!227 [sync] PR-224: fix CVE-2024-8929

From: @openeuler-sync-bot 
Reviewed-by: @fundawang 
Signed-off-by: @fundawang

php-cve-2024-11234.patch

@@ -0,0 +1,118 @@
+From bc1f192102dd8cbda028e40aa31604c4885d387c Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Fri, 8 Nov 2024 23:43:47 +0100
+Subject: [PATCH 3/8] Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF
+ injection
+
+(cherry picked from commit 426a6d4539ebee34879ac5de857036bb6ff0e732)
+---
+ ext/standard/http_fopen_wrapper.c             | 18 ++++++++----
+ .../tests/http/ghsa-c5f2-jwm7-mmq2.phpt       | 28 +++++++++++++++++++
+ 2 files changed, 40 insertions(+), 6 deletions(-)
+ create mode 100644 ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index 45677c396ac..6859a4e5181 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -184,6 +184,11 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
+ 			return NULL;
+ 		}
+ 
++		/* Should we send the entire path in the request line, default to no. */
++		if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
++			request_fulluri = zend_is_true(tmpzval);
++		}
++
+ 		use_ssl = resource->scheme && (ZSTR_LEN(resource->scheme) > 4) && ZSTR_VAL(resource->scheme)[4] == 's';
+ 		/* choose default ports */
+ 		if (use_ssl && resource->port == 0)
+@@ -203,6 +208,13 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
+ 		}
+ 	}
+ 
++	if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
++		php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
++		php_url_free(resource);
++		zend_string_release(transport_string);
++		return NULL;
++	}
++
+ 	if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
+ 		double d = zval_get_double(tmpzval);
+ #ifndef PHP_WIN32
+@@ -383,12 +395,6 @@ finish:
+ 		smart_str_appends(&req_buf, "GET ");
+ 	}
+ 
+-	/* Should we send the entire path in the request line, default to no. */
+-	if (!request_fulluri && context &&
+-		(tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
+-		request_fulluri = zend_is_true(tmpzval);
+-	}
+-
+ 	if (request_fulluri) {
+ 		/* Ask for everything */
+ 		smart_str_appends(&req_buf, path);
+diff --git a/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
+new file mode 100644
+index 00000000000..e7dd194dbbe
+--- /dev/null
++++ b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
+@@ -0,0 +1,28 @@
++--TEST--
++GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs)
++--INI--
++allow_url_fopen=1
++--CONFLICTS--
++server
++--FILE--
++<?php
++$serverCode = <<<'CODE'
++echo $_SERVER['REQUEST_URI'];
++CODE;
++
++include __DIR__."/../../../../sapi/cli/tests/php_cli_server.inc";
++php_cli_server_start($serverCode, null, []);
++
++$host = PHP_CLI_SERVER_ADDRESS;
++$userinput = "index.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index2.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index.php";
++$context = stream_context_create(['http' => ['proxy' => 'tcp://' . $host, 'request_fulluri' => true]]);
++echo file_get_contents("http://$host/$userinput", false, $context);
++?>
++--EXPECTF--
++Warning: file_get_contents(http://localhost:%d/index.php HTTP/1.1
++Host: localhost:%d
++
++GET /index2.php HTTP/1.1
++Host: localhost:%d
++
++GET /index.php): Failed to open stream: HTTP wrapper full URI path does not allow CR or LF characters in %s on line %d
+-- 
+2.47.0
+
+From 8d130e16fbfda7d154fedfa0f1ff1d5ad5e26815 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 22 Nov 2024 09:41:12 +0100
+Subject: [PATCH 8/8] fix transport_string release
+
+---
+ ext/standard/http_fopen_wrapper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index 6859a4e5181..40e6f3dd4c3 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -211,7 +211,7 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
+ 	if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
+ 		php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
+ 		php_url_free(resource);
+-		zend_string_release(transport_string);
++		efree(transport_string);
+ 		return NULL;
+ 	}
+ 
+-- 
+2.47.0
+

