval_ptr_dtor_nogc(val);
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ zend_ulong idx;
+
+ /*
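Review bot: `php_is_forbidden_variable_name` takes a length for `mangled_name` but none for `pre_mangled_name`, so its `strncmp` calls on the third argument rely on that string being NUL-terminated, and the comment above the helper does not say so. A short contract line would make the asymmetry deliberate, for example `/* mangled_name is length-checked and need not be NUL-terminated; pre_mangled_name must be a NUL-terminated C string. Returns 1 when the variable must be discarded. */`. Both new call sites pass `var_name`, which is a `char *` parameter of `php_register_variable_ex`, so this presumably holds today. The patch file shown carries no test alongside the `php_variables.c` change, so a regression in either call site would go unnoticed by the package's test flavor. The body of `php_register_variable_ex` around both call sites lies outside the hunks shown.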
php7-CVE-2024-3096.patch
Added
@@ -0,0 +1,16 @@
+Index: php-7.4.33/ext/standard/password.c
+===================================================================
+--- php-7.4.33.orig/ext/standard/password.c
++++ php-7.4.33/ext/standard/password.c
+@@ -260,6 +260,11 @@ static zend_string* php_password_bcrypt_
+ zval *zcost;
+ zend_long cost = PHP_PASSWORD_BCRYPT_COST;
+
++ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
++ php_error_docref(NULL, E_ERROR, "Bcrypt password must not contain null character");
++ return NULL;
++ }
++
+ if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
+ cost = zval_get_long(zcost);
+ }
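Review bot: The added NUL check reports through `php_error_docref(NULL, E_ERROR, …)`, which PHP normally treats as fatal, so the `return NULL;` after it is effectively unreachable and a request whose password contains a NUL byte ends the script instead of producing a failure the caller can handle. The check also has no comment saying why bcrypt needs it; something like `/* bcrypt treats the password as a C string and stops at the first NUL; refuse to hash a silently truncated password */` would record the reason next to the code. Only what looks like the hashing path is changed here (the function name in the hunk header is cut off at `php_password_bcrypt_`), so hashes already stored from NUL-containing passwords are presumably still accepted by verification, and operators may want to find and reset those accounts. The function body continues outside the hunk.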
php7-CVE-2024-5458.patch
Added
@@ -0,0 +1,98 @@
+From 5c6d47372cff9ac01113763cce5bdc097bb90f33 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Wed, 22 May 2024 22:25:02 +0200
+Subject: PATCH Fix GHSA-w8qr-v226-r27w
+
+We should not early-out with success status if we found an ipv6
+hostname, we should keep checking the rest of the conditions.
+Because integrating the if-check of the ipv6 hostname in the
+"Validate domain" if-check made the code hard to read, I extracted the
+condition out to a separate function. This also required to make
+a few pointers const in order to have some clean code.
+---
+ ext/filter/logical_filters.c | 35 ++++++++++---------
+ ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 15 deletions(-)
+ create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+
+Index: php-7.4.33/ext/filter/logical_filters.c
+===================================================================
+--- php-7.4.33.orig/ext/filter/logical_filters.c
++++ php-7.4.33/ext/filter/logical_filters.c
+@@ -91,7 +91,7 @@
+ #define FORMAT_IPV4 4
+ #define FORMAT_IPV6 6
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip8);
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip8);
+
+ static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */
+ zend_long ctx_value;
+@@ -571,6 +571,14 @@ static int is_userinfo_valid(zend_string
+ return 1;
+ }
+
++static int php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
++{
++ const char *e = s + l;
++ const char *t = e - 1;
++
++ return *s == '' && *t == '' && _php_filter_validate_ipv6(s + 1, l - 2, NULL);
++}
++
+ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ {
+ php_url *url;
+@@ -596,7 +604,7 @@ void php_filter_validate_url(PHP_INPUT_F
+
+ if (url->scheme != NULL &&
+ (zend_string_equals_literal_ci(url->scheme, "http") || zend_string_equals_literal_ci(url->scheme, "https"))) {
+- char *e, *s, *t;
++ const char *s;
+ size_t l;
+
+ if (url->host == NULL) {
+@@ -605,17 +613,14 @@ void php_filter_validate_url(PHP_INPUT_F
+
+ s = ZSTR_VAL(url->host);
+ l = ZSTR_LEN(url->host);
+- e = s + l;
+- t = e - 1;
+-
+- /* An IPv6 enclosed by square brackets is a valid hostname */
+- if (*s == '' && *t == '' && _php_filter_validate_ipv6((s + 1), l - 2, NULL)) {
+- php_url_free(url);
+- return;
+- }
+
+- // Validate domain
+- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)) {
++ if (
++ /* An IPv6 enclosed by square brackets is a valid hostname.*/
++ !php_filter_is_valid_ipv6_hostname(s, l) &&
++ /* Validate domain.
++ * This includes a loose check for an IPv4 address. */
++ !_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)
++ ) {
+ php_url_free(url);
+ RETURN_VALIDATION_FAILED
+ }
+@@ -749,15 +754,15 @@ static int _php_filter_validate_ipv4(cha
+ }
+ /* }}} */
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip8) /* {{{ */
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip8) /* {{{ */
+ {
+ int compressed_pos = -1;
+ int blocks = 0;
+ int num, n, i;
+ char *ipv4;
+- char *end;
++ const char *end;
+ int ip4elm4;
+- char *s = str;
++ const char *s = str;
+
+ if (!memchr(str, ':', str_len)) {
+ return 0;
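Review bot: The patch header's diffstat lists `ext/filter/tests/ghsa-w8qr-v226-r27w.phpt` (41 added lines, `create mode 100644`), but the 98-line patch file contains hunks for `ext/filter/logical_filters.c` only, so the regression test for this filter bypass is not part of the backport. Carrying the `.phpt` file, or noting in the header that it was dropped, would let the test flavor confirm the fix still holds after later rebases. Separately, `php_filter_is_valid_ipv6_hostname` forms `e - 1` and passes `l - 2` without first looking at `l`; for a NUL-terminated host the comparisons short-circuit before either value is misused, but an explicit `if (l < 2) return 0;` at the top would state that bound in the code. The character literals appear as `''` and the array parameters as `ip8` and `ip4elm4` on this page, which looks like square brackets lost in rendering, so check the patch file itself rather than this listing.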
_link
Changed
@@ -1,4 +1,4 @@
-<link project="openSUSE.org:devel:languages:php:php74" baserev="33aa00e95274142087269b55cd217f04">
+<link project="openSUSE.org:devel:languages:php:php74" baserev="1eef1f726a8f2d34912260d3197e77d2">
 <patches>
 <branch/>
 </patches>