diff options
| author |   Patrick J Volkerding <volkerdi@slackware.com> | 2023-02-15 03:05:40 +0000 |
|---|---|---|
| committer |   Eric Hameleers <alien@slackware.com> | 2023-02-16 01:30:36 +0100 |
| commit | ad9ea8bf781935db257f79f0efd1e0744c8e02c2 (patch) | |
| tree | 9da82fc636b78ff4ff4e05b6c586b9f50b49674a /patches | |
| parent | 57c03ef31c0605de681f1b0b851a48985f59baa9 (diff) | |
| download | current-ad9ea8bf781935db257f79f0efd1e0744c8e02c2.tar.gz current-ad9ea8bf781935db257f79f0efd1e0744c8e02c2.tar.xz | |
Wed Feb 15 03:05:40 UTC 202320230215030540_15.0
extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
patches/packages/hwdata-0.367-noarch-1_slack15.0.txz: Upgraded.
Upgraded to get information for newer hardware.
Requested by kingbeowulf on LQ.
patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
https://www.cve.org/CVERecord?id=CVE-2023-25728
https://www.cve.org/CVERecord?id=CVE-2023-25730
https://www.cve.org/CVERecord?id=CVE-2023-25743
https://www.cve.org/CVERecord?id=CVE-2023-0767
https://www.cve.org/CVERecord?id=CVE-2023-25735
https://www.cve.org/CVERecord?id=CVE-2023-25737
https://www.cve.org/CVERecord?id=CVE-2023-25738
https://www.cve.org/CVERecord?id=CVE-2023-25739
https://www.cve.org/CVERecord?id=CVE-2023-25729
https://www.cve.org/CVERecord?id=CVE-2023-25732
https://www.cve.org/CVERecord?id=CVE-2023-25734
https://www.cve.org/CVERecord?id=CVE-2023-25742
https://www.cve.org/CVERecord?id=CVE-2023-25746
(* Security fix *)
patches/packages/php-7.4.33-x86_64-3_slack15.0.txz: Rebuilt.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
Diffstat (limited to 'patches')
| -rw-r--r-- | patches/packages/hwdata-0.367-noarch-1_slack15.0.txt | 11 | ||||
| -rw-r--r-- | patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txt (renamed from patches/packages/mozilla-firefox-102.7.0esr-x86_64-1_slack15.0.txt) | 0 | ||||
| -rw-r--r-- | patches/packages/php-7.4.33-x86_64-3_slack15.0.txt (renamed from patches/packages/php-7.4.33-x86_64-2_slack15.0.txt) | 0 | ||||
| -rwxr-xr-x | patches/source/hwdata/hwdata.SlackBuild | 122 | ||||
| -rw-r--r-- | patches/source/hwdata/slack-desc | 19 | ||||
| -rw-r--r-- | patches/source/php/CVE-2023-0567.patch | 142 | ||||
| -rw-r--r-- | patches/source/php/CVE-2023-0568.patch | 62 | ||||
| -rw-r--r-- | patches/source/php/CVE-2023-0662.patch | 411 | ||||
| -rwxr-xr-x | patches/source/php/php.SlackBuild | 5 |
9 files changed, 771 insertions, 1 deletions
diff --git a/patches/packages/hwdata-0.367-noarch-1_slack15.0.txt b/patches/packages/hwdata-0.367-noarch-1_slack15.0.txt new file mode 100644 index 000000000..7a9b212b6 --- /dev/null +++ b/patches/packages/hwdata-0.367-noarch-1_slack15.0.txt @@ -0,0 +1,11 @@ +hwdata: hwdata (hardware identification and configuration data) +hwdata: +hwdata: hwdata contains various hardware identification and configuration +hwdata: data, such as the pci.ids database and MonitorsDB databases. +hwdata: +hwdata: Homepage: https://github.com/vcrhonek/hwdata +hwdata: +hwdata: +hwdata: +hwdata: +hwdata: diff --git a/patches/packages/mozilla-firefox-102.7.0esr-x86_64-1_slack15.0.txt b/patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txt index 9d8594319..9d8594319 100644 --- a/patches/packages/mozilla-firefox-102.7.0esr-x86_64-1_slack15.0.txt +++ b/patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txt diff --git a/patches/packages/php-7.4.33-x86_64-2_slack15.0.txt b/patches/packages/php-7.4.33-x86_64-3_slack15.0.txt index 88937e9e0..88937e9e0 100644 --- a/patches/packages/php-7.4.33-x86_64-2_slack15.0.txt +++ b/patches/packages/php-7.4.33-x86_64-3_slack15.0.txt diff --git a/patches/source/hwdata/hwdata.SlackBuild b/patches/source/hwdata/hwdata.SlackBuild new file mode 100755 index 000000000..93c2e0150 --- /dev/null +++ b/patches/source/hwdata/hwdata.SlackBuild @@ -0,0 +1,122 @@ +#!