php-cve-2024-11236.patch

@@ -0,0 +1,117 @@
+From 5d9e54065ed18c51e4f25d8900635f90810c7394 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Thu, 24 Oct 2024 22:02:17 +0200
+Subject: [PATCH 1/8] Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib
+ quoter causing OOB writes
+
+(cherry picked from commit d9baa9fed8c3ba692a36b388c0c7762e5102e2e0)
+---
+ ext/pdo_dblib/dblib_driver.c                 |  8 ++++++-
+ ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt | 24 ++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
+
+diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
+index 7f160a402f7..d7d0901ea1a 100644
+--- a/ext/pdo_dblib/dblib_driver.c
++++ b/ext/pdo_dblib/dblib_driver.c
+@@ -152,6 +152,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
+ 
+ 	size_t i;
+ 	char * q;
++	size_t extralen = 0;
+ 	*quotedlen = 0;
+ 
+ 	if (H->assume_national_character_set_strings) {
+@@ -166,7 +167,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
+ 
+ 	/* Detect quoted length, adding extra char for doubled single quotes */
+ 	for (i = 0; i < unquotedlen; i++) {
+-		if (unquoted[i] == '\'') ++*quotedlen;
++		if (unquoted[i] == '\'') ++extralen;
+ 		++*quotedlen;
+ 	}
+ 
+@@ -174,6 +175,11 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
+ 	if (use_national_character_set) {
+ 		++*quotedlen; /* N prefix */
+ 	}
++	if (UNEXPECTED(*quotedlen > ZSTR_MAX_LEN - extralen)) {
++		return 0;
++	}
++
++	*quotedlen += extralen;
+ 	q = *quoted = emalloc(*quotedlen + 1); /* Add byte for terminal null */
+ 	if (use_national_character_set) {
+ 		*q++ = 'N';
+diff --git a/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt b/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
+new file mode 100644
+index 00000000000..431c61951ee
+--- /dev/null
++++ b/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes)
++--EXTENSIONS--
++pdo_dblib
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE != 4) die("skip for 32bit platforms only");
++if (PHP_OS_FAMILY === "Windows") die("skip not for Windows because the virtual address space for application is only 2GiB");
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++require __DIR__ . '/config.inc';
++getDbConnection();
++?>
++--INI--
++memory_limit=-1
++--FILE--
++<?php
++
++require __DIR__ . '/config.inc';
++$db = getDbConnection();
++var_dump($db->quote(str_repeat("'", 2147483646)));
++
++?>
++--EXPECT--
++bool(false)
+-- 
+2.47.0
+
+From b4f73be75dbdde970a18cc7a636898b10400fb3f Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Thu, 24 Oct 2024 22:02:36 +0200
+Subject: [PATCH 2/8] Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird
+ quoter causing OOB writes
+
+(cherry picked from commit 69c5f68fdc3deed9ebce2cc44b4bf5e0c47cd28f)
+---
+ ext/pdo_firebird/firebird_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
+index e0a424c56ab..fb697978503 100644
+--- a/ext/pdo_firebird/firebird_driver.c
++++ b/ext/pdo_firebird/firebird_driver.c
+@@ -663,7 +663,7 @@ free_statement:
+ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, /* {{{ */
+ 	char **quoted, size_t *quotedlen, enum pdo_param_type paramtype)
+ {
+-	int qcount = 0;
++	size_t qcount = 0;
+ 	char const *co, *l, *r;
+ 	char *c;
+ 
+@@ -678,6 +678,10 @@ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t u
+ 	/* count the number of ' characters */
+ 	for (co = unquoted; (co = strchr(co,'\'')); qcount++, co++);
+ 
++	if (UNEXPECTED(unquotedlen + 2 > ZSTR_MAX_LEN - qcount)) {
++		return 0;
++	}
++
+ 	*quotedlen = unquotedlen + qcount + 2;
+ 	*quoted = c = emalloc(*quotedlen+1);
+ 	*c++ = '\'';
+-- 
+2.47.0
+

