From: Siddharth Doshi <[email protected]>

Upstream-Status: Backport from 
[https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
CVE: CVE-2023-3824
Signed-off-by: Siddharth Doshi <[email protected]>
---
 .../php/php/CVE-2023-3824.patch               | 91 +++++++++++++++++++
 meta-oe/recipes-devtools/php/php_7.4.33.bb    |  1 +
 2 files changed, 92 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch 
b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch
new file mode 100644
index 000000000..953b5258e
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch
@@ -0,0 +1,91 @@
+From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001
+From: Niels Dossche <[email protected]>
+Date: Mon, 10 Jul 2023 13:25:34 +0200
+Subject: [PATCH] Fix buffer mismanagement in phar_dir_read()
+
+Fixes GHSA-jqcx-ccgc-xwhv.
+
+Upstream-Status: Backport from 
[https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef]
+CVE: CVE-2023-3824
+Signed-off-by: Siddharth Doshi <[email protected]>
+---
+ ext/phar/dirstream.c                    | 15 ++++++++------
+ ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+ create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index 4710703c..490b1452 100644
+--- a/ext/phar/dirstream.c
++++ b/ext/phar/dirstream.c
+@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t 
offset, int whence, zend
+  */
+ static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* 
{{{ */
+ {
+-      size_t to_read;
+       HashTable *data = (HashTable *)stream->abstract;
+       zend_string *str_key;
+       zend_ulong unused;
+ 
++      if (count != sizeof(php_stream_dirent)) {
++              return -1;
++      }
++
+       if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, 
&unused)) {
+               return 0;
+       }
+ 
+       zend_hash_move_forward(data);
+-      to_read = MIN(ZSTR_LEN(str_key), count);
+ 
+-      if (to_read == 0 || count < ZSTR_LEN(str_key)) {
++      php_stream_dirent *dirent = (php_stream_dirent *) buf;
++
++      if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
+               return 0;
+       }
+ 
+-      memset(buf, 0, sizeof(php_stream_dirent));
+-      memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
+-      ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
++      memset(dirent, 0, sizeof(php_stream_dirent));
++      PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), 
ZSTR_LEN(str_key));
+ 
+       return sizeof(php_stream_dirent);
+ }
+diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt 
b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+new file mode 100644
+index 00000000..4e12f05f
+--- /dev/null
++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--INI--
++phar.readonly=0
++--FILE--
++<?php
++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++$phar->startBuffering();
++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the 
content of file 1.');
++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the 
content of file 2.');
++$phar->stopBuffering();
++
++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
++var_dump(strlen(readdir($handle)));
++// Must not be a string of length PHP_MAXPATHLEN+1
++var_dump(readdir($handle));
++closedir($handle);
++?>
++--CLEAN--
++<?php
++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++?>
++--EXPECTF--
++int(%d)
++bool(false)
+-- 
+2.24.4
+
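Review bot: The new length check in phar_dir_read(), `if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) { return 0; }`, runs after `zend_hash_move_forward(data)` and has no comment, so an entry whose name does not fit in `d_name` is consumed and reported with the same 0 the function returns when the table is exhausted. The added test expects `bool(false)` from the second `readdir()`, so this looks intentional, but a caller cannot tell an oversized name from end of directory, and presumably entries after it are never listed. I would document that on the check, e.g. `/* Name plus NUL does not fit in d_name: report end-of-directory rather than truncate or overflow. */`. The `count != sizeof(php_stream_dirent)` guard deserves a similar one-line comment saying that `buf` is always written as a whole `php_stream_dirent`, since that is what makes the later `memset` and `PHP_STRLCPY` bounds safe.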
diff --git a/meta-oe/recipes-devtools/php/php_7.4.33.bb 
b/meta-oe/recipes-devtools/php/php_7.4.33.bb
index cde482079..2a82d62ca 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.33.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
            file://debian-php-fixheader.patch \
            file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
            file://0001-php.m4-don-t-unset-cache-variables.patch \
+           file://CVE-2023-3824.patch \
           "
 
 SRC_URI_append_class-target = " \
-- 
2.34.1
