author | Patrick J Volkerding <volkerdi@slackware.com> | 2023-02-15 03:05:40 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2023-02-15 06:50:13 +0100 |
commit | 88d937fb4e8fcda2688596b4c6dc5b24d275eb8d (patch) | |
tree | b67ee802224a725920c55c03054f15f35e5b4466 /source/n | |
parent | 52ac228489887839cc3e509c21dc80b138bb98ed (diff) | |
download | current-88d937fb4e8fcda2688596b4c6dc5b24d275eb8d.tar.gz current-88d937fb4e8fcda2688596b4c6dc5b24d275eb8d.tar.xz |
Wed Feb 15 03:05:40 UTC 2023 20230215030540
a/kernel-firmware-20230214_a253a37-noarch-1.txz: Upgraded.
a/kernel-generic-6.1.12-x86_64-1.txz: Upgraded.
a/kernel-huge-6.1.12-x86_64-1.txz: Upgraded.
a/kernel-modules-6.1.12-x86_64-1.txz: Upgraded.
d/kernel-headers-6.1.12-x86-1.txz: Upgraded.
d/rust-1.66.1-x86_64-1.txz: Upgraded.
k/kernel-source-6.1.12-noarch-1.txz: Upgraded.
kde/bluedevil-5.27.0-x86_64-1.txz: Upgraded.
kde/breeze-5.27.0-x86_64-1.txz: Upgraded.
kde/breeze-grub-5.27.0-x86_64-1.txz: Upgraded.
kde/breeze-gtk-5.27.0-x86_64-1.txz: Upgraded.
kde/drkonqi-5.27.0-x86_64-1.txz: Upgraded.
kde/kactivitymanagerd-5.27.0-x86_64-1.txz: Upgraded.
kde/kde-cli-tools-5.27.0-x86_64-1.txz: Upgraded.
kde/kde-gtk-config-5.27.0-x86_64-1.txz: Upgraded.
kde/kdecoration-5.27.0-x86_64-1.txz: Upgraded.
kde/kdeplasma-addons-5.27.0-x86_64-1.txz: Upgraded.
kde/kgamma5-5.27.0-x86_64-1.txz: Upgraded.
kde/khotkeys-5.27.0-x86_64-1.txz: Upgraded.
kde/kinfocenter-5.27.0-x86_64-1.txz: Upgraded.
kde/kmenuedit-5.27.0-x86_64-1.txz: Upgraded.
kde/kpipewire-5.27.0-x86_64-1.txz: Upgraded.
kde/kscreen-5.27.0-x86_64-1.txz: Upgraded.
kde/kscreenlocker-5.27.0-x86_64-1.txz: Upgraded.
kde/ksshaskpass-5.27.0-x86_64-1.txz: Upgraded.
kde/ksystemstats-5.27.0-x86_64-1.txz: Upgraded.
kde/kwallet-pam-5.27.0-x86_64-1.txz: Upgraded.
kde/kwayland-integration-5.27.0-x86_64-1.txz: Upgraded.
kde/kwin-5.27.0-x86_64-1.txz: Upgraded.
kde/kwrited-5.27.0-x86_64-1.txz: Upgraded.
kde/layer-shell-qt-5.27.0-x86_64-1.txz: Upgraded.
kde/libkscreen-5.27.0-x86_64-1.txz: Upgraded.
kde/libksysguard-5.27.0-x86_64-1.txz: Upgraded.
kde/milou-5.27.0-x86_64-1.txz: Upgraded.
kde/oxygen-5.27.0-x86_64-1.txz: Upgraded.
kde/oxygen-sounds-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-browser-integration-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-desktop-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-disks-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-firewall-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-integration-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-nm-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-pa-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-sdk-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-systemmonitor-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-vault-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-workspace-5.27.0-x86_64-1.txz: Upgraded.
kde/plasma-workspace-wallpapers-5.27.0-x86_64-1.txz: Upgraded.
kde/polkit-kde-agent-1-5.27.0-x86_64-1.txz: Upgraded.
kde/powerdevil-5.27.0-x86_64-1.txz: Upgraded.
kde/qqc2-breeze-style-5.27.0-x86_64-1.txz: Upgraded.
kde/sddm-kcm-5.27.0-x86_64-1.txz: Upgraded.
kde/systemsettings-5.27.0-x86_64-1.txz: Upgraded.
kde/xdg-desktop-portal-kde-5.27.0-x86_64-1.txz: Upgraded.
l/mozjs102-102.8.0esr-x86_64-1.txz: Upgraded.
n/php-7.4.33-x86_64-3.txz: Rebuilt.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
xap/mozilla-firefox-110.0-x86_64-1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/110.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
https://www.cve.org/CVERecord?id=CVE-2023-25728
https://www.cve.org/CVERecord?id=CVE-2023-25730
https://www.cve.org/CVERecord?id=CVE-2023-25743
https://www.cve.org/CVERecord?id=CVE-2023-0767
https://www.cve.org/CVERecord?id=CVE-2023-25735
https://www.cve.org/CVERecord?id=CVE-2023-25737
https://www.cve.org/CVERecord?id=CVE-2023-25738
https://www.cve.org/CVERecord?id=CVE-2023-25739
https://www.cve.org/CVERecord?id=CVE-2023-25729
https://www.cve.org/CVERecord?id=CVE-2023-25732
https://www.cve.org/CVERecord?id=CVE-2023-25734
https://www.cve.org/CVERecord?id=CVE-2023-25740
https://www.cve.org/CVERecord?id=CVE-2023-25731
https://www.cve.org/CVERecord?id=CVE-2023-25733
https://www.cve.org/CVERecord?id=CVE-2023-25736
https://www.cve.org/CVERecord?id=CVE-2023-25741
https://www.cve.org/CVERecord?id=CVE-2023-25742
https://www.cve.org/CVERecord?id=CVE-2023-25744
https://www.cve.org/CVERecord?id=CVE-2023-25745
(* Security fix *)
extra/php80/php80-8.0.28-x86_64-1.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
extra/php81/php81-8.1.16-x86_64-1.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
testing/packages/rust-1.67.1-x86_64-1.txz: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/n')
-rw-r--r-- | source/n/php/CVE-2023-0567.patch | 142 |
-rw-r--r-- | source/n/php/CVE-2023-0568.patch | 62 |
-rw-r--r-- | source/n/php/CVE-2023-0662.patch | 411 |
-rwxr-xr-x | source/n/php/php.SlackBuild | 5 |
4 files changed, 619 insertions, 1 deletions
diff --git a/source/n/php/CVE-2023-0567.patch b/source/n/php/CVE-2023-0567.patch new file mode 100644 index 000000000..78defd92b --- /dev/null +++ b/source/n/php/CVE-2023-0567.patch 
@@ -0,0 +1,142 @@ +From 7882d12ff2d8d8c5a4af821464e0a5ac2cde2002 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be> +Date: Mon, 23 Jan 2023 21:15:24 +0100 +Subject: [PATCH] crypt: Fix validation of malformed BCrypt hashes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PHP’s implementation of crypt_blowfish differs from the upstream Openwall +version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt +by including a `$` character within the characters that represent the salt. + +Hashes that are affected by the “PHP Hack” may erroneously validate any +password as valid when used with `password_verify` and when comparing the +return value of `crypt()` against the input. + +The PHP Hack exists since the first version of PHP’s own crypt_blowfish +implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5. + +No clear reason is given for the PHP Hack’s existence. This commit removes it, +because BCrypt hashes containing a `$` character in their salt are not valid +BCrypt hashes. 
+--- + ext/standard/crypt_blowfish.c | 8 -- + .../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++ + 2 files changed, 82 insertions(+), 8 deletions(-) + create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt + +diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c +index 3806a290aee4..351d40308089 100644 +--- a/ext/standard/crypt_blowfish.c ++++ b/ext/standard/crypt_blowfish.c +@@ -371,7 +371,6 @@ static const unsigned char BF_atoi64[0x60] = { + #define BF_safe_atoi64(dst, src) \ + { \ + tmp = (unsigned char)(src); \ +- if (tmp == '$') break; /* PHP hack */ \ + if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ + tmp = BF_atoi64[tmp]; \ + if (tmp > 63) return -1; \ +@@ -399,13 +398,6 @@ static int BF_decode(BF_word *dst, const char *src, int size) + *dptr++ = ((c3 & 0x03) << 6) | c4; + } while (dptr < end); + +- if (end - dptr == size) { +- return -1; +- } +- +- while (dptr < end) /* PHP hack */ +- *dptr++ = 0; +- + return 0; + } + +diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt +new file mode 100644 +index 000000000000..32e335f4b087 +--- /dev/null ++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt +@@ -0,0 +1,82 @@ ++--TEST-- ++bcrypt correctly rejects salts containing $ ++--FILE-- ++<?php ++for ($i = 0; $i < 23; $i++) { ++ $salt = '$2y$04$' . str_repeat('0', $i) . 
'$'; ++ $result = crypt("foo", $salt); ++ var_dump($salt); ++ var_dump($result); ++ var_dump($result === $salt); ++} ++?> ++--EXPECT-- ++string(8) "$2y$04$$" ++string(2) "*0" ++bool(false) ++string(9) "$2y$04$0$" ++string(2) "*0" ++bool(false) ++string(10) "$2y$04$00$" ++string(2) "*0" ++bool(false) ++string(11) "$2y$04$000$" ++string(2) "*0" ++bool(false) ++string(12) "$2y$04$0000$" ++string(2) "*0" ++bool(false) ++string(13) "$2y$04$00000$" ++string(2) "*0" ++bool(false) ++string(14) "$2y$04$000000$" ++string(2) "*0" ++bool(false) ++string(15) "$2y$04$0000000$" ++string(2) "*0" ++bool(false) ++string(16) "$2y$04$00000000$" ++string(2) "*0" ++bool(false) ++string(17) "$2y$04$000000000$" ++string(2) "*0" ++bool(false) ++string(18) "$2y$04$0000000000$" ++string(2) "*0" ++bool(false) ++string(19) "$2y$04$00000000000$" ++string(2) "*0" ++bool(false) ++string(20) "$2y$04$000000000000$" ++string(2) "*0" ++bool(false) ++string(21) "$2y$04$0000000000000$" ++string(2) "*0" ++bool(false) ++string(22) "$2y$04$00000000000000$" ++string(2) "*0" ++bool(false) ++string(23) "$2y$04$000000000000000$" ++string(2) "*0" ++bool(false) ++string(24) "$2y$04$0000000000000000$" ++string(2) "*0" ++bool(false) ++string(25) "$2y$04$00000000000000000$" ++string(2) "*0" ++bool(false) ++string(26) "$2y$04$000000000000000000$" ++string(2) "*0" ++bool(false) ++string(27) "$2y$04$0000000000000000000$" ++string(2) "*0" ++bool(false) ++string(28) "$2y$04$00000000000000000000$" ++string(2) "*0" ++bool(false) ++string(29) "$2y$04$000000000000000000000$" ++string(2) "*0" ++bool(false) ++string(30) "$2y$04$0000000000000000000000$" ++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K" ++bool(false) diff --git a/source/n/php/CVE-2023-0568.patch b/source/n/php/CVE-2023-0568.patch new file mode 100644 index 000000000..3b8440926 --- /dev/null +++ b/source/n/php/CVE-2023-0568.patch 
@@ -0,0 +1,62 @@ +From c0fceebfa195b8e56a7108cb731b5ea7afbef70c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Fri, 27 Jan 2023 19:28:27 +0100 +Subject: [PATCH] Fix array overrun when appending slash to paths + +Fix it by extending the array sizes by one character. As the input is +limited to the maximum path length, there will always be place to append +the slash. As the php_check_specific_open_basedir() simply uses the +strings to compare against each other, no new failures related to too +long paths are introduced. +We'll let the DOM and XML case handle a potentially too long path in the +library code. +--- + ext/dom/document.c | 2 +- + ext/xmlreader/php_xmlreader.c | 2 +- + main/fopen_wrappers.c | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index 4dee5548f188..c60198a3be11 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1182,7 +1182,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so + int validate, recover, resolve_externals, keep_blanks, substitute_ent; + int resolved_path_len; + int old_error_reporting = 0; +- char *directory=NULL, resolved_path[MAXPATHLEN]; ++ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; + + if (id != NULL) { + intern = Z_DOMOBJ_P(id); +diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c +index c17884d960cb..39141c8c1223 100644 +--- a/ext/xmlreader/php_xmlreader.c ++++ b/ext/xmlreader/php_xmlreader.c +@@ -1017,7 +1017,7 @@ PHP_METHOD(XMLReader, XML) + xmlreader_object *intern = NULL; + char *source, *uri = NULL, *encoding = NULL; + int resolved_path_len, ret = 0; +- char *directory=NULL, resolved_path[MAXPATHLEN]; ++ char *directory=NULL, resolved_path[MAXPATHLEN + 1]; + xmlParserInputBufferPtr inputbfr; + xmlTextReaderPtr reader; + +diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c +index f6ce26e104be..12cc9c8b10c0 100644 +--- 
a/main/fopen_wrappers.c ++++ b/main/fopen_wrappers.c +@@ -129,10 +129,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir) + */ + PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path) + { +- char resolved_name[MAXPATHLEN]; +- char resolved_basedir[MAXPATHLEN]; ++ char resolved_name[MAXPATHLEN + 1]; ++ char resolved_basedir[MAXPATHLEN + 1]; + char local_open_basedir[MAXPATHLEN]; +- char path_tmp[MAXPATHLEN]; ++ char path_tmp[MAXPATHLEN + 1]; + char *path_file; + size_t resolved_basedir_len; + size_t resolved_name_len; diff --git a/source/n/php/CVE-2023-0662.patch b/source/n/php/CVE-2023-0662.patch new file mode 100644 index 000000000..e9cada2c9 --- /dev/null +++ b/source/n/php/CVE-2023-0662.patch 
@@ -0,0 +1,411 @@ +From 716de0cff539f46294ef70fe75d548cd66766370 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Thu, 19 Jan 2023 14:31:25 +0000 +Subject: [PATCH] Introduce max_multipart_body_parts INI + +This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of +parsed multipart body parts as currently all parts were always parsed. +--- + main/main.c | 1 + + main/rfc1867.c | 11 ++ + ...-54hq-v5wp-fqgv-max-body-parts-custom.phpt | 53 +++++++++ + ...54hq-v5wp-fqgv-max-body-parts-default.phpt | 54 +++++++++ + .../ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt | 52 +++++++++ + sapi/fpm/tests/tester.inc | 106 +++++++++++++++--- + 6 files changed, 262 insertions(+), 15 deletions(-) + create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt + create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt + create mode 100644 sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt + +diff --git a/main/main.c b/main/main.c +index 40684f32dc14..c58ea58bf5ac 100644 +--- a/main/main.c ++++ b/main/main.c +@@ -751,6 +751,7 @@ PHP_INI_BEGIN() + PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL) ++ PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL) + + STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) + STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) +diff --git a/main/rfc1867.c b/main/rfc1867.c +index b43cfae5a1e2..3086e8da3dbe 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -687,6 +687,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + void *event_extra_data = NULL; + unsigned int llen = 0; + int upload_cnt = INI_INT("max_file_uploads"); ++ int 
body_parts_cnt = INI_INT("max_multipart_body_parts"); + const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(); + php_rfc1867_getword_t getword; + php_rfc1867_getword_conf_t getword_conf; +@@ -708,6 +709,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + return; + } + ++ if (body_parts_cnt < 0) { ++ body_parts_cnt = PG(max_input_vars) + upload_cnt; ++ } ++ int body_parts_limit = body_parts_cnt; ++ + /* Get the boundary */ + boundary = strstr(content_type_dup, "boundary"); + if (!boundary) { +@@ -792,6 +798,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + char *pair = NULL; + int end = 0; + ++ if (--body_parts_cnt < 0) { ++ php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit); ++ goto fileupload_done; ++ } ++ + while (isspace(*cd)) { + ++cd; + } +#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt +#new file mode 100644 +#index 000000000000..d2239ac3c410 +#--- /dev/null +#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-custom.phpt +#@@ -0,0 +1,53 @@ +#+--TEST-- +#+FPM: GHSA-54hq-v5wp-fqgv - max_multipart_body_parts ini custom value +#+--SKIPIF-- +#+<?php include "skipif.inc"; ?> +#+--FILE-- +#+<?php +#+ +#+require_once "tester.inc"; +#+ +#+$cfg = <<<EOT +#+[global] +#+error_log = {{FILE:LOG}} +#+[unconfined] +#+listen = {{ADDR}} +#+pm = dynamic +#+pm.max_children = 5 +#+pm.start_servers = 1 +#+pm.min_spare_servers = 1 +#+pm.max_spare_servers = 3 +#+php_admin_value[html_errors] = false +#+php_admin_value[max_input_vars] = 20 +#+php_admin_value[max_file_uploads] = 5 +#+php_admin_value[max_multipart_body_parts] = 10 +#+php_flag[display_errors] = On +#+EOT; +#+ +#+$code = <<<EOT +#+<?php +#+var_dump(count(\$_POST)); +#+EOT; +#+ +#+$tester = new FPM\Tester($cfg, $code); +#+$tester->start(); 
+#+$tester->expectLogStartNotices(); +#+echo $tester +#+ ->request(stdin: [ +#+ 'parts' => [ +#+ 'count' => 30, +#+ ] +#+ ]) +#+ ->getBody(); +#+$tester->terminate(); +#+$tester->close(); +#+ +#+?> +#+--EXPECT-- +#+Warning: Unknown: Multipart body parts limit exceeded 10. To increase the limit change max_multipart_body_parts in php.ini. in Unknown on line 0 +#+int(10) +#+--CLEAN-- +#+<?php +#+require_once "tester.inc"; +#+FPM\Tester::clean(); +#+?> +#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt +#new file mode 100644 +#index 000000000000..42b5afbf9ee7 +#--- /dev/null +#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-body-parts-default.phpt +#@@ -0,0 +1,54 @@ +#+--TEST-- +#+FPM: GHSA-54hq-v5wp-fqgv - max_multipart_body_parts ini default +#+--SKIPIF-- +#+<?php include "skipif.inc"; ?> +#+--FILE-- +#+<?php +#+ +#+require_once "tester.inc"; +#+ +#+$cfg = <<<EOT +#+[global] +#+error_log = {{FILE:LOG}} +#+[unconfined] +#+listen = {{ADDR}} +#+pm = dynamic +#+pm.max_children = 5 +#+pm.start_servers = 1 +#+pm.min_spare_servers = 1 +#+pm.max_spare_servers = 3 +#+php_admin_value[html_errors] = false +#+php_admin_value[max_input_vars] = 20 +#+php_admin_value[max_file_uploads] = 5 +#+php_flag[display_errors] = On +#+EOT; +#+ +#+$code = <<<EOT +#+<?php +#+var_dump(count(\$_POST)); +#+EOT; +#+ +#+$tester = new FPM\Tester($cfg, $code); +#+$tester->start(); +#+$tester->expectLogStartNotices(); +#+echo $tester +#+ ->request(stdin: [ +#+ 'parts' => [ +#+ 'count' => 30, +#+ ] +#+ ]) +#+ ->getBody(); +#+$tester->terminate(); +#+$tester->close(); +#+ +#+?> +#+--EXPECT-- +#+Warning: Unknown: Input variables exceeded 20. To increase the limit change max_input_vars in php.ini. in Unknown on line 0 +#+ +#+Warning: Unknown: Multipart body parts limit exceeded 25. To increase the limit change max_multipart_body_parts in php.ini. 
in Unknown on line 0 +#+int(20) +#+--CLEAN-- +#+<?php +#+require_once "tester.inc"; +#+FPM\Tester::clean(); +#+?> +#diff --git a/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt +#new file mode 100644 +#index 000000000000..da81174c7280 +#--- /dev/null +#+++ b/sapi/fpm/tests/ghsa-54hq-v5wp-fqgv-max-file-uploads.phpt +#@@ -0,0 +1,52 @@ +#+--TEST-- +#+FPM: GHSA-54hq-v5wp-fqgv - exceeding max_file_uploads +#+--SKIPIF-- +#+<?php include "skipif.inc"; ?> +#+--FILE-- +#+<?php +#+ +#+require_once "tester.inc"; +#+ +#+$cfg = <<<EOT +#+[global] +#+error_log = {{FILE:LOG}} +#+[unconfined] +#+listen = {{ADDR}} +#+pm = dynamic +#+pm.max_children = 5 +#+pm.start_servers = 1 +#+pm.min_spare_servers = 1 +#+pm.max_spare_servers = 3 +#+php_admin_value[html_errors] = false +#+php_admin_value[max_file_uploads] = 5 +#+php_flag[display_errors] = On +#+EOT; +#+ +#+$code = <<<EOT +#+<?php +#+var_dump(count(\$_FILES)); +#+EOT; +#+ +#+$tester = new FPM\Tester($cfg, $code); +#+$tester->start(); +#+$tester->expectLogStartNotices(); +#+echo $tester +#+ ->request(stdin: [ +#+ 'parts' => [ +#+ 'count' => 10, +#+ 'param' => 'filename' +#+ ] +#+ ]) +#+ ->getBody(); +#+$tester->terminate(); +#+$tester->close(); +#+ +#+?> +#+--EXPECT-- +#+Warning: Maximum number of allowable file uploads has been exceeded in Unknown on line 0 +#+int(5) +#+--CLEAN-- +#+<?php +#+require_once "tester.inc"; +#+FPM\Tester::clean(); +#+?> +##diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +##index 6197cdba53f5..e51aa0f69143 100644 +##--- a/sapi/fpm/tests/tester.inc +##+++ b/sapi/fpm/tests/tester.inc +#@@ -567,13 +567,17 @@ class Tester +# * @param string $query +# * @param array $headers +# * @param string|null $uri +#+ * @param string|null $scriptFilename +#+ * @param string|null $stdin +# * +# * @return array +# */ +# private function getRequestParams( +# string $query = '', +# array $headers = [], +#- string $uri = null +#+ string 
$uri = null, +#+ string $scriptFilename = null, +#+ ?string $stdin = null +# ): array { +# if (is_null($uri)) { +# $uri = $this->makeSourceFile(); +3@@ -582,8 +586,8 @@ class Tester +# $params = array_merge( +# [ +# 'GATEWAY_INTERFACE' => 'FastCGI/1.0', +#- 'REQUEST_METHOD' => 'GET', +#- 'SCRIPT_FILENAME' => $uri, +#+ 'REQUEST_METHOD' => is_null($stdin) ? 'GET' : 'POST', +#+ 'SCRIPT_FILENAME' => $scriptFilename ?: $uri, +# 'SCRIPT_NAME' => $uri, +# 'QUERY_STRING' => $query, +# 'REQUEST_URI' => $uri . ($query ? '?' . $query : ""), +#@@ -597,7 +601,7 @@ class Tester +# 'SERVER_PROTOCOL' => 'HTTP/1.1', +# 'DOCUMENT_ROOT' => __DIR__, +# 'CONTENT_TYPE' => '', +#- 'CONTENT_LENGTH' => 0 +#+ 'CONTENT_LENGTH' => strlen($stdin ?? "") // Default to 0 +# ], +# $headers +# ); +#@@ -607,20 +611,86 @@ class Tester +# }); +# } +# +#+ /** +#+ * Parse stdin and generate data for multipart config. +#+ * +#+ * @param array $stdin +#+ * @param array $headers +#+ * +#+ * @return void +#+ * @throws \Exception +#+ */ +#+ private function parseStdin(array $stdin, array &$headers) +#+ { +#+ $parts = $stdin['parts'] ?? null; +#+ if (empty($parts)) { +#+ throw new \Exception('The stdin array needs to contain parts'); +#+ } +#+ $boundary = $stdin['boundary'] ?? 'AaB03x'; +#+ if ( ! isset($headers['CONTENT_TYPE'])) { +#+ $headers['CONTENT_TYPE'] = 'multipart/form-data; boundary=' . $boundary; +#+ } +#+ $count = $parts['count'] ?? null; +#+ if ( ! is_null($count)) { +#+ $dispositionType = $parts['disposition'] ?? 'form-data'; +#+ $dispositionParam = $parts['param'] ?? 'name'; +#+ $namePrefix = $parts['prefix'] ?? 'f'; +#+ $nameSuffix = $parts['suffix'] ?? ''; +#+ $value = $parts['value'] ?? 
'test'; +#+ $parts = []; +#+ for ($i = 0; $i < $count; $i++) { +#+ $parts[] = [ +#+ 'disposition' => $dispositionType, +#+ 'param' => $dispositionParam, +#+ 'name' => "$namePrefix$i$nameSuffix", +#+ 'value' => $value +#+ ]; +#+ } +#+ } +#+ $out = ''; +#+ $nl = "\r\n"; +#+ foreach ($parts as $part) { +#+ if (!is_array($part)) { +#+ $part = ['name' => $part]; +#+ } elseif ( ! isset($part['name'])) { +#+ throw new \Exception('Each part has to have a name'); +#+ } +#+ $name = $part['name']; +#+ $dispositionType = $part['disposition'] ?? 'form-data'; +#+ $dispositionParam = $part['param'] ?? 'name'; +#+ $value = $part['value'] ?? 'test'; +#+ $partHeaders = $part['headers'] ?? []; +#+ +#+ $out .= "--$boundary$nl"; +#+ $out .= "Content-disposition: $dispositionType; $dispositionParam=\"$name\"$nl"; +#+ foreach ($partHeaders as $headerName => $headerValue) { +#+ $out .= "$headerName: $headerValue$nl"; +#+ } +#+ $out .= $nl; +#+ $out .= "$value$nl"; +#+ } +#+ $out .= "--$boundary--$nl"; +#+ +#+ return $out; +#+ } +#+ +# /** +# * Execute request. 
+# * +#- * @param string $query +#- * @param array $headers +#- * @param string|null $uri +#- * @param string|null $address +#- * @param string|null $successMessage +#- * @param string|null $errorMessage +#- * @param bool $connKeepAlive +#- * @param bool $expectError +#- * @param int $readLimit +#+ * @param string $query +#+ * @param array $headers +#+ * @param string|null $uri +#+ * @param string|null $address +#+ * @param string|null $successMessage +#+ * @param string|null $errorMessage +#+ * @param bool $connKeepAlive +#+ * @param string|null $scriptFilename = null +#+ * @param string|array|null $stdin = null +#+ * @param bool $expectError +#+ * @param int $readLimit +# * +# * @return Response +#+ * @throws \Exception +# */ +# public function request( +# string $query = '', +#@@ -630,6 +700,8 @@ class Tester +# string $successMessage = null, +# string $errorMessage = null, +# bool $connKeepAlive = false, +#+ string $scriptFilename = null, +#+ string|array $stdin = null, +# bool $expectError = false, +# int $readLimit = -1, +# ): Response { +#@@ -637,12 +709,16 @@ class Tester +# return new Response(null, true); +# } +# +#- $params = $this->getRequestParams($query, $headers, $uri); +#+ if (is_array($stdin)) { +#+ $stdin = $this->parseStdin($stdin, $headers); +#+ } +#+ +#+ $params = $this->getRequestParams($query, $headers, $uri, $scriptFilename, $stdin); +# $this->trace('Request params', $params); +# +# try { +# $this->response = new Response( +#- $this->getClient($address, $connKeepAlive)->request_data($params, false, $readLimit) +#+ $this->getClient($address, $connKeepAlive)->request_data($params, $stdin, $readLimit) +# ); +# if ($expectError) { +# $this->error('Expected request error but the request was successful'); diff --git a/source/n/php/php.SlackBuild b/source/n/php/php.SlackBuild index 7109f9586..c54694b16 100755 --- a/source/n/php/php.SlackBuild +++ b/source/n/php/php.SlackBuild 
@@ -28,7 +28,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=php VERSION=${VERSION:-$(echo php-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} ALPINE=2.26 -BUILD=${BUILD:-2} +BUILD=${BUILD:-3} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -128,6 +128,9 @@ tar xvf $CWD/php-$VERSION.tar.xz || exit 1 cd php-$VERSION || exit 1 zcat $CWD/CVE-2022-31631.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2023-0567.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2023-0568.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2023-0662.patch.gz | patch -p1 --verbose || exit 1 # cleanup: find . -name "*.orig" -delete |
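Review bot: In CVE-2023-0567.patch, the new test ext/standard/tests/crypt/bcrypt_salt_dollar.phpt only exercises `crypt("foo", $salt)` and compares the result with the salt; it never calls `password_verify`, which the patch description names as one of the two affected paths. Adding a `password_verify("foo", $salt)` check per iteration, expected to be false, would pin both paths. The last expected case (22 salt characters followed by `$`) is the only one that returns a 60-character hash instead of `*0`; a short comment in the test saying that this is the full-length salt case would make the expectation easier to review.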
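Review bot: In CVE-2023-0568.patch, the main/fopen_wrappers.c hunk leaves `char local_open_basedir[MAXPATHLEN];` at its old size while `resolved_name`, `resolved_basedir` and `path_tmp` grow to `MAXPATHLEN + 1`, and nothing in the code says why. Either size it the same way or add a comment stating that the extra byte is reserved for the appended slash and that `local_open_basedir` never has one appended. The same bare `+ 1` in ext/dom/document.c and ext/xmlreader/php_xmlreader.c would benefit from that one-line comment too, so a later cleanup does not remove it.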
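Review bot: In CVE-2023-0662.patch, the main/rfc1867.c hunk computes the default as `body_parts_cnt = PG(max_input_vars) + upload_cnt;` and stores the sum of two configured values in an `int` with no range check; if the sum does not fit, the count can go negative and the first `--body_parts_cnt < 0` test would reject every multipart request. Clamping the sum before the assignment would avoid that. The meaning of the `"-1"` default registered in main/main.c is only visible from this code, so a comment next to the `PHP_INI_ENTRY` line would help. Separately, every sapi/fpm/tests hunk in this patch file is prefixed with `#`, so none of the three new tests nor the tester.inc changes are applied, while the patch header still lists 6 files changed; one hunk header reads `3@@ -582,8 +586,8 @@` instead of `#@@` like its neighbours, which looks like a typo. A note in the patch or in php.SlackBuild on why the tests are disabled, and fixing that stray header, would make this easier to maintain.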
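Review bot: In the php.SlackBuild hunk at line 128, the three new lines read `$CWD/CVE-2023-0567.patch.gz`, `$CWD/CVE-2023-0568.patch.gz` and `$CWD/CVE-2023-0662.patch.gz` through `zcat`, but this commit adds the files as uncompressed `.patch`. That matches the existing `CVE-2022-31631.patch.gz` line, so the compression presumably happens in a packaging step outside this tree; a comment saying so would save the next reader from assuming the build is broken as committed. Also, `zcat ... | patch -p1 --verbose || exit 1` only tests the exit status of `patch`, so a missing or corrupt `.gz` is not caught by `zcat` itself; checking that the file exists before the pipeline would make that failure explicit.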