Wed Feb 15 03:05:40 UTC 202320230215030540

a/kernel-firmware-20230214_a253a37-noarch-1.txz:  Upgraded.
a/kernel-generic-6.1.12-x86_64-1.txz:  Upgraded.
a/kernel-huge-6.1.12-x86_64-1.txz:  Upgraded.
a/kernel-modules-6.1.12-x86_64-1.txz:  Upgraded.
d/kernel-headers-6.1.12-x86-1.txz:  Upgraded.
d/rust-1.66.1-x86_64-1.txz:  Upgraded.
k/kernel-source-6.1.12-noarch-1.txz:  Upgraded.
kde/bluedevil-5.27.0-x86_64-1.txz:  Upgraded.
kde/breeze-5.27.0-x86_64-1.txz:  Upgraded.
kde/breeze-grub-5.27.0-x86_64-1.txz:  Upgraded.
kde/breeze-gtk-5.27.0-x86_64-1.txz:  Upgraded.
kde/drkonqi-5.27.0-x86_64-1.txz:  Upgraded.
kde/kactivitymanagerd-5.27.0-x86_64-1.txz:  Upgraded.
kde/kde-cli-tools-5.27.0-x86_64-1.txz:  Upgraded.
kde/kde-gtk-config-5.27.0-x86_64-1.txz:  Upgraded.
kde/kdecoration-5.27.0-x86_64-1.txz:  Upgraded.
kde/kdeplasma-addons-5.27.0-x86_64-1.txz:  Upgraded.
kde/kgamma5-5.27.0-x86_64-1.txz:  Upgraded.
kde/khotkeys-5.27.0-x86_64-1.txz:  Upgraded.
kde/kinfocenter-5.27.0-x86_64-1.txz:  Upgraded.
kde/kmenuedit-5.27.0-x86_64-1.txz:  Upgraded.
kde/kpipewire-5.27.0-x86_64-1.txz:  Upgraded.
kde/kscreen-5.27.0-x86_64-1.txz:  Upgraded.
kde/kscreenlocker-5.27.0-x86_64-1.txz:  Upgraded.
kde/ksshaskpass-5.27.0-x86_64-1.txz:  Upgraded.
kde/ksystemstats-5.27.0-x86_64-1.txz:  Upgraded.
kde/kwallet-pam-5.27.0-x86_64-1.txz:  Upgraded.
kde/kwayland-integration-5.27.0-x86_64-1.txz:  Upgraded.
kde/kwin-5.27.0-x86_64-1.txz:  Upgraded.
kde/kwrited-5.27.0-x86_64-1.txz:  Upgraded.
kde/layer-shell-qt-5.27.0-x86_64-1.txz:  Upgraded.
kde/libkscreen-5.27.0-x86_64-1.txz:  Upgraded.
kde/libksysguard-5.27.0-x86_64-1.txz:  Upgraded.
kde/milou-5.27.0-x86_64-1.txz:  Upgraded.
kde/oxygen-5.27.0-x86_64-1.txz:  Upgraded.
kde/oxygen-sounds-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-browser-integration-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-desktop-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-disks-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-firewall-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-integration-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-nm-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-pa-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-sdk-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-systemmonitor-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-vault-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-workspace-5.27.0-x86_64-1.txz:  Upgraded.
kde/plasma-workspace-wallpapers-5.27.0-x86_64-1.txz:  Upgraded.
kde/polkit-kde-agent-1-5.27.0-x86_64-1.txz:  Upgraded.
kde/powerdevil-5.27.0-x86_64-1.txz:  Upgraded.
kde/qqc2-breeze-style-5.27.0-x86_64-1.txz:  Upgraded.
kde/sddm-kcm-5.27.0-x86_64-1.txz:  Upgraded.
kde/systemsettings-5.27.0-x86_64-1.txz:  Upgraded.
kde/xdg-desktop-portal-kde-5.27.0-x86_64-1.txz:  Upgraded.
l/mozjs102-102.8.0esr-x86_64-1.txz:  Upgraded.
