- rel 7; backported fix for CVE-2019-11043

author Arkadiusz Miśkiewicz <arekm@maven.pl>

Fri, 25 Oct 2019 12:06:38 +0000 (14:06 +0200)

committer Arkadiusz Miśkiewicz <arekm@maven.pl>

Fri, 25 Oct 2019 12:06:38 +0000 (14:06 +0200)
author Arkadiusz Miśkiewicz <arekm@maven.pl>
Fri, 25 Oct 2019 12:06:38 +0000 (14:06 +0200)
committer Arkadiusz Miśkiewicz <arekm@maven.pl>
Fri, 25 Oct 2019 12:06:38 +0000 (14:06 +0200)
diff --git a/CVE-2019-11043.patch b/CVE-2019-11043.patch

new file mode 100644 (file)

index 0000000..a841677
--- /dev/null
+++ b/CVE-2019-11043.patch
@@ -0,0 +1,22 @@
+commit ab061f95ca966731b1c84cf5b7b20155c0a1c06a
+Author: Jakub Zelenka <bukka@php.net>
+Date:   Sat Oct 12 15:56:16 2019 +0100
+
+    Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index 24a7e5d56a..50f92981f1 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1209,8 +1209,8 @@ static void init_request_info(void)
+                                                               path_info = script_path_translated + ptlen;
+                                                               tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
+                                                       } else {
+-                                                              path_info = env_path_info ? env_path_info + pilen - slen : NULL;
+-                                                              tflag = (orig_path_info != path_info);
++                                                              path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
++                                                              tflag = path_info && (orig_path_info != path_info);
+                                                       }
+ 
+                                                       if (tflag) {
+
diff --git a/php.spec b/php.spec

index 98a3cf326793e6476869281fff08ddc5ec2a2de0..ba0028e8a2fc3ac833efefa1ee4d7b71a6614742 100644 (file)
--- a/php.spec
+++ b/php.spec
@@ -155,7 +155,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
  %undefine      with_filter
  %endif
  
-%define                rel     6
+%define                rel     7
  %define                orgname php
  %define                ver_suffix 56
  %define                php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -234,7 +234,7 @@ Patch62:    mcrypt-libs.patch
  Patch65:       system-libzip.patch
  Patch66:       php-db.patch
  Patch67:       mysql-lib-ver-mismatch.patch
-
+Patch68:       CVE-2019-11043.patch
  Patch69:       fpm-conf-split.patch
  Patch70:       mysqlnd-ssl.patch
  Patch72:       phar-hash-shared.patch
@@ -2148,7 +2148,7 @@ exit 1
  %{?with_system_libzip:%patch65 -p1}
  %patch66 -p1
  %patch67 -p1
-
+%patch68 -p1
  %patch70 -p1
  %patch72 -p1
  %patch73 -p1
author	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Fri, 25 Oct 2019 12:06:38 +0000 (14:06 +0200)
committer	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Fri, 25 Oct 2019 12:06:38 +0000 (14:06 +0200)
CVE-2019-11043.patch	[new file with mode: 0644]	patch \| blob
php.spec		patch \| blob \| blame \| history