php-cve-2024-5458.patch

@@ -0,0 +1,177 @@
+From 4066610b47e22c24cbee91be434a94357056a479 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Wed, 22 May 2024 22:25:02 +0200
+Subject: [PATCH 1/2] Fix GHSA-w8qr-v226-r27w
+
+We should not early-out with success status if we found an ipv6
+hostname, we should keep checking the rest of the conditions.
+Because integrating the if-check of the ipv6 hostname in the
+"Validate domain" if-check made the code hard to read, I extracted the
+condition out to a separate function. This also required to make
+a few pointers const in order to have some clean code.
+---
+ ext/filter/logical_filters.c              | 35 ++++++++++---------
+ ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 15 deletions(-)
+ create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index ad011568aac..300c6e2809c 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -89,7 +89,7 @@
+ #define FORMAT_IPV4    4
+ #define FORMAT_IPV6    6
+ 
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]);
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]);
+ 
+ static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */
+ 	zend_long ctx_value;
+@@ -572,6 +572,14 @@ static int is_userinfo_valid(zend_string *str)
+ 	return 1;
+ }
+ 
++static bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
++{
++	const char *e = s + l;
++	const char *t = e - 1;
++
++	return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l - 2, NULL);
++}
++
+ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ {
+ 	php_url *url;
+@@ -592,7 +600,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ 
+ 	if (url->scheme != NULL &&
+ 		(zend_string_equals_literal_ci(url->scheme, "http") || zend_string_equals_literal_ci(url->scheme, "https"))) {
+-		char *e, *s, *t;
++		const char *s;
+ 		size_t l;
+ 
+ 		if (url->host == NULL) {
+@@ -601,17 +609,14 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ 
+ 		s = ZSTR_VAL(url->host);
+ 		l = ZSTR_LEN(url->host);
+-		e = s + l;
+-		t = e - 1;
+-
+-		/* An IPv6 enclosed by square brackets is a valid hostname */
+-		if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s + 1), l - 2, NULL)) {
+-			php_url_free(url);
+-			return;
+-		}
+ 
+-		// Validate domain
+-		if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)) {
++		if (
++			/* An IPv6 enclosed by square brackets is a valid hostname.*/
++			!php_filter_is_valid_ipv6_hostname(s, l) &&
++			/* Validate domain.
++			 * This includes a loose check for an IPv4 address. */
++			!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)
++		) {
+ 			php_url_free(url);
+ 			RETURN_VALIDATION_FAILED
+ 		}
+@@ -745,15 +750,15 @@ static int _php_filter_validate_ipv4(char *str, size_t str_len, int *ip) /* {{{
+ }
+ /* }}} */
+ 
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]) /* {{{ */
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]) /* {{{ */
+ {
+ 	int compressed_pos = -1;
+ 	int blocks = 0;
+ 	int num, n, i;
+ 	char *ipv4;
+-	char *end;
++	const char *end;
+ 	int ip4elm[4];
+-	char *s = str;
++	const char *s = str;
+ 
+ 	if (!memchr(str, ':', str_len)) {
+ 		return 0;
+diff --git a/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt b/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+new file mode 100644
+index 00000000000..0092408ee5a
+--- /dev/null
++++ b/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++GHSA-w8qr-v226-r27w
++--EXTENSIONS--
++filter
++--FILE--
++<?php
++
++function test(string $input) {
++    var_dump(filter_var($input, FILTER_VALIDATE_URL));
++}
++
++echo "--- These ones should fail ---\n";
++test("http://t[est@127.0.0.1");
++test("http://t[est@[::1]");
++test("http://t[est@[::1");
++test("http://t[est@::1]");
++test("http://php.net\\@aliyun.com/aaa.do");
++test("http://test[@2001:db8:3333:4444:5555:6666:1.2.3.4]");
++test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4]");
++test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4");
++
++echo "--- These ones should work ---\n";
++test("http://test@127.0.0.1");
++test("http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]");
++test("http://test@[::1]");
++
++?>
++--EXPECT--
++--- These ones should fail ---
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++--- These ones should work ---
++string(21) "http://test@127.0.0.1"
++string(50) "http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]"
++string(17) "http://test@[::1]"
+-- 
+2.45.1
+
+From a1ff81b786bd519597e770795be114f5171f0648 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 4 Jun 2024 16:48:08 +0200
+Subject: [PATCH 2/2] NEWS
+
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 1300609f189..7a9b6bdae18 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.1.29
++
++- Filter:
++  . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
++    (CVE-2024-5458) (nielsdos)
++
+ Backported from 8.1.28
+ 
+ - Standard:
+-- 
+2.45.1
+

