- rel 50; backported fix for CVE-2019-11043

author Arkadiusz Miśkiewicz <arekm@maven.pl>

Fri, 25 Oct 2019 12:11:23 +0000 (14:11 +0200)

committer Arkadiusz Miśkiewicz <arekm@maven.pl>

Fri, 25 Oct 2019 12:11:23 +0000 (14:11 +0200)
author Arkadiusz Miśkiewicz <arekm@maven.pl>
Fri, 25 Oct 2019 12:11:23 +0000 (14:11 +0200)
committer Arkadiusz Miśkiewicz <arekm@maven.pl>
Fri, 25 Oct 2019 12:11:23 +0000 (14:11 +0200)
diff --git a/CVE-2019-11043.patch b/CVE-2019-11043.patch

new file mode 100644 (file)

index 0000000..a841677
--- /dev/null
+++ b/CVE-2019-11043.patch
@@ -0,0 +1,22 @@
+commit ab061f95ca966731b1c84cf5b7b20155c0a1c06a
+Author: Jakub Zelenka <bukka@php.net>
+Date:   Sat Oct 12 15:56:16 2019 +0100
+
+    Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index 24a7e5d56a..50f92981f1 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1209,8 +1209,8 @@ static void init_request_info(void)
+                                                               path_info = script_path_translated + ptlen;
+                                                               tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
+                                                       } else {
+-                                                              path_info = env_path_info ? env_path_info + pilen - slen : NULL;
+-                                                              tflag = (orig_path_info != path_info);
++                                                              path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
++                                                              tflag = path_info && (orig_path_info != path_info);
+                                                       }
+ 
+                                                       if (tflag) {
+
diff --git a/php.spec b/php.spec

index b33173139ad739b2f06f1dce834df2b9af26ef25..cdbc6b898263aea11e12cac095dac71398e0eafd 100644 (file)
--- a/php.spec
+++ b/php.spec
@@ -143,7 +143,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
  %undefine      with_alternatives
  %endif
  
-%define                rel     49
+%define                rel     50
  %define                orgname php
  %define                ver_suffix 53
  %define                php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -255,6 +255,7 @@ Patch77:    php-icu64.patch
  # https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html
  # also from RHEL6/CentOS7
  Patch220:      php-5.3.3-CVE-2011-4153.patch
+Patch221:      CVE-2019-11043.patch
  
  Patch247:      php-5.3.3-CVE-2014-2497.patch
  
@@ -2153,6 +2154,7 @@ gzip -dc %{SOURCE15} | tar xf - -C sapi/
  %patch77 -p1
  
  %patch220 -p1
+%patch221 -p1
  
  %patch247 -p1
author	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Fri, 25 Oct 2019 12:11:23 +0000 (14:11 +0200)
committer	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Fri, 25 Oct 2019 12:11:23 +0000 (14:11 +0200)
CVE-2019-11043.patch	[new file with mode: 0644]	patch \| blob
php.spec		patch \| blob \| blame \| history