n/php-7.4.33-x86_64-3.txz:  Rebuilt.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
xap/mozilla-firefox-110.0-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/110.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
    https://www.cve.org/CVERecord?id=CVE-2023-25728
    https://www.cve.org/CVERecord?id=CVE-2023-25730
    https://www.cve.org/CVERecord?id=CVE-2023-25743
    https://www.cve.org/CVERecord?id=CVE-2023-0767
    https://www.cve.org/CVERecord?id=CVE-2023-25735
    https://www.cve.org/CVERecord?id=CVE-2023-25737
    https://www.cve.org/CVERecord?id=CVE-2023-25738
    https://www.cve.org/CVERecord?id=CVE-2023-25739
    https://www.cve.org/CVERecord?id=CVE-2023-25729
    https://www.cve.org/CVERecord?id=CVE-2023-25732
    https://www.cve.org/CVERecord?id=CVE-2023-25734
    https://www.cve.org/CVERecord?id=CVE-2023-25740
    https://www.cve.org/CVERecord?id=CVE-2023-25731
    https://www.cve.org/CVERecord?id=CVE-2023-25733
    https://www.cve.org/CVERecord?id=CVE-2023-25736
    https://www.cve.org/CVERecord?id=CVE-2023-25741
    https://www.cve.org/CVERecord?id=CVE-2023-25742
    https://www.cve.org/CVERecord?id=CVE-2023-25744
    https://www.cve.org/CVERecord?id=CVE-2023-25745
  (* Security fix *)
extra/php80/php80-8.0.28-x86_64-1.txz:  Upgraded.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
extra/php81/php81-8.1.16-x86_64-1.txz:  Upgraded.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
testing/packages/rust-1.67.1-x86_64-1.txz:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.

4 files changed, 619 insertions, 1 deletions

diff --git a/source/n/php/CVE-2023-0567.patch b/source/n/php/CVE-2023-0567.patch
new file mode 100644
index 000000000..78defd92b
--- /dev/null
+++ b/source/n/php/CVE-2023-0567.patch
@@ -0,0 +1,142 @@
+From 7882d12ff2d8d8c5a4af821464e0a5ac2cde2002 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
+Date: Mon, 23 Jan 2023 21:15:24 +0100
+Subject: [PATCH] crypt: Fix validation of malformed BCrypt hashes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PHP’s implementation of crypt_blowfish differs from the upstream Openwall
+version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
+by including a `$` character within the characters that represent the salt.
+
+Hashes that are affected by the “PHP Hack” may erroneously validate any
+password as valid when used with `password_verify` and when comparing the
+return value of `crypt()` against the input.
+
+The PHP Hack exists since the first version of PHP’s own crypt_blowfish
+implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
+
+No clear reason is given for the PHP Hack’s existence. This commit removes it,
+because BCrypt hashes containing a `$` character in their salt are not valid
+BCrypt hashes.
+---
+ ext/standard/crypt_blowfish.c                 |  8 --
+ .../tests/crypt/bcrypt_salt_dollar.phpt       | 82 +++++++++++++++++++
+ 2 files changed, 82 insertions(+), 8 deletions(-)
+ create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+
+diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
+index 3806a290aee4..351d40308089 100644
+--- a/ext/standard/crypt_blowfish.c
++++ b/ext/standard/crypt_blowfish.c
+@@ -371,7 +371,6 @@ static const unsigned char BF_atoi64[0x60] = {
+ #define BF_safe_atoi64(dst, src) \
+ { \