php-cve-2024-8925.patch

@@ -0,0 +1,188 @@
+From 2b0daf421c162376892832588eccdfa9a286ed09 Mon Sep 17 00:00:00 2001
+From: Arnaud Le Blanc <arnaud.lb@gmail.com>
+Date: Mon, 9 Sep 2024 15:22:07 +0200
+Subject: [PATCH 3/8] Fix GHSA-9pqp-7h25-4f32
+
+multipart/form-data boundaries larger than the read buffer result in erroneous
+parsing, which violates data integrity.
+
+Limit boundary size, as allowed by RFC 1521:
+
+    Encapsulation boundaries [...] must be no longer than 70 characters, not
+    counting the two leading hyphens.
+
+We correctly parse payloads with boundaries of length up to
+FILLUNIT-strlen("\r\n--") bytes, so allow this for BC.
+
+(cherry picked from commit 19b49258d0c5a61398d395d8afde1123e8d161e0)
+---
+ main/rfc1867.c                       |   7 ++
+ tests/basic/GHSA-9pqp-7h25-4f32.inc  |   3 +
+ tests/basic/GHSA-9pqp-7h25-4f32.phpt | 100 +++++++++++++++++++++++++++
+ 3 files changed, 110 insertions(+)
+ create mode 100644 tests/basic/GHSA-9pqp-7h25-4f32.inc
+ create mode 100644 tests/basic/GHSA-9pqp-7h25-4f32.phpt
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 3086e8da3db..eafe6a67d2e 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -752,6 +752,13 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 		boundary_len = boundary_end-boundary;
+ 	}
+ 
++	/* Boundaries larger than FILLUNIT-strlen("\r\n--") characters lead to
++	 * erroneous parsing */
++	if (boundary_len > FILLUNIT-strlen("\r\n--")) {
++		sapi_module.sapi_error(E_WARNING, "Boundary too large in multipart/form-data POST data");
++		return;
++	}
++
+ 	/* Initialize the buffer */
+ 	if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
+ 		sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
+diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.inc b/tests/basic/GHSA-9pqp-7h25-4f32.inc
+new file mode 100644
+index 00000000000..adf72a361a2
+--- /dev/null
++++ b/tests/basic/GHSA-9pqp-7h25-4f32.inc
+@@ -0,0 +1,3 @@
++<?php
++print "Hello world\n";
++var_dump($_POST);
+diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.phpt b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+new file mode 100644
+index 00000000000..af819163705
+--- /dev/null
++++ b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+@@ -0,0 +1,100 @@
++--TEST--
++GHSA-9pqp-7h25-4f32
++--SKIPIF--
++<?php
++if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
++    die("skip php-cgi not available");
++}
++?>
++--FILE--
++<?php
++
++const FILLUNIT = 5 * 1024;
++
++function test($boundaryLen) {
++    printf("Boundary len: %d\n", $boundaryLen);
++
++    $cmd = [
++        getenv('TEST_PHP_CGI_EXECUTABLE'),
++        '-C',
++        '-n',
++        __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
++    ];
++
++    $boundary = str_repeat('A', $boundaryLen);
++    $body = ""
++        . "--$boundary\r\n"
++        . "Content-Disposition: form-data; name=\"koko\"\r\n"
++        . "\r\n"
++        . "BBB\r\n--" . substr($boundary, 0, -1) . "CCC\r\n"
++        . "--$boundary--\r\n"
++        ;
++
++    $env = array_merge($_ENV, [
++        'REDIRECT_STATUS' => '1',
++        'CONTENT_TYPE' => "multipart/form-data; boundary=$boundary",
++        'CONTENT_LENGTH' => strlen($body),
++        'REQUEST_METHOD' => 'POST',
++        'SCRIPT_FILENAME' => __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
++    ]);
++
++    $spec = [
++        0 => ['pipe', 'r'],
++        1 => STDOUT,
++        2 => STDOUT,
++    ];
++
++    $pipes = [];
++
++    print "Starting...\n";
++
++    $handle = proc_open($cmd, $spec, $pipes, getcwd(), $env);
++
++    fwrite($pipes[0], $body);
++
++    $status = proc_close($handle);
++
++    print "\n";
++}
++
++for ($offset = -1; $offset <= 1; $offset++) {
++    test(FILLUNIT - strlen("\r\n--") + $offset);
++}
++
++?>
++--EXPECTF--
++Boundary len: 5115
++Starting...
++X-Powered-By: %s
++Content-type: text/html; charset=UTF-8
++
++Hello world
++array(1) {
++  ["koko"]=>
++  string(5124) "BBB
++--AAA%sCCC"
++}
++
++Boundary len: 5116
++Starting...
++X-Powered-By: %s
++Content-type: text/html; charset=UTF-8
++
++Hello world
++array(1) {
++  ["koko"]=>
++  string(5125) "BBB
++--AAA%sCCC"
++}
++
++Boundary len: 5117
++Starting...
++X-Powered-By: %s
++Content-type: text/html; charset=UTF-8
++
++<br />
++<b>Warning</b>:  Boundary too large in multipart/form-data POST data in <b>Unknown</b> on line <b>0</b><br />
++Hello world
++array(0) {
++}
++
+-- 
+2.46.1
+
+From c75683864f6e4188439e8ca2adbb05824918be12 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Mon, 23 Sep 2024 18:54:31 +0100
+Subject: [PATCH 7/8] Skip GHSA-9pqp-7h25-4f32 test on Windows
+
+(cherry picked from commit c70e25630832fa10d421328eed2b8e1a36af7a64)
+---
+ tests/basic/GHSA-9pqp-7h25-4f32.phpt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.phpt b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+index af819163705..29bcb6557d5 100644
+--- a/tests/basic/GHSA-9pqp-7h25-4f32.phpt
++++ b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+@@ -5,6 +5,9 @@ GHSA-9pqp-7h25-4f32
+ if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
+     die("skip php-cgi not available");
+ }
++if (substr(PHP_OS, 0, 3) == 'WIN') {
++    die("skip not for Windows in CI - probably resource issue");
++}
+ ?>
+ --FILE--
+ <?php
+-- 
+2.46.1
+

