packages/php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2021-21708

Browse Source
This commit is contained in:
panxiaohe 2022-03-09 19:35:22 +08:00
parent e2e9607e50
commit 5d41b98fe0
2 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-CVE-2021-21708-Fix-81708.patch Normal file
View File

@ -0,0 +1,54 @@
From 82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 31 Jan 2022 15:43:24 +0100
Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints
We must only release the zval, if we actually assign a new zval.
---
ext/filter/logical_filters.c | 2 +-
ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/filter/tests/bug81708.phpt
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 1bf7c00d13c6..95f7a99e34b1 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -436,10 +436,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
switch (is_numeric_string(num, p - num, &lval, &dval, 0)) {
case IS_LONG:
- zval_ptr_dtor(value);
if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) {
goto error;
}
+ zval_ptr_dtor(value);
ZVAL_DOUBLE(value, (double)lval);
break;
case IS_DOUBLE:
diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt
new file mode 100644
index 000000000000..d0036af13682
--- /dev/null
+++ b/ext/filter/tests/bug81708.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #81708 (UAF due to php_filter_float() failing for ints)
+--SKIPIF--
+<?php
+if (!extension_loaded("filter")) die("skip filter extension not available");
+?>
+--INI--
+opcache.enable_cli=0
+--FILE--
+<?php
+$input = "+" . str_repeat("1", 2); // avoid string interning
+filter_var(
+ $input,
+ FILTER_VALIDATE_FLOAT,
+ ["options" => ['min_range' => -1, 'max_range' => 1]]
+);
+var_dump($input);
+?>
+--EXPECT--
+string(3) "+11"

6
php.spec
View File

@ -26,7 +26,7 @@
Name: php Name: php
Version: %{upver}%{?rcver:~%{rcver}} Version: %{upver}%{?rcver:~%{rcver}}
Release: 6 Release: 7
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
License: PHP and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA License: PHP and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
URL: http://www.php.net/ URL: http://www.php.net/
@ -63,6 +63,7 @@ Patch12: backport-0002-CVE-2021-21705.patch
Patch13: backport-CVE-2021-21704.patch Patch13: backport-CVE-2021-21704.patch
Patch14: backport-CVE-2021-21703.patch Patch14: backport-CVE-2021-21703.patch
Patch15: backport-CVE-2021-21707.patch Patch15: backport-CVE-2021-21707.patch
Patch16: backport-CVE-2021-21708-Fix-81708.patch
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -1091,6 +1092,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%{_mandir}/* %{_mandir}/*
%changelog %changelog
* Wed Mar 9 2022 panxiaohe <panxh.life@foxmail.com> - 8.0.0-7
- Fix CVE-2021-21708
* Fri Jan 28 2022 herengui <herengui@uniontech.com> - 8.0.0-6 * Fri Jan 28 2022 herengui <herengui@uniontech.com> - 8.0.0-6
- Fix CVE-2021-21707 - Fix CVE-2021-21707