/bin/bash + +# Slackware build script for hwdata + +# Copyright 2015, 2017 Robby Workman, Tuscaloosa, Alabama, USA +# Copyright 2018, 2022 Patrick J. Volkerding, Sebeka, Minnesota, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +cd $(dirname $0) ; CWD=$(pwd) + +PKGNAM=hwdata +VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} +BUILD=${BUILD:-1_slack15.0} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +# If the variable PRINT_PACKAGE_NAME is set, then this script will report what +# the name of the created package would be, and then exit. This information +# could be useful to other scripts. +if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then + echo "$PKGNAM-$VERSION-noarch-$BUILD.txz" + exit 0 +fi + +TMP=${TMP:-/tmp} +PKG=$TMP/package-$PKGNAM + +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +# Override $ARCH, since there are no binaries included at this time: +ARCH=noarch + +rm -rf $PKG +mkdir -p $TMP $PKG +cd $TMP +rm -rf $PKGNAM-$VERSION +tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1 +cd $PKGNAM-$VERSION || exit 1 +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \+ -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \+ + +# Grab latest copies of pci and usb ids: +rm -f usb.ids pci.ids +lftpget https://pci-ids.ucw.cz/v2.2/pci.ids http://www.linux-usb.org/usb.ids + +./configure --libdir=/lib || exit 1 +#make download # grab latest copies of everything +make install DESTDIR=$PKG || exit 1 + +# Put compat symlinks in place for stuff that doesn't know about pkgconfig +for file in iab.txt oui.txt pci.ids pnp.ids usb.ids; do + if [ -r $PKG/usr/share/hwdata/$file ]; then + ln -s hwdata/$file $PKG/usr/share/$file + fi +done + +# Move the provided blacklist stuff to the docs. +# Ideally, we have that info in udev package. +mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION +cp -a \ + COPYING* LICENSE README* \ + $PKG/usr/doc/$PKGNAM-$VERSION +mv $PKG/lib/modprobe.d/dist-blacklist.conf $PKG/usr/doc/$PKGNAM-$VERSION + +# Remove the usused directories /lib/modprobe.d and /lib one at a time +# so we'll notice if anything new is added there: +#rm -rf $PKG/lib +rmdir $PKG/lib/modprobe.d || exit 1 +rmdir $PKG/lib || exit 1 + +# If there's a ChangeLog, installing at least part of the recent history +# is useful, but don't let it get totally out of control: +if [ -r ChangeLog ]; then + DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION) + cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog + touch -r ChangeLog $DOCSDIR/ChangeLog +fi + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz diff --git a/patches/source/hwdata/slack-desc b/patches/source/hwdata/slack-desc new file mode 100644 index 000000000..d776810fd --- /dev/null +++ b/patches/source/hwdata/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +hwdata: hwdata (hardware identification and configuration data) +hwdata: +hwdata: hwdata contains various hardware identification and configuration +hwdata: data, such as the pci.ids database and MonitorsDB databases. +hwdata: +hwdata: Homepage: https://github.com/vcrhonek/hwdata +hwdata: +hwdata: +hwdata: +hwdata: +hwdata: diff --git a/patches/source/php/CVE-2023-0567.patch b/patches/source/php/CVE-2023-0567.patch new file mode 100644 index 000000000..78defd92b --- /dev/null +++ b/patches/source/php/CVE-2023-0567.patch @@ -0,0 +1,142 @@ +From 7882d12ff2d8d8c5a4af821464e0a5ac2cde2002 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be> +Date: Mon, 23 Jan 2023 21:15:24 +0100 +Subject: [PATCH] crypt: Fix validation of malformed BCrypt hashes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PHP’s implementation of crypt_blowfish differs from the upstream Openwall +version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt +by including a `$` character within the characters that represent the salt. + +Hashes that are affected by the “PHP Hack” may erroneously validate any +password as valid when used with `password_verify` and when comparing the +return value of `crypt()` against the input. + +The PHP Hack exists since the first version of PHP’s own crypt_blowfish +implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5. + +No clear reason is given for the PHP Hack’s existence. This commit removes it, +because BCrypt hashes containing a `$` character in their salt are not valid +BCrypt hashes. +--- + ext/standard/crypt_blowfish.c | 8 -- + .../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++ + 2 files changed, 82 insertions(+), 8 deletions(-) + create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt + +diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c +index 3806a290aee4..351d40308089 100644 +--- a/ext/standard/crypt_blowfish.c ++++ b/ext/standard/crypt_blowfish.c +@@ -371,7 +371,6 @@ static const unsigned char BF_atoi64[0x60] = { + #define BF_safe_atoi64(dst, src) \ + { \ + tmp = (unsigned char)(src); \ +- if (tmp == '$') break; /* PHP hack */ \ + if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ + tmp = BF_atoi64[tmp]; \ + if (tmp > 63) return -1; \ +@@ -399,13 +398,6 @@ static int BF_decode(BF_word *dst, const char *src, int size) + *dptr++ = ((c3 & 0x03) << 6) | c4; + } while (dptr < end); + +- if (end - dptr == size) { +- return -1; +- } +- +- while (dptr < end) /* PHP hack */ +- *dptr++ = 0; +- + return 0; + } + +diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt +new file mode 100644 +index 000000000000..32e335f4b087 +--- /dev/null ++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt +@@ -0,0 +1,82 @@ ++--TEST-- ++bcrypt correctly rejects salts containing $ ++--FILE-- ++<?php ++for ($i = 0; $i < 23; $i++) { ++ $salt = '$2y$04$' . str_repeat('0', $i) . '$'; ++ $result = crypt("foo", $salt); ++ var_dump($salt); ++ var_dump($result); ++ var_dump($result === $salt); ++} ++?> ++--EXPECT-- ++string(8) "$2y$04$$" ++string(2) "*0" ++bool(false) ++string(9) "$2y$04$0$" ++string(2) "*0" ++bool(false) ++string(10) "$2y$04$00$" ++string(2) "*0" ++bool(false) ++string(11) "$2y$04$000$" ++string(2) "*0" ++bool(false) ++string(12) "$2y$04$0000$" ++string(2) "*0" ++bool(false) ++string(13) "$2y$04$00000$" ++string(2) "*0" ++bool(false) ++string(14) "$2y$04$000000$" ++string(2) "*0" ++bool(false) ++string(15) "$2y$04$0000000$" ++string(2) "*0" ++bool(false) ++string(16) "$2y$04$00000000$" ++string(2) "*0" ++bool(false) ++string(17) "$2y$04$000000000$" ++string(2) "*0" ++bool(false) ++string(18) "$2y$04$0000000000$" ++string(2) "*0" ++bool(false) ++string(19) "$2y$04$00000000000$" ++string(2) "*0" ++bool(false) ++string(20) "$2y$04$000000000000$" ++string(2) "*0" ++bool(false) ++string(21) "$2y$04$0000000000000$" ++string(2) "*0" ++bool(false) ++string(22) "$2y$04$00000000000000$" ++string(2) "*0" ++bool(false) ++string(23) "$2y$04$000000000000000$" ++string(2) "*0" ++bool(false) ++string(24) "$2y$04$0000000000000000$" ++string(2) "*0" ++bool(false) ++string(25) "$2y$04$00000000000000000$" ++string(2) "*0" ++bool(false) ++string(26) "$2y$04$000000000000000000$" ++string(2) "*0" ++bool(false) ++string(27) "$2y$04$0000000000000000000$" ++string(2) "*0" ++bool(false) ++string(28) "$2y$04$00000000000000000000$" ++string(2) "*0" ++bool(false) ++string(29) "$2y$04$000000000000000000000$" ++string(2) "*0" ++bool(false) ++string(30) "$2y$04$0000000000000000000000$" ++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K" ++bool(false) diff --git a/patches/source/php/CVE-2023-0568.patch b/patches/source/php/CVE-2023-0568.patch new file mode 100644 index 