php-cve-2024-8926.patch

@@ -0,0 +1,174 @@
+From 9f95e17cc0a9a79da82157e34e3effe1bc395037 Mon Sep 17 00:00:00 2001
+From: Jan Ehrhardt <github@ehrhardt.nl>
+Date: Wed, 5 Jun 2024 20:44:46 +0200
+Subject: [PATCH 1/8] Fix GHSA-3qgc-jrrr-25jv
+
+---
+ sapi/cgi/cgi_main.c                     | 23 ++++++++++++++-
+ sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt | 38 +++++++++++++++++++++++++
+ 2 files changed, 60 insertions(+), 1 deletion(-)
+ create mode 100644 sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index 0d52941c5a1..0d3b54ed8b8 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1798,8 +1798,13 @@ int main(int argc, char *argv[])
+ 		}
+ 	}
+ 
++	/* Apache CGI will pass the query string to the command line if it doesn't contain a '='.
++	 * This can create an issue where a malicious request can pass command line arguments to
++	 * the executable. Ideally we skip argument parsing when we're in cgi or fastcgi mode,
++	 * but that breaks PHP scripts on Linux with a hashbang: `#!/php-cgi -d option=value`.
++	 * Therefore, this code only prevents passing arguments if the query string starts with a '-'.
++	 * Similarly, scripts spawned in subprocesses on Windows may have the same issue. */
+ 	if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+-		/* we've got query string that has no = - apache CGI will pass it to command line */
+ 		unsigned char *p;
+ 		decoded_query_string = strdup(query_string);
+ 		php_url_decode(decoded_query_string, strlen(decoded_query_string));
+@@ -1809,6 +1814,22 @@ int main(int argc, char *argv[])
+ 		if(*p == '-') {
+ 			skip_getopt = 1;
+ 		}
++
++		/* On Windows we have to take into account the "best fit" mapping behaviour. */
++#ifdef PHP_WIN32
++		if (*p >= 0x80) {
++			wchar_t wide_buf[1];
++			wide_buf[0] = *p;
++			char char_buf[4];
++			size_t wide_buf_len = sizeof(wide_buf) / sizeof(wide_buf[0]);
++			size_t char_buf_len = sizeof(char_buf) / sizeof(char_buf[0]);
++			if (WideCharToMultiByte(CP_ACP, 0, wide_buf, wide_buf_len, char_buf, char_buf_len, NULL, NULL) == 0
++				|| char_buf[0] == '-') {
++				skip_getopt = 1;
++			}
++		}
++#endif
++
+ 		free(decoded_query_string);
+ 	}
+ 
+diff --git a/sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt b/sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt
+new file mode 100644
+index 00000000000..fd2fcdfbf89
+--- /dev/null
++++ b/sapi/cgi/tests/ghsa-3qgc-jrrr-25jv.phpt
+@@ -0,0 +1,38 @@
++--TEST--
++GHSA-3qgc-jrrr-25jv
++--SKIPIF--
++<?php
++include 'skipif.inc';
++if (PHP_OS_FAMILY !== "Windows") die("skip Only for Windows");
++
++$codepage = trim(shell_exec("powershell Get-ItemPropertyValue HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage ACP"));
++if ($codepage !== '932' && $codepage !== '936' && $codepage !== '950') die("skip Wrong codepage");
++?>
++--FILE--
++<?php
++include 'include.inc';
++
++$filename = __DIR__."/GHSA-3qgc-jrrr-25jv_tmp.php";
++$script = '<?php echo "hello "; echo "world"; ?>';
++file_put_contents($filename, $script);
++
++$php = get_cgi_path();
++reset_env_vars();
++
++putenv("SERVER_NAME=Test");
