141 lines
4.9 KiB
Diff
141 lines
4.9 KiB
Diff
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
|
|
index ba76a9b0e0..52c973d7c4 100644
|
|
--- a/ext/phar/phar.c
|
|
+++ b/ext/phar/phar.c
|
|
@@ -1575,7 +1575,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
const char zip_magic[] = "PK\x03\x04";
|
|
const char gz_magic[] = "\x1f\x8b\x08";
|
|
const char bz_magic[] = "BZh";
|
|
- char *pos, test = '\0';
|
|
+ char *pos;
|
|
+ int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
|
|
const int window_size = 1024;
|
|
char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
|
|
const zend_long readsize = sizeof(buffer) - sizeof(token);
|
|
@@ -1603,8 +1604,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
|
|
}
|
|
|
|
- if (!test) {
|
|
- test = '\1';
|
|
+ if (recursion_count) {
|
|
pos = buffer+tokenlen;
|
|
if (!memcmp(pos, gz_magic, 3)) {
|
|
char err = 0;
|
|
@@ -1664,7 +1664,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
compression = PHAR_FILE_COMPRESSED_GZ;
|
|
|
|
/* now, start over */
|
|
- test = '\0';
|
|
+ if (!--recursion_count) {
|
|
+ MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
|
|
+ break;
|
|
+ }
|
|
continue;
|
|
} else if (!memcmp(pos, bz_magic, 3)) {
|
|
php_stream_filter *filter;
|
|
@@ -1702,7 +1705,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
compression = PHAR_FILE_COMPRESSED_BZ2;
|
|
|
|
/* now, start over */
|
|
- test = '\0';
|
|
+ if (!--recursion_count) {
|
|
+ MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
|
|
+ break;
|
|
+ }
|
|
continue;
|
|
}
|
|
|
|
From 8fad7bf40e1b5bf74f308eb882b1d72987ef539c Mon Sep 17 00:00:00 2001
|
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
|
Date: Tue, 27 Sep 2022 17:43:40 +0200
|
|
Subject: [PATCH] Fix regression introduced by fixing bug 81726
|
|
|
|
When a tar phar is created, `phar_open_from_fp()` is also called, but
|
|
since the file has just been created, none of the format checks can
|
|
succeed, so we continue to loop, but must not check again for the
|
|
format. Therefore, we bring back the old `test` variable.
|
|
|
|
Closes GH-9620.
|
|
|
|
(cherry picked from commit 432bf196d59bcb661fcf9cb7029cea9b43f490af)
|
|
---
|
|
ext/phar/phar.c | 7 +++++--
|
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
|
|
index 52c973d7c4..534af318f4 100644
|
|
--- a/ext/phar/phar.c
|
|
+++ b/ext/phar/phar.c
|
|
@@ -1575,7 +1575,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
const char zip_magic[] = "PK\x03\x04";
|
|
const char gz_magic[] = "\x1f\x8b\x08";
|
|
const char bz_magic[] = "BZh";
|
|
- char *pos;
|
|
+ char *pos, test = '\0';
|
|
int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
|
|
const int window_size = 1024;
|
|
char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
|
|
@@ -1604,7 +1604,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
|
|
}
|
|
|
|
- if (recursion_count) {
|
|
+ if (!test && recursion_count) {
|
|
+ test = '\1';
|
|
pos = buffer+tokenlen;
|
|
if (!memcmp(pos, gz_magic, 3)) {
|
|
char err = 0;
|
|
@@ -1664,6 +1665,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
compression = PHAR_FILE_COMPRESSED_GZ;
|
|
|
|
/* now, start over */
|
|
+ test = '\0';
|
|
if (!--recursion_count) {
|
|
MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
|
|
break;
|
|
@@ -1705,6 +1707,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
|
|
compression = PHAR_FILE_COMPRESSED_BZ2;
|
|
|
|
/* now, start over */
|
|
+ test = '\0';
|
|
if (!--recursion_count) {
|
|
MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
|
|
break;
|
|
--
|
|
2.37.3
|
|
|
|
From 9d32d284b25f5df75780911a47b3c23cbaac1761 Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@remirepo.net>
|
|
Date: Fri, 30 Sep 2022 09:22:14 +0200
|
|
Subject: [PATCH] fix NEWS
|
|
|
|
---
|
|
NEWS | 8 +++++---
|
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index fe4cb9c484..b7a19aea19 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -1,14 +1,16 @@
|
|
PHP NEWS
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
-Backported from 7.4.31
|
|
+Backported from 7.4.32
|
|
|
|
- Core:
|
|
- . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
|
|
- (CVE-2022-31628). (cmb)
|
|
. Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
|
|
that have a specific semantic meaning. (CVE-2022-31629). (Derick)
|
|
|
|
+- Phar:
|
|
+ . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
|
|
+ (CVE-2022-31628). (cmb)
|
|
+
|
|
Backported from 7.4.30
|
|
|
|
- mysqlnd:
|