000000000..3b8440926 --- /dev/null +++ b/patches/source/php/CVE-2023-0568.patch @@ -0,0 +1,62 @@ +From c0fceebfa195b8e56a7108cb731b5ea7afbef70c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Fri, 27 Jan 2023 19:28:27 +0100 +Subject: [PATCH] Fix array overrun when appending slash to paths + +Fix it by extending the array sizes by one character. As the input is +limited to the maximum path length, there will always be place to append +the slash. As the php_check_specific_open_basedir() simply uses the +strings to compare against each other, no new failures related to too +long paths are introduced. +We'll let the DOM and XML case handle a potentially too long path in the +library code. +--- + ext/dom/document.c | 2 +- + ext/xmlreader/php_xmlreader.c | 2 +- + main/fopen_wrappers.c | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index 4dee5548f188..c60198a3be11 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1182,7 +1182,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so + int validate, recover, resolve_externals, keep_blanks, substitute_ent; + int resolved_path_len; + int old_error_reporting = 0; +- char *directory=NULL, resolved_path[MAXPATHLEN]; ++ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; + + if (id != NULL) { + intern = Z_DOMOBJ_P(id); +diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c +index c17884d960cb..39141c8c1223 100644 +--- a/ext/xmlreader/php_xmlreader.c ++++ b/ext/xmlreader/php_xmlreader.c +@@ -1017,7 +1017,7 @@ PHP_METHOD(XMLReader, XML) + xmlreader_object *intern = NULL; + char *source, *uri = NULL, *encoding = NULL; + int resolved_path_len, ret = 0; +- char *directory=NULL, resolved_path[MAXPATHLEN]; ++ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; + xmlParserInputBufferPtr inputbfr; + xmlTextReaderPtr reader; + +diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c +index f6ce26e104be..12cc9c8b10c0 100644 +--- a/main/fopen_wrappers.c ++++ b/main/fopen_wrappers.c +@@ -129,10 +129,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir) + */ + PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path) + { +- char resolved_name[MAXPATHLEN]; +- char resolved_basedir[MAXPATHLEN]; ++ char resolved_name[MAXPATHLEN + 1]; ++ char resolved_basedir[MAXPATHLEN + 1]; + char local_open_basedir[MAXPATHLEN]; +- char path_tmp[MAXPATHLEN]; ++ char path_tmp[MAXPATHLEN + 1]; + char *path_file; + size_t resolved_basedir_len; + size_t resolved_name_len; diff --git a/patches/source/php/CVE-2023-0662.patch b/patches/source/php/CVE-2023-0662.patch new file mode 100644 index 000000000..e9cada2c9 --- /dev/null +++ b/patches/source/php/CVE-2023-0662.patch @@ -0,0 +1,411 @@ +From 716de0cff539f46294ef70fe75d548cd66766370 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Thu, 19 Jan 2023 14:31:25 +0000 +Subject: [PATCH] Introduce max_multipart_body_parts INI + +This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of +parsed multipart body parts as currently all parts were always parsed. +--- + main/main.c | 1 + + main/rfc1867.c | 11 ++ + ...-54hq-v5wp-fqgv-max-body-parts-custom.phpt | 53 +++++++++ + ...54hq-v5wp-fqgv-max-body-parts-default.phpt | 54 +++++++++ + .../ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt | 52 +++++++++ + sapi/fpm/tests/tester.inc | 106 +++++++++++++++--- + 6 files changed, 262 insertions(+), 15 deletions(-) + create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt + create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt + create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt + +diff --git a/main/main.c b/main/main.c +index 40684f32dc14..c58ea58bf5ac 100644 +--- a/main/main.c ++++ b/main/main.c +@@ -751,6 +751,7 @@ PHP_INI_BEGIN() + PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL) ++ PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL) + + STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) + STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) +diff --git a/main/rfc1867.c b/main/rfc1867.c +index b43cfae5a1e2..3086e8da3dbe 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -687,6 +687,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + void *event_extra_data = NULL; + unsigned int llen = 0; + int upload_cnt = INI_INT("max_file_uploads"); ++ int body_parts_cnt = INI_INT("max_multipart_body_parts"); + const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(); + php_rfc1867_getword_t getword; + php_rfc1867_getword_conf_t getword_conf; +@@ -708,6 +709,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + return; + } + ++ if (body_parts_cnt < 0) { ++ body_parts_cnt = PG(max_input_vars) + upload_cnt; ++ } ++ int body_parts_limit = body_parts_cnt; ++ + /* Get the boundary */ + boundary = strstr(content_type_dup, "boundary"); + if (!boundary) { +@@ -792,6 +798,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + char *pair = NULL; + int end = 0; + ++ if (--body_parts_cnt < 0) { ++ php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit); ++ goto fileupload_done; ++ } ++ + while (isspace(*cd)) { + ++cd; + } +#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt +#new file mode 100644 +#index 000000000000..d2239ac3c410 +#--- /dev/null +#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt +#@@ -0,0 +1,53 @@ +#+--TEST-- +#+FPM: GHSA-54hq-v5wp-fqgv - max_multipart_body_parts ini custom value +#+--SKIPIF-- +#+<?php include "skipif.inc"; ?> +#+--FILE-- +#+<?php +#+ +#+require_once "tester.inc"; +#+ +#+$cfg = <<<EOT +#+[global] +#+error_log = {{FILE:LOG}} +#+[unconfined] +#+listen = {{ADDR}} +#+pm = dynamic +#+pm.max_children = 5 +#+pm.start_servers = 1 +#+pm.min_spare_servers = 1 +#+pm.max_spare_servers = 3 +#+php_admin_value[html_errors] = false +#+php_admin_value[max_input_vars] = 20 +#+php_admin_value[max_file_uploads] = 5 +#+php_admin_value[max_multipart_body_parts] = 10 +#+php_flag[display_errors] = On +#+EOT; +#+ +#+$code = <<<EOT +#+<?php +#+var_dump(count(\$_POST)); +#+EOT; +#+ +#+$tester = new FPM\Tester($cfg, $code); +#+$tester->start(); +#+$tester->expectLogStartNotices(); +#+echo $tester +#+ ->request(stdin: [ +#+ 'parts' => [ +#+ 'count' => 30, +#+ ] +#+ ]) +#+ ->getBody(); +#+$tester->terminate(); +#+$tester->close(); +#+ +#+?> +#+--EXPECT-- +#+Warning: Unknown: Multipart body parts limit exceeded 10. To increase the limit change max_multipart_body_parts in php.ini. in Unknown on line 0 +#+int(10) +#+--CLEAN-- +#+<?php +#+require_once "tester.inc"; +#+FPM\Tester::clean(); +#+?> +#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt +#new file mode 100644 +#index 000000000000..42b5afbf9ee7 +#--- /dev/null +#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt +#@@ -0,0 +1,54 @@ +#+--TEST-- +#+FPM: GHSA-54hq-v5wp-fqgv - max_multipart_body_parts ini default +#+--SKIPIF-- +#+<?php include "skipif.inc"; ?> +#+--FILE-- +#+<?php +#+ +#+require_once "tester.inc"; +#+ +#+$cfg = <<<EOT +#+[global] +#+error_log = {{FILE:LOG}} +#+[unconfined] +#+listen = {{ADDR}} +#+pm = dynamic +#+pm.max_children = 5 +#+pm.start_servers = 1 +#+pm.min_spare_servers = 1 +#+pm.max_spare_servers = 3 +#+php_admin_value[html_errors] = false +#+php_admin_value[max_input_vars] = 20 +#+php_admin_value[max_file_uploads] = 5 +#+php_flag[display_errors] = On +#+EOT; +#+ +#+$code = <<<EOT +#+<?php +#+var_dump(count(\$_POST)); +#+EOT; +#+ +#+$tester = new FPM\Tester($cfg, $code); +#+$tester->start(); +#+$tester->expectLogStartNotices(); +#+echo $tester +#+ ->request(stdin: [ +#+ 'parts' => [ +#+ 'count' => 30, +#+ ] +#+ ]) +#+ ->getBody(); +#+$tester->terminate(); +#+$tester->close(); +#+ +#+?