+ 	tmp = (unsigned char)(src); \
+-	if (tmp == '$') break; /* PHP hack */ \
+ 	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+ 	tmp = BF_atoi64[tmp]; \
+ 	if (tmp > 63) return -1; \
+@@ -399,13 +398,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
+ 		*dptr++ = ((c3 & 0x03) << 6) | c4;
+ 	} while (dptr < end);
+ 
+-	if (end - dptr == size) {
+-		return -1;
+-	}
+-
+-	while (dptr < end) /* PHP hack */
+-		*dptr++ = 0;
+-
+ 	return 0;
+ }
+ 
+diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+new file mode 100644
+index 000000000000..32e335f4b087
+--- /dev/null
++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+@@ -0,0 +1,82 @@
++--TEST--
++bcrypt correctly rejects salts containing $
++--FILE--
++<?php
++for ($i = 0; $i < 23; $i++) {
++	$salt = '$2y$04$' . str_repeat('0', $i) . '$';
++	$result = crypt("foo", $salt);
++	var_dump($salt);
++	var_dump($result);
++	var_dump($result === $salt);
++}
++?>
++--EXPECT--
++string(8) "$2y$04$$"
++string(2) "*0"
++bool(false)
++string(9) "$2y$04$0$"
++string(2) "*0"
++bool(false)
++string(10) "$2y$04$00$"
++string(2) "*0"
++bool(false)
++string(11) "$2y$04$000$"
++string(2) "*0"
++bool(false)
++string(12) "$2y$04$0000$"
++string(2) "*0"
++bool(false)
++string(13) "$2y$04$00000$"
++string(2) "*0"
++bool(false)
++string(14) "$2y$04$000000$"
++string(2) "*0"
++bool(false)
++string(15) "$2y$04$0000000$"
++string(2) "*0"
++bool(false)
++string(16) "$2y$04$00000000$"
++string(2) "*0"
++bool(false)
++string(17) "$2y$04$000000000$"
++string(2) "*0"
++bool(false)
++string(18) "$2y$04$0000000000$"
++string(2) "*0"
++bool(false)
++string(19) "$2y$04$00000000000$"
++string(2) "*0"
++bool(false)
++string(20) "$2y$04$000000000000$"
++string(2) "*0"
++bool(false)
++string(21) "$2y$04$0000000000000$"
++string(2) "*0"
++bool(false)
++string(22) "$2y$04$00000000000000$"
++string(2) "*0"
++bool(false)
++string(23) "$2y$04$000000000000000$"
++string(2) "*0"
++bool(false)
++string(24) "$2y$04$0000000000000000$"
++string(2) "*0"
++bool(false)
++string(25) "$2y$04$00000000000000000$"
++string(2) "*0"
++bool(false)
++string(26) "$2y$04$000000000000000000$"
++string(2) "*0"
++bool(false)
++string(27) "$2y$04$0000000000000000000$"
++string(2) "*0"
++bool(false)
++string(28) "$2y$04$00000000000000000000$"
++string(2) "*0"
++bool(false)
++string(29) "$2y$04$000000000000000000000$"
++string(2) "*0"
++bool(false)
++string(30) "$2y$04$0000000000000000000000$"
++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
++bool(false)
diff --git a/source/n/php/CVE-2023-0568.patch b/source/n/php/CVE-2023-0568.patch
new file mode 100644
index 000000000..3b8440926
--- /dev/null
+++ b/source/n/php/CVE-2023-0568.patch
@@ -0,0 +1,62 @@
+From c0fceebfa195b8e56a7108cb731b5ea7afbef70c Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Fri, 27 Jan 2023 19:28:27 +0100
+Subject: [PATCH] Fix array overrun when appending slash to paths
+
+Fix it by extending the array sizes by one character. As the input is
+limited to the maximum path length, there will always be place to append
+the slash. As the php_check_specific_open_basedir() simply uses the
+strings to compare against each other, no new failures related to too
+long paths are introduced.
+We'll let the DOM and XML case handle a potentially too long path in the
+library code.