++putenv("SCRIPT_FILENAME=$filename");
++putenv("QUERY_STRING=%ads");
++putenv("REDIRECT_STATUS=1");
++
++passthru("$php -s");
++
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__."/GHSA-3qgc-jrrr-25jv_tmp.php");
++?>
++--EXPECTF--
++X-Powered-By: PHP/%s
++Content-type: %s
++
++hello world
+-- 
+2.46.1
+
+From 2d2552e092b6ff32cd823692d512f126ee629842 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Fri, 14 Jun 2024 19:49:22 +0200
+Subject: [PATCH 4/8] Fix GHSA-p99j-rfp4-xqvq
+
+It's no use trying to work around whatever the operating system and Apache
+do because we'll be fighting that until eternity.
+Change the skip_getopt condition such that when we're running in
+CGI or FastCGI mode we always skip the argument parsing.
+This is a BC break, but this seems to be the only way to get rid of this
+class of issues.
+
+(cherry picked from commit abcfd980bfa03298792fd3aba051c78d52f10642)
+---
+ sapi/cgi/cgi_main.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index 0d3b54ed8b8..6e148874e4f 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1748,7 +1748,6 @@ int main(int argc, char *argv[])
+ 	int status = 0;
+ #endif
+ 	char *query_string;
+-	char *decoded_query_string;
+ 	int skip_getopt = 0;
+ 
+ #if defined(SIGPIPE) && defined(SIG_IGN)
+@@ -1803,10 +1802,15 @@ int main(int argc, char *argv[])
+ 	 * the executable. Ideally we skip argument parsing when we're in cgi or fastcgi mode,
+ 	 * but that breaks PHP scripts on Linux with a hashbang: `#!/php-cgi -d option=value`.
+ 	 * Therefore, this code only prevents passing arguments if the query string starts with a '-'.
+-	 * Similarly, scripts spawned in subprocesses on Windows may have the same issue. */
++	 * Similarly, scripts spawned in subprocesses on Windows may have the same issue.
++	 * However, Windows has lots of conversion rules and command line parsing rules that
++	 * are too difficult and dangerous to reliably emulate. */
+ 	if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
++#ifdef PHP_WIN32
++		skip_getopt = cgi || fastcgi;
++#else
+ 		unsigned char *p;
+-		decoded_query_string = strdup(query_string);
++		char *decoded_query_string = strdup(query_string);
+ 		php_url_decode(decoded_query_string, strlen(decoded_query_string));
+ 		for (p = (unsigned char *)decoded_query_string; *p &&  *p <= ' '; p++) {
+ 			/* skip all leading spaces */
+@@ -1815,22 +1819,8 @@ int main(int argc, char *argv[])
+ 			skip_getopt = 1;
+ 		}
+ 
+-		/* On Windows we have to take into account the "best fit" mapping behaviour. */
+-#ifdef PHP_WIN32
+-		if (*p >= 0x80) {
+-			wchar_t wide_buf[1];
+-			wide_buf[0] = *p;
+-			char char_buf[4];
+-			size_t wide_buf_len = sizeof(wide_buf) / sizeof(wide_buf[0]);
+-			size_t char_buf_len = sizeof(char_buf) / sizeof(char_buf[0]);
+-			if (WideCharToMultiByte(CP_ACP, 0, wide_buf, wide_buf_len, char_buf, char_buf_len, NULL, NULL) == 0
+-				|| char_buf[0] == '-') {
+-				skip_getopt = 1;
+-			}
+-		}
+-#endif
+-
+ 		free(decoded_query_string);
++#endif
+ 	}
+ 
+ 	while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
+-- 
+2.46.1
+