> +#+--EXPECT-- +#+Warning: Unknown: Input variables exceeded 20. To increase the limit change max_input_vars in php.ini. in Unknown on line 0 +#+ +#+Warning: Unknown: Multipart body parts limit exceeded 25. To increase the limit change max_multipart_body_parts in php.ini. in Unknown on line 0 +#+int(20) +#+--CLEAN-- +#+<?php +#+require_once "tester.inc"; +#+FPM\Tester::clean(); +#+?> +#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt +#new file mode 100644 +#index 000000000000..da81174c7280 +#--- /dev/null +#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt +#@@ -0,0 +1,52 @@ +#+--TEST-- +#+FPM: GHSA-54hq-v5wp-fqgv - exceeding max_file_uploads +#+--SKIPIF-- +#+<?php include "skipif.inc"; ?> +#+--FILE-- +#+<?php +#+ +#+require_once "tester.inc"; +#+ +#+$cfg = <<<EOT +#+[global] +#+error_log = {{FILE:LOG}} +#+[unconfined] +#+listen = {{ADDR}} +#+pm = dynamic +#+pm.max_children = 5 +#+pm.start_servers = 1 +#+pm.min_spare_servers = 1 +#+pm.max_spare_servers = 3 +#+php_admin_value[html_errors] = false +#+php_admin_value[max_file_uploads] = 5 +#+php_flag[display_errors] = On +#+EOT; +#+ +#+$code = <<<EOT +#+<?php +#+var_dump(count(\$_FILES)); +#+EOT; +#+ +#+$tester = new FPM\Tester($cfg, $code); +#+$tester->start(); +#+$tester->expectLogStartNotices(); +#+echo $tester +#+ ->request(stdin: [ +#+ 'parts' => [ +#+ 'count' => 10, +#+ 'param' => 'filename' +#+ ] +#+ ]) +#+ ->getBody(); +#+$tester->terminate(); +#+$tester->close(); +#+ +#+?> +#+--EXPECT-- +#+Warning: Maximum number of allowable file uploads has been exceeded in Unknown on line 0 +#+int(5) +#+--CLEAN-- +#+<?php +#+require_once "tester.inc"; +#+FPM\Tester::clean(); +#+?> +##diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +##index 6197cdba53f5..e51aa0f69143 100644 +##--- a/sapi/fpm/tests/tester.inc +##+++ b/sapi/fpm/tests/tester.inc +#@@ -567,13 +567,17 @@ class Tester +# * @param string $query +# * @param array $headers +# * @param string|null $uri +#+ * @param string|null $scriptFilename +#+ * @param string|null $stdin +# * +# * @return array +# */ +# private function getRequestParams( +# string $query = '', +# array $headers = [], +#- string $uri = null +#+ string $uri = null, +#+ string $scriptFilename = null, +#+ ?string $stdin = null +# ): array { +# if (is_null($uri)) { +# $uri = $this->makeSourceFile(); +3@@ -582,8 +586,8 @@ class Tester +# $params = array_merge( +# [ +# 'GATEWAY_INTERFACE' => 'FastCGI/1.0', +#- 'REQUEST_METHOD' => 'GET', +#- 'SCRIPT_FILENAME' => $uri, +#+ 'REQUEST_METHOD' => is_null($stdin) ? 'GET' : 'POST', +#+ 'SCRIPT_FILENAME' => $scriptFilename ?: $uri, +# 'SCRIPT_NAME' => $uri, +# 'QUERY_STRING' => $query, +# 'REQUEST_URI' => $uri . ($query ? '?' . $query : ""), +#@@ -597,7 +601,7 @@ class Tester +# 'SERVER_PROTOCOL' => 'HTTP/1.1', +# 'DOCUMENT_ROOT' => __DIR__, +# 'CONTENT_TYPE' => '', +#- 'CONTENT_LENGTH' => 0 +#+ 'CONTENT_LENGTH' => strlen($stdin ?? "") // Default to 0 +# ], +# $headers +# ); +#@@ -607,20 +611,86 @@ class Tester +# }); +# } +# +#+ /** +#+ * Parse stdin and generate data for multipart config. +#+ * +#+ * @param array $stdin +#+ * @param array $headers +#+ * +#+ * @return void +#+ * @throws \Exception +#+ */ +#+ private function parseStdin(array $stdin, array &$headers) +#+ { +#+ $parts = $stdin['parts'] ?? null; +#+ if (empty($parts)) { +#+ throw new \Exception('The stdin array needs to contain parts'); +#+ } +#+ $boundary = $stdin['boundary'] ?? 'AaB03x'; +#+ if ( ! isset($headers['CONTENT_TYPE'])) { +#+ $headers['CONTENT_TYPE'] = 'multipart/form-data; boundary=' . $boundary; +#+ } +#+ $count = $parts['count'] ?? null; +#+ if ( ! is_null($count)) { +#+ $dispositionType = $parts['disposition'] ?? 'form-data'; +#+ $dispositionParam = $parts['param'] ?? 'name'; +#+ $namePrefix = $parts['prefix'] ?? 