+---
+ ext/dom/document.c            | 2 +-
+ ext/xmlreader/php_xmlreader.c | 2 +-
+ main/fopen_wrappers.c         | 6 +++---
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index 4dee5548f188..c60198a3be11 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1182,7 +1182,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
+ 	int validate, recover, resolve_externals, keep_blanks, substitute_ent;
+ 	int resolved_path_len;
+ 	int old_error_reporting = 0;
+-	char *directory=NULL, resolved_path[MAXPATHLEN];
++	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ 
+ 	if (id != NULL) {
+ 		intern = Z_DOMOBJ_P(id);
+diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
+index c17884d960cb..39141c8c1223 100644
+--- a/ext/xmlreader/php_xmlreader.c
++++ b/ext/xmlreader/php_xmlreader.c
+@@ -1017,7 +1017,7 @@ PHP_METHOD(XMLReader, XML)
+ 	xmlreader_object *intern = NULL;
+ 	char *source, *uri = NULL, *encoding = NULL;
+ 	int resolved_path_len, ret = 0;
+-	char *directory=NULL, resolved_path[MAXPATHLEN];
++	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ 	xmlParserInputBufferPtr inputbfr;
+ 	xmlTextReaderPtr reader;
+ 
+diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
+index f6ce26e104be..12cc9c8b10c0 100644
+--- a/main/fopen_wrappers.c
++++ b/main/fopen_wrappers.c
+@@ -129,10 +129,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
+ */
+ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
+ {
+-	char resolved_name[MAXPATHLEN];
+-	char resolved_basedir[MAXPATHLEN];
++	char resolved_name[MAXPATHLEN + 1];
++	char resolved_basedir[MAXPATHLEN + 1];
+ 	char local_open_basedir[MAXPATHLEN];
+-	char path_tmp[MAXPATHLEN];
++	char path_tmp[MAXPATHLEN + 1];
+ 	char *path_file;
+ 	size_t resolved_basedir_len;
+ 	size_t resolved_name_len;
diff --git a/source/n/php/CVE-2023-0662.patch b/source/n/php/CVE-2023-0662.patch
new file mode 100644
index 000000000..e9cada2c9
--- /dev/null
+++ b/source/n/php/CVE-2023-0662.patch
@@ -0,0 +1,411 @@
+From 716de0cff539f46294ef70fe75d548cd66766370 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 19 Jan 2023 14:31:25 +0000
+Subject: [PATCH] Introduce max_multipart_body_parts INI
+
+This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
+parsed multipart body parts as currently all parts were always parsed.
+---
+ main/main.c                                   |   1 +
+ main/rfc1867.c                                |  11 ++
+ ...-54hq-v5wp-fqgv-max-body-parts-custom.phpt |  53 +++++++++
+ ...54hq-v5wp-fqgv-max-body-parts-default.phpt |  54 +++++++++
+ .../ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt |  52 +++++++++
+ sapi/fpm/tests/tester.inc                     | 106 +++++++++++++++---
+ 6 files changed, 262 insertions(+), 15 deletions(-)
+ create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt
+ create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt
+ create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt
+
+diff --git a/main/main.c b/main/main.c
+index 40684f32dc14..c58ea58bf5ac 100644
+--- a/main/main.c
++++ b/main/main.c
+@@ -751,6 +751,7 @@ PHP_INI_BEGIN()
+ 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
+ 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+ 	PHP_INI_ENTRY("max_file_uploads",			"20",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
++	PHP_INI_ENTRY("max_multipart_body_parts",	"-1",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
+ 
+ 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,		core_globals)
+ 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,		core_globals)
