From: Anil Dongare <[email protected]>
Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14178
Type: Security Fix
CVE: CVE-2025-14178
Score: 8.2
Patch: https://github.com/php/php-src/commit/c4268c15e361
Signed-off-by: Anil Dongare <[email protected]>
---
 .../php/php/CVE-2025-14178.patch | 65 +++++++++++++++++++
 meta-oe/recipes-devtools/php/php_8.2.29.bb | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch b/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
new file mode 100644
index 0000000000..46fa8679e8
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
@@ -0,0 +1,65 @@
+From a46c3692d37f8c539b3b00ea4ab7ebc2d7db5507 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <[email protected]>
+Date: Sun, 9 Nov 2025 13:23:11 +0100
+Subject: [PATCH] Fix GHSA-h96m-rvf9-jgm2
+
+CVE: CVE-2025-14178
+Upstream-Status: Backport [https://github.com/php/php-src/commit/c4268c15e361]
+
+(cherry picked from commit c4268c15e361ccd79289a3909f332ab2153f72e7)
+Signed-off-by: Anil Dongare <[email protected]>
+---
+ ext/standard/array.c | 7 ++++++-
+ .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index a1a92934084..30b9a425b20 100644
+--- a/ext/standard/array.c
++++ b/ext/standard/array.c
+@@ -3903,7 +3903,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+ int argc, i;
+ zval *src_entry;
+ HashTable *src, *dest;
+- uint32_t count = 0;
++ uint64_t count = 0;
+
+ ZEND_PARSE_PARAMETERS_START(0, -1)
+ Z_PARAM_VARIADIC('+', args, argc)
+@@ -3923,6 +3923,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+ count += zend_hash_num_elements(Z_ARRVAL_P(arg));
+ }
+
++ if (UNEXPECTED(count >= HT_MAX_SIZE)) {
++ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
++ RETURN_THROWS();
++ }
++
+ if (argc == 2) {
+ zval *ret = NULL;
+
+diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+new file mode 100644
+index 00000000000..2e3e85357e1
+--- /dev/null
++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++GHSA-h96m-rvf9-jgm2
++--FILE--
++<?php
++
++$power = 20; // Chosen to be well within a memory_limit
++$arr = range(0, 2**$power);
++try {
++ array_merge(...array_fill(0, 2**(32-$power), $arr));
++} catch (Error $e) {
++ echo $e->getMessage(), "\n";
++}
++
++?>
++--EXPECTF--
+The total number of elements must be lower than %d
+--
+2.43.7
diff --git a/meta-oe/recipes-devtools/php/php_8.2.29.bb b/meta-oe/recipes-devtools/php/php_8.2.29.bb
index 015d83c291..aa2244ce96 100644
--- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
 file://0010-iconv-fix-detection.patch \
 file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
 file://CVE-2025-14177.patch \
+ file://CVE-2025-14178.patch \
 "
 SRC_URI:append:class-target = " \
--
2.44.1
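Review bot: The new `if (UNEXPECTED(count >= HT_MAX_SIZE))` guard in the backported array.c hunk carries no comment explaining why `count` was widened from `uint32_t` to `uint64_t` and why the limit is enforced at this point, so a later cleanup could narrow the type back and silently reintroduce the wrap the test below exercises (4096 arrays of 2**20+1 elements, a total just past 2**32). Suggest adding above the `if`: `/* Sum in 64 bits: with a 32-bit counter the total wrapped once the inputs exceeded 2^32 elements and the result table was sized far too small; reject anything a HashTable cannot hold before any allocation happens. */`. The downstream use of `count` as the result table's size hint is outside this hunk, so that part of the wording should be confirmed against the lines that follow before committing it. If, as the wrapper's name suggests, `php_array_merge_wrapper` also backs array_merge_recursive, the single check covers both entry points. The enclosing function begins before the first hunk and continues past the second.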