'f'; +#+ $nameSuffix = $parts['suffix'] ?? ''; +#+ $value = $parts['value'] ?? 'test'; +#+ $parts = []; +#+ for ($i = 0; $i < $count; $i++) { +#+ $parts[] = [ +#+ 'disposition' => $dispositionType, +#+ 'param' => $dispositionParam, +#+ 'name' => "$namePrefix$i$nameSuffix", +#+ 'value' => $value +#+ ]; +#+ } +#+ } +#+ $out = ''; +#+ $nl = "\r\n"; +#+ foreach ($parts as $part) { +#+ if (!is_array($part)) { +#+ $part = ['name' => $part]; +#+ } elseif ( ! isset($part['name'])) { +#+ throw new \Exception('Each part has to have a name'); +#+ } +#+ $name = $part['name']; +#+ $dispositionType = $part['disposition'] ?? 'form-data'; +#+ $dispositionParam = $part['param'] ?? 'name'; +#+ $value = $part['value'] ?? 'test'; +#+ $partHeaders = $part['headers'] ?? []; +#+ +#+ $out .= "--$boundary$nl"; +#+ $out .= "Content-disposition: $dispositionType; $dispositionParam=\"$name\"$nl"; +#+ foreach ($partHeaders as $headerName => $headerValue) { +#+ $out .= "$headerName: $headerValue$nl"; +#+ } +#+ $out .= $nl; +#+ $out .= "$value$nl"; +#+ } +#+ $out .= "--$boundary--$nl"; +#+ +#+ return $out; +#+ } +#+ +# /** +# * Execute request. +# * +#- * @param string $query +#- * @param array $headers +#- * @param string|null $uri +#- * @param string|null $address +#- * @param string|null $successMessage +#- * @param string|null $errorMessage +#- * @param bool $connKeepAlive +#- * @param bool $expectError +#- * @param int $readLimit +#+ * @param string $query +#+ * @param array $headers +#+ * @param string|null $uri +#+ * @param string|null $address +#+ * @param string|null $successMessage +#+ * @param string|null $errorMessage +#+ * @param bool $connKeepAlive +#+ * @param string|null $scriptFilename = null +#+ * @param string|array|null $stdin = null +#+ * @param bool $expectError +#+ * @param int $readLimit +# * +# * @return Response +#+ * @throws \Exception +# */ +# public function request( +# string $query = '', +#@@ -630,6 +700,8 @@ class Tester +# string $successMessage = null, +# string $errorMessage = null, +# bool $connKeepAlive = false, +#+ string $scriptFilename = null, +#+ string|array $stdin = null, +# bool $expectError = false, +# int $readLimit = -1, +# ): Response { +#@@ -637,12 +709,16 @@ class Tester +# return new Response(null, true); +# } +# +#- $params = $this->getRequestParams($query, $headers, $uri); +#+ if (is_array($stdin)) { +#+ $stdin = $this->parseStdin($stdin, $headers); +#+ } +#+ +#+ $params = $this->getRequestParams($query, $headers, $uri, $scriptFilename, $stdin); +# $this->trace('Request params', $params); +# +# try { +# $this->response = new Response( +#- $this->getClient($address, $connKeepAlive)->request_data($params, false, $readLimit) +#+ $this->getClient($address, $connKeepAlive)->request_data($params, $stdin, $readLimit) +# ); +# if ($expectError) { +# $this->error('Expected request error but the request was successful'); diff --git a/patches/source/php/php.SlackBuild b/patches/source/php/php.SlackBuild index 8773717c8..34f88d84f 100755 --- a/patches/source/php/php.SlackBuild +++ b/patches/source/php/php.SlackBuild @@ -28,7 +28,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=php VERSION=${VERSION:-$(echo php-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} ALPINE=2.26 -BUILD=${BUILD:-2_slack15.0} +BUILD=${BUILD:-3_slack15.0} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -128,6 +128,9 @@ tar xvf $CWD/php-$VERSION.tar.xz || exit 1 cd php-$VERSION || exit 1 zcat $CWD/CVE-2022-31631.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2023-0567.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2023-0568.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2023-0662.patch.gz | patch -p1 --verbose || exit 1 # cleanup: find . -name "*.orig" -delete |