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index b43cfae5a1e2..3086e8da3dbe 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -687,6 +687,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 	void *event_extra_data = NULL;
+ 	unsigned int llen = 0;
+ 	int upload_cnt = INI_INT("max_file_uploads");
++	int body_parts_cnt = INI_INT("max_multipart_body_parts");
+ 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
+ 	php_rfc1867_getword_t getword;
+ 	php_rfc1867_getword_conf_t getword_conf;
+@@ -708,6 +709,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 		return;
+ 	}
+ 
++	if (body_parts_cnt < 0) {
++		body_parts_cnt = PG(max_input_vars) + upload_cnt;
++	}
++	int body_parts_limit = body_parts_cnt;
++
+ 	/* Get the boundary */
+ 	boundary = strstr(content_type_dup, "boundary");
+ 	if (!boundary) {
+@@ -792,6 +798,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 			char *pair = NULL;
+ 			int end = 0;
+ 
++			if (--body_parts_cnt < 0) {
++				php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
++				goto fileupload_done;
++			}
++
+ 			while (isspace(*cd)) {
+ 				++cd;
+ 			}
+#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt
+#new file mode 100644
+#index 000000000000..d2239ac3c410
+#--- /dev/null
+#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt
+#@@ -0,0 +1,53 @@
+#+--TEST--
+#+FPM: GHSA-54hq-v5wp-fqgv - max_multipart_body_parts ini custom value
+#+--SKIPIF--
+#+<?php include "skipif.inc"; ?>
+#+--FILE--
+#+<?php
+#+
+#+require_once "tester.inc";
+#+
+#+$cfg = <<<EOT
+#+[global]
+#+error_log = {{FILE:LOG}}
+#+[unconfined]
+#+listen = {{ADDR}}
+#+pm = dynamic
+#+pm.max_children = 5
+#+pm.start_servers = 1
+#+pm.min_spare_servers = 1
+#+pm.max_spare_servers = 3
+#+php_admin_value[html_errors] = false
+#+php_admin_value[max_input_vars] = 20
+#+php_admin_value[max_file_uploads] = 5
+#+php_admin_value[max_multipart_body_parts] = 10
+#+php_flag[display_errors] = On
+#+EOT;
+#+
+#+$code = <<<EOT
+#+<?php
+#+var_dump(count(\$_POST));
+#+EOT;
+#+
+#+$tester = new FPM\Tester($cfg, $code);
+#+$tester->start();
+#+$tester->expectLogStartNotices();
+#+echo $tester
+#+    ->request(stdin: [
+#+        'parts' => [
+#+            'count' => 30,
+#+        ]
+#+    ])
+#+    ->getBody();
+#+$tester->terminate();
+#+$tester->close();
+#+
+#+?>
+#+--EXPECT--
+#+Warning: Unknown: Multipart body parts limit exceeded 10. To increase the limit change max_multipart_body_parts in php.ini. in Unknown on line 0
+#+int(10)
+#+--CLEAN--
+#+<?php
+#+require_once "tester.inc";
+#+FPM\Tester::clean();
+#+?>
+#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt
+#new file mode 100644
+#index 000000000000..42b5afbf9ee7
+#--- /dev/null
+#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt
+#@@ -0,0 +1,54 @@
+#+--TEST--
+#+FPM: GHSA-54hq-v5wp-fqgv - max_multipart_body_parts ini default
+#+--SKIPIF--
+#+<?php include "skipif.inc"; ?>
+#+--FILE--
+#+<?php
+#+
+#+require_once "tester.inc";
+#+
+#+$cfg = <<<EOT
+#+[global]
+#+error_log = {{FILE:LOG}}
+#+[unconfined]
+#+listen = {{ADDR}}
+#+pm = dynamic
+#+pm.max_children = 5
+#+pm.start_servers = 1
+#+pm.min_spare_servers = 1
+#+pm.max_spare_servers = 3
+#+php_admin_value[html_errors] = false
+#+php_admin_value[max_input_vars] = 20
+#+php_admin_value[max_file_uploads] = 5
+#+php_flag[display_errors] = On
+#+EOT;
+#+
+#+$code = <<<EOT
+#+<?php
+#+var_dump(count(\$_POST));
+#+EOT;
+#+
+#+$tester = new FPM\Tester($cfg, $code);
+#+$tester->start();
+#+$tester->expectLogStartNotices();
+#+echo $tester
+#+    ->request(stdin: [
+#+        'parts' => [
+#+            'count' => 30,
+#+        ]
+#+    ])
+#+    ->getBody();
