packages/php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2019-11048

Browse Source
This commit is contained in:
wang_yue111 2020-07-21 15:22:16 +08:00
parent e9e3f967a7
commit 56d59456d5
2 changed files with 44 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
CVE-2019-11048.patch Normal file
View File

@ -0,0 +1,36 @@
From 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 18 Mar 2020 10:26:53 +0100
Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
cleaned
We must not cast `size_t` to `int` (unless the `size_t` value is
guaranteed to be less than or equal to `INT_MAX`). In this case we can
declare `array_len` as `size_t` in the first place.
---
main/rfc1867.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index bd01b34cf070..783eab4175d5 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -692,7 +692,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
char *lbuf = NULL, *abuf = NULL;
zend_string *temp_filename = NULL;
- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
+ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
+ size_t array_len = 0;
int64_t total_bytes = 0, max_file_size = 0;
int skip_upload = 0, anonindex = 0, is_anonymous;
HashTable *uploaded_files = NULL;
@@ -1126,7 +1127,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
if (is_arr_upload) {
- array_len = (int)strlen(start_arr);
+ array_len = strlen(start_arr);
if (array_index) {
efree(array_index);
}

9
php.spec
View File

@ -28,7 +28,7 @@
Name: php Name: php
Version: %{upver}%{?rcver:~%{rcver}} Version: %{upver}%{?rcver:~%{rcver}}
Release: 4 Release: 5
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
URL: http://www.php.net/ URL: http://www.php.net/
@ -91,6 +91,7 @@ Patch6020: CVE-2018-19518.patch
Patch6021: CVE-2019-6977.patch Patch6021: CVE-2019-6977.patch
Patch6022: CVE-2020-7064.patch Patch6022: CVE-2020-7064.patch
Patch6023: CVE-2020-7066.patch Patch6023: CVE-2020-7066.patch
Patch6024: CVE-2019-11048.patch
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -1151,6 +1152,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog %changelog
* Tue Jul 21 2020 wangyue <wangyue92@huawei.com> - 7.2.10-5
- Type:cves
- ID:CVE-2019-11048
- SUG:restart
- DESC:fix CVE-2019-11048
* Fri Apr 24 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.2.10-4 * Fri Apr 24 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.2.10-4
- Type:cves - Type:cves
- ID:CVE-2020-7064 CVE-2020-7066 - ID:CVE-2020-7064 CVE-2020-7066