Fix cves

CVE-2018-19518.patch

@@ -0,0 +1,103 @@
+From 336d2086a9189006909ae06c7e95902d7d5ff77e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 18 Nov 2018 17:10:43 -0800
+Subject: [PATCH] Disable rsh/ssh functionality in imap by default (bug #77153)
+
+---
+ NEWS                         |  4 ++++
+ UPGRADING                    |  7 +++++++
+ ext/imap/php_imap.c          | 17 +++++++++++++++++
+ ext/imap/php_imap.h          |  1 +
+ ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++
+ 5 files changed, 53 insertions(+)
+ create mode 100644 ext/imap/tests/bug77153.phpt
+
+index ec2d8f46ed..52968a3857 100644
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index e1adcf2264..42e7d8611c 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = {
+ };
+ /* }}} */
+ 
++
++/* {{{ PHP_INI
++ */
++PHP_INI_BEGIN()
++STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
++PHP_INI_END()
++/* }}} */
++
++
+ /* {{{ imap_module_entry
+  */
+ zend_module_entry imap_module_entry = {
+@@ -832,6 +841,8 @@ PHP_MINIT_FUNCTION(imap)
+ {
+ 	unsigned long sa_all =	SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
+ 
++	REGISTER_INI_ENTRIES();
++
+ #ifndef PHP_WIN32
+ 	mail_link(&unixdriver);		/* link in the unix driver */
+ 	mail_link(&mhdriver);		/* link in the mh driver */
+@@ -1049,6 +1060,12 @@ PHP_MINIT_FUNCTION(imap)
+ 	GC_TEXTS               texts
+ 	*/
+ 
++	if (!IMAPG(enable_rsh)) {
++		/* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
++		mail_parameters (NIL, SET_RSHTIMEOUT, 0);
++		mail_parameters (NIL, SET_SSHTIMEOUT, 0);
++	}
++
+ 	le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
+ 	return SUCCESS;
+ }
+diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h
+index 7691d1fdd7..556163ed2d 100644
+--- a/ext/imap/php_imap.h
++++ b/ext/imap/php_imap.h
+@@ -231,6 +231,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
+ #endif
+ 	/* php_stream for php_mail_gets() */
+ 	php_stream *gets_stream;
++	zend_bool enable_rsh;
+ ZEND_END_MODULE_GLOBALS(imap)
+ 
+ #ifdef ZTS
+diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt
+new file mode 100644
+index 0000000000..63590aee1d
+--- /dev/null
++++ b/ext/imap/tests/bug77153.phpt
+@@ -0,0 +1,24 @@
++--TEST--                                 
++Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
++--SKIPIF--
++<?php
++        if (!extension_loaded("imap")) { 
++                die("skip imap extension not available");  
++        }
++?>
++--FILE--
++<?php
++$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
++$payloadb64 = base64_encode($payload);
++$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
++@imap_open('{'.$server.':143/imap}INBOX', '', '');
++// clean
++imap_errors();
++var_dump(file_exists(__DIR__ . '/__bug'));
++?>
++--EXPECT--
++bool(false)
++--CLEAN--
++<?php
++if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug');
++?>
+\ No newline at end of file
+-- 
+2.11.0

CVE-2019-6977.patch

@@ -0,0 +1,59 @@
+From a15af81b5f0058e020eda0f109f51a3c863f5212 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sun, 30 Dec 2018 13:59:26 +0100
+Subject: [PATCH] Fix #77270: imagecolormatch Out Of Bounds Write on Heap
+
+At least some of the image reading functions may return images which
+use color indexes greater than or equal to im->colorsTotal.  We cater
+to this by always using a buffer size which is sufficient for
+`gdMaxColors` in `gdImageColorMatch()`.
+
+(cherry picked from commit 7a12dad4dd6c370835b13afae214b240082c7538)
+---
+ NEWS                          |  1 +
+ ext/gd/libgd/gd_color_match.c |  4 ++--
+ ext/gd/tests/bug77270.phpt    | 18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+ create mode 100644 ext/gd/tests/bug77270.phpt
+
+diff --git a/ext/gd/libgd/gd_color_match.c b/ext/gd/libgd/gd_color_match.c
+index a4e56b1c40..e6f539bc75 100644
+--- a/ext/gd/libgd/gd_color_match.c
++++ b/ext/gd/libgd/gd_color_match.c
+@@ -33,8 +33,8 @@ int gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);
+-	memset( buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++	buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * gdMaxColors, 0);
++	memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 
+ 	for (x=0; x<im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {
+diff --git a/ext/gd/tests/bug77270.phpt b/ext/gd/tests/bug77270.phpt
+new file mode 100644
+index 0000000000..1c4555a64d
+--- /dev/null
++++ b/ext/gd/tests/bug77270.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #77270 (imagecolormatch Out Of Bounds Write on Heap)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available');
++if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.5', '<=')) die('skip upstream bugfix has not been released');
++?>
++--FILE--
++<?php
++$img1 = imagecreatetruecolor(0xfff, 0xfff);
++$img2 = imagecreate(0xfff, 0xfff);
++imagecolorallocate($img2, 0, 0, 0);
++imagesetpixel($img2, 0, 0, 255);
++imagecolormatch($img1, $img2);
++?>
++===DONE===
++--EXPECT--
++===DONE===
+-- 
+2.11.0

php.spec

@@ -28,7 +28,7 @@
 
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       2
+Release:       3
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@@ -85,6 +85,10 @@ Patch6016:     CVE-2019-11045.patch
 Patch6017:     CVE-2019-11046.patch
 Patch6018:     CVE-2019-11050.patch
 Patch6019:     CVE-2019-11047.patch
+#git.php.net/?p=php-src.git;a=patch;h=336d2086a9189006909ae06c7e95902d7d5ff77e
+Patch6020:     CVE-2018-19518.patch
+#git.php.net/?p=php-src.git;a=patch;h=a15af81b5f0058e020eda0f109f51a3c863f5212
+Patch6021:     CVE-2019-6977.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -104,7 +108,7 @@ Provides: php-zts = %{version}-%{release}, php-zts%{?_isa} = %{version}-%{releas
 
 Requires: httpd-mmn = %{_httpd_mmn}, php-common%{?_isa} = %{version}-%{release}, php-cli%{?_isa} = %{version}-%{release}
 Provides: mod_php = %{version}-%{release}, php(httpd)
-Recommends: php-fpm%{?_isa} = %{version}-%{release}
+#Recommends: php-fpm%{?_isa} = %{version}-%{release}
 Requires(pre): httpd-filesystem
 
 %description
@@ -527,7 +531,11 @@ The php-sodium package provides a simple,
 low-level PHP extension for the libsodium cryptographic library.
 %endif
 
-%package_help
+%package help
+Summary: help
+
+%description help
+help
 
 %prep
 %autosetup -n php-%{upver}%{?rcver} -p1
@@ -1141,6 +1149,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Mon Mar 16 2020 shijian <shijian16@huawei.com> - 7.2.10-3
+- Type:cves
+- ID:CVE-2018-19518 CVE-2019-6977
+- SUG:restart
+- DESC:fix CVE-2018-19518 CVE-2019-6977
+
 * Thu Mar 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.2.10-2
 - Add CVE patches