+#+$tester->terminate();
+#+$tester->close();
+#+
+#+?>
+#+--EXPECT--
+#+Warning: Unknown: Input variables exceeded 20. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
+#+
+#+Warning: Unknown: Multipart body parts limit exceeded 25. To increase the limit change max_multipart_body_parts in php.ini. in Unknown on line 0
+#+int(20)
+#+--CLEAN--
+#+<?php
+#+require_once "tester.inc";
+#+FPM\Tester::clean();
+#+?>
+#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt
+#new file mode 100644
+#index 000000000000..da81174c7280
+#--- /dev/null
+#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt
+#@@ -0,0 +1,52 @@
+#+--TEST--
+#+FPM: GHSA-54hq-v5wp-fqgv - exceeding max_file_uploads
+#+--SKIPIF--
+#+<?php include "skipif.inc"; ?>
+#+--FILE--
+#+<?php
+#+
+#+require_once "tester.inc";
+#+
+#+$cfg = <<<EOT
+#+[global]
+#+error_log = {{FILE:LOG}}
+#+[unconfined]
+#+listen = {{ADDR}}
+#+pm = dynamic
+#+pm.max_children = 5
+#+pm.start_servers = 1
+#+pm.min_spare_servers = 1
+#+pm.max_spare_servers = 3
+#+php_admin_value[html_errors] = false
+#+php_admin_value[max_file_uploads] = 5
+#+php_flag[display_errors] = On
+#+EOT;
+#+
+#+$code = <<<EOT
+#+<?php
+#+var_dump(count(\$_FILES));
+#+EOT;
+#+
+#+$tester = new FPM\Tester($cfg, $code);
+#+$tester->start();
+#+$tester->expectLogStartNotices();
+#+echo $tester
+#+    ->request(stdin: [
+#+        'parts' => [
+#+            'count' => 10,
+#+            'param' => 'filename'
+#+        ]
+#+    ])
+#+    ->getBody();
+#+$tester->terminate();
+#+$tester->close();
+#+
+#+?>
+#+--EXPECT--
+#+Warning: Maximum number of allowable file uploads has been exceeded in Unknown on line 0
+#+int(5)
+#+--CLEAN--
+#+<?php
+#+require_once "tester.inc";
+#+FPM\Tester::clean();
+#+?>
+##diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc
+##index 6197cdba53f5..e51aa0f69143 100644
+##--- a/sapi/fpm/tests/tester.inc
+##+++ b/sapi/fpm/tests/tester.inc
+#@@ -567,13 +567,17 @@ class Tester
+#      * @param string      $query
+#      * @param array       $headers
+#      * @param string|null $uri
+#+     * @param string|null $scriptFilename
+#+     * @param string|null $stdin
+#      *
+#      * @return array
+#      */
+#     private function getRequestParams(
+#         string $query = '',
+#         array $headers = [],
+#-        string $uri = null
+#+        string $uri = null,
+#+        string $scriptFilename = null,
+#+        ?string $stdin = null
+#     ): array {
+#         if (is_null($uri)) {
+#             $uri = $this->makeSourceFile();
+3@@ -582,8 +586,8 @@ class Tester
+#         $params = array_merge(
+#             [
+#                 'GATEWAY_INTERFACE' => 'FastCGI/1.0',
+#-                'REQUEST_METHOD'    => 'GET',
+#-                'SCRIPT_FILENAME'   => $uri,
+#+                'REQUEST_METHOD'    => is_null($stdin) ? 'GET' : 'POST',
+#+                'SCRIPT_FILENAME'   => $scriptFilename ?: $uri,
+#                 'SCRIPT_NAME'       => $uri,
+#                 'QUERY_STRING'      => $query,
+#                 'REQUEST_URI'       => $uri . ($query ? '?' . $query : ""),
+#@@ -597,7 +601,7 @@ class Tester
+#                 'SERVER_PROTOCOL'   => 'HTTP/1.1',
+#                 'DOCUMENT_ROOT'     => __DIR__,
+#                 'CONTENT_TYPE'      => '',
+#-                'CONTENT_LENGTH'    => 0
+#+                'CONTENT_LENGTH'    => strlen($stdin ?? "") // Default to 0
+#             ],
+#             $headers
+#         );
+#@@ -607,20 +611,86 @@ class Tester
+#         });
+#     }
+# 
+#+    /**
+#+     * Parse stdin and generate data for multipart config.