php-cve-2024-8927.patch

@@ -0,0 +1,56 @@
+From 8aa748ee0657cdee8d883ba50d04b68bc450f686 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Tue, 18 Jun 2024 21:28:26 +0200
+Subject: [PATCH 5/8] Fix GHSA-94p6-54jq-9mwp
+
+Apache only generates REDIRECT_STATUS, so explicitly check for that
+if the server name is Apache, don't allow other variable names.
+Furthermore, redirect.so and Netscape no longer exist, so
+remove those entries as we can't check their server name anymore.
+
+We now also check for the configuration override *first* such that it
+always take precedence. This would allow for a mitigation path if
+something like this happens in the future.
+
+(cherry picked from commit 48808d98f4fc2a05193cdcc1aedd6c66816450f1)
+---
+ sapi/cgi/cgi_main.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index 6e148874e4f..5879d0e0f93 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1910,18 +1910,17 @@ int main(int argc, char *argv[])
+ 
+ 	/* check force_cgi after startup, so we have proper output */
+ 	if (cgi && CGIG(force_redirect)) {
+-		/* Apache will generate REDIRECT_STATUS,
+-		 * Netscape and redirect.so will generate HTTP_REDIRECT_STATUS.
+-		 * redirect.so and installation instructions available from
+-		 * http://www.koehntopp.de/php.
+-		 *   -- kk@netuse.de
+-		 */
+-		if (!getenv("REDIRECT_STATUS") &&
+-			!getenv ("HTTP_REDIRECT_STATUS") &&
+-			/* this is to allow a different env var to be configured
+-			 * in case some server does something different than above */
+-			(!CGIG(redirect_status_env) || !getenv(CGIG(redirect_status_env)))
+-		) {
++		/* This is to allow a different environment variable to be configured
++		 * in case the we cannot auto-detect which environment variable to use.
++		 * Checking this first to allow user overrides in case the environment
++		 * variable can be set by an untrusted party. */
++		const char *redirect_status_env = CGIG(redirect_status_env);
++		if (!redirect_status_env) {
++			/* Apache will generate REDIRECT_STATUS. */
++			redirect_status_env = "REDIRECT_STATUS";
++		}
++
++		if (!getenv(redirect_status_env)) {
+ 			zend_try {
+ 				SG(sapi_headers).http_response_code = 400;
+ 				PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
+-- 
+2.46.1
+