+#+     *
+#+     * @param array $stdin
+#+     * @param array $headers
+#+     *
+#+     * @return void
+#+     * @throws \Exception
+#+     */
+#+    private function parseStdin(array $stdin, array &$headers)
+#+    {
+#+        $parts = $stdin['parts'] ?? null;
+#+        if (empty($parts)) {
+#+            throw new \Exception('The stdin array needs to contain parts');
+#+        }
+#+        $boundary = $stdin['boundary'] ?? 'AaB03x';
+#+        if ( ! isset($headers['CONTENT_TYPE'])) {
+#+            $headers['CONTENT_TYPE'] = 'multipart/form-data; boundary=' . $boundary;
+#+        }
+#+        $count = $parts['count'] ?? null;
+#+        if ( ! is_null($count)) {
+#+            $dispositionType  = $parts['disposition'] ?? 'form-data';
+#+            $dispositionParam = $parts['param'] ?? 'name';
+#+            $namePrefix       = $parts['prefix'] ?? 'f';
+#+            $nameSuffix       = $parts['suffix'] ?? '';
+#+            $value            = $parts['value'] ?? 'test';
+#+            $parts            = [];
+#+            for ($i = 0; $i < $count; $i++) {
+#+                $parts[] = [
+#+                    'disposition' => $dispositionType,
+#+                    'param'       => $dispositionParam,
+#+                    'name'        => "$namePrefix$i$nameSuffix",
+#+                    'value'       => $value
+#+                ];
+#+            }
+#+        }
+#+        $out = '';
+#+        $nl  = "\r\n";
+#+        foreach ($parts as $part) {
+#+            if (!is_array($part)) {
+#+                $part = ['name' => $part];
+#+            } elseif ( ! isset($part['name'])) {
+#+                throw new \Exception('Each part has to have a name');
+#+            }
+#+            $name             = $part['name'];
+#+            $dispositionType  = $part['disposition'] ?? 'form-data';
+#+            $dispositionParam = $part['param'] ?? 'name';
+#+            $value            = $part['value'] ?? 'test';
+#+            $partHeaders          = $part['headers'] ?? [];
+#+
+#+            $out .= "--$boundary$nl";
+#+            $out .= "Content-disposition: $dispositionType; $dispositionParam=\"$name\"$nl";
+#+            foreach ($partHeaders as $headerName => $headerValue) {
+#+                $out .= "$headerName: $headerValue$nl";
+#+            }
+#+            $out .= $nl;
+#+            $out .= "$value$nl";
+#+        }
+#+        $out .= "--$boundary--$nl";
+#+
+#+        return $out;
+#+    }
+#+
+#     /**
+#      * Execute request.
+#      *
+#-     * @param string      $query
+#-     * @param array       $headers
+#-     * @param string|null $uri
+#-     * @param string|null $address
+#-     * @param string|null $successMessage
+#-     * @param string|null $errorMessage
+#-     * @param bool        $connKeepAlive
+#-     * @param bool        $expectError
+#-     * @param int         $readLimit
+#+     * @param string            $query
+#+     * @param array             $headers
+#+     * @param string|null       $uri
+#+     * @param string|null       $address
+#+     * @param string|null       $successMessage
+#+     * @param string|null       $errorMessage
+#+     * @param bool              $connKeepAlive
+#+     * @param string|null       $scriptFilename = null
+#+     * @param string|array|null $stdin          = null
+#+     * @param bool              $expectError
+#+     * @param int               $readLimit
+#      *
+#      * @return Response
+#+     * @throws \Exception
+#      */
+#     public function request(
+#         string $query = '',
+#@@ -630,6 +700,8 @@ class Tester
+#         string $successMessage = null,
+#         string $errorMessage = null,
+#         bool $connKeepAlive = false,
+#+        string $scriptFilename = null,
+#+        string|array $stdin = null,
+#         bool $expectError = false,
+#         int $readLimit = -1,
+#     ): Response {
+#@@ -637,12 +709,16 @@ class Tester
+#             return new Response(null, true);
+#         }
+# 
+#-        $params = $this->getRequestParams($query, $headers, $uri);
+#+        if (is_array($stdin)) {
+#+            $stdin = $this->parseStdin($stdin, $headers);
+#+        }
+#+
+#+        $params = $this->getRequestParams($query, $headers, $uri, $scriptFilename, $stdin);
+#         $this->trace('Request params', $params);
+# 
+#         try {
+#             $this->response = new Response(
+#-                $this->getClient($address, $connKeepAlive)->request_data($params, false, $readLimit)
+#+                $this->getClient($address, $connKeepAlive)->request_data($params, $stdin, $readLimit)
+#             );
+#             if ($expectError) {
+#                 $this->error('Expected request error but the request was successful');
diff --git a/source/n/php/php.SlackBuild b/source/n/php/php.SlackBuild
index 7109f9586..c54694b16 100755
--- a/source/n/php/php.SlackBuild
+++ b/source/n/php/php.SlackBuild
@@ -28,7 +28,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=php
 VERSION=${VERSION:-$(echo php-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
 ALPINE=2.26
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -128,6 +128,9 @@ tar xvf $CWD/php-$VERSION.tar.xz || exit 1
 cd php-$VERSION || exit 1
 
 zcat $CWD/CVE-2022-31631.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2023-0567.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2023-0568.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2023-0662.patch.gz | patch -p1 --verbose || exit 1
 
 # cleanup:
 find . -name "*.orig" -delete