php-cve-2024-8932.patch

@@ -0,0 +1,130 @@
+From 9f367d847989b339c33369737daf573e30bab5f1 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Thu, 26 Sep 2024 22:22:27 +0200
+Subject: [PATCH 4/8] Fix GHSA-g665-fm4p-vhff: OOB access in ldap_escape
+
+(cherry picked from commit f9ecf90070a11dad09ca7671a712f81cc2a7d52f)
+---
+ ext/ldap/ldap.c                           | 20 ++++++++++++++--
+ ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt | 28 ++++++++++++++++++++++
+ ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt | 29 +++++++++++++++++++++++
+ 3 files changed, 75 insertions(+), 2 deletions(-)
+ create mode 100644 ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt
+ create mode 100644 ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt
+
+diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
+index c4dfe0c5b07..6661310d055 100644
+--- a/ext/ldap/ldap.c
++++ b/ext/ldap/ldap.c
+@@ -3760,13 +3760,23 @@ static zend_string* php_ldap_do_escape(const zend_bool *map, const char *value,
+ 	zend_string *ret;
+ 
+ 	for (i = 0; i < valuelen; i++) {
+-		len += (map[(unsigned char) value[i]]) ? 3 : 1;
++		size_t addend = (map[(unsigned char) value[i]]) ? 3 : 1;
++		if (len > ZSTR_MAX_LEN - addend) {
++			return NULL;
++		}
++		len += addend;
+ 	}
+ 	/* Per RFC 4514, a leading and trailing space must be escaped */
+ 	if ((flags & PHP_LDAP_ESCAPE_DN) && (value[0] == ' ')) {
++		if (len > ZSTR_MAX_LEN - 2) {
++			return NULL;
++		}
+ 		len += 2;
+ 	}
+ 	if ((flags & PHP_LDAP_ESCAPE_DN) && ((valuelen > 1) && (value[valuelen - 1] == ' '))) {
++		if (len > ZSTR_MAX_LEN - 2) {
++			return NULL;
++		}
+ 		len += 2;
+ 	}
+ 
+@@ -3833,7 +3843,13 @@ PHP_FUNCTION(ldap_escape)
+ 		php_ldap_escape_map_set_chars(map, ignores, ignoreslen, 0);
+ 	}
+ 
+-	RETURN_NEW_STR(php_ldap_do_escape(map, value, valuelen, flags));
++	zend_string *result = php_ldap_do_escape(map, value, valuelen, flags);
++	if (UNEXPECTED(!result)) {
++		zend_argument_value_error(1, "is too long");
++		RETURN_THROWS();
++	}
++
++	RETURN_NEW_STR(result);
+ }
+ 
+ #ifdef STR_TRANSLATION
+diff --git a/ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt b/ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt
+new file mode 100644
+index 00000000000..8e2c4fb160d
+--- /dev/null
++++ b/ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt
+@@ -0,0 +1,28 @@
++--TEST--
++GHSA-g665-fm4p-vhff (OOB access in ldap_escape)
++--EXTENSIONS--
++ldap
++--INI--
++memory_limit=-1
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE !== 4) die("skip only for 32-bit");
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--FILE--
++<?php
++try {
++    ldap_escape(' '.str_repeat("#", 1431655758), "", LDAP_ESCAPE_DN);
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++
++try {
++    ldap_escape(str_repeat("#", 1431655758).' ', "", LDAP_ESCAPE_DN);
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++?>
++--EXPECT--
++ldap_escape(): Argument #1 ($value) is too long
++ldap_escape(): Argument #1 ($value) is too long
+diff --git a/ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt b/ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt
+new file mode 100644
+index 00000000000..a69597084be
+--- /dev/null
++++ b/ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt
+@@ -0,0 +1,29 @@
++--TEST--
++GHSA-g665-fm4p-vhff (OOB access in ldap_escape)
++--EXTENSIONS--
++ldap
++--INI--
++memory_limit=-1
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE !== 4) die("skip only for 32-bit");
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--FILE--
++<?php
++try {
++    ldap_escape(str_repeat("*", 1431655759), "", LDAP_ESCAPE_FILTER);
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++
++// would allocate a string of length 2
++try {
++    ldap_escape(str_repeat("*", 1431655766), "", LDAP_ESCAPE_FILTER);
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
++?>
++--EXPECT--
++ldap_escape(): Argument #1 ($value) is too long
++ldap_escape(): Argument #1 ($value) is too long
+-- 
+2.47.0
+

php-cve-2024-9026.patch

@@ -0,0 +1,136 @@
+From 22f4d3504d7613ce78bb96aa53cbfe7d672fa036 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 12 Sep 2024 13:11:11 +0100
+Subject: [PATCH 6/8] Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be
+ altered
+
+(cherry picked from commit 1f8e16172c7961045c2b0f34ba7613e3f21cdee8)
+---
+ sapi/fpm/fpm/fpm_stdio.c                      |  2 +-
+ .../log-bwp-msg-flush-split-sep-pos-end.phpt  | 47 +++++++++++++++++++
+ ...log-bwp-msg-flush-split-sep-pos-start.phpt | 47 +++++++++++++++++++
+ 3 files changed, 95 insertions(+), 1 deletion(-)
+ create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+ create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+
+diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
+index d75f9158cda..7983d6217b2 100644
+--- a/sapi/fpm/fpm/fpm_stdio.c
++++ b/sapi/fpm/fpm/fpm_stdio.c
+@@ -228,7 +228,7 @@ stdio_read:
+ 			if 	((sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos) <= in_buf &&
+ 					!memcmp(buf, &FPM_STDIO_CMD_FLUSH[cmd_pos], sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos)) {
+ 				zlog_stream_finish(log_stream);
+-				start = cmd_pos;
++				start = sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos;
+ 			} else {
+ 				zlog_stream_str(log_stream, &FPM_STDIO_CMD_FLUSH[0], cmd_pos);
+ 			}
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+new file mode 100644
+index 00000000000..52826320080
+--- /dev/null
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+@@ -0,0 +1,47 @@
++--TEST--
++FPM: Buffered worker output plain log with msg with flush split position towards separator end
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++catch_workers_output = yes
++decorate_workers_output = no
++EOT;
++
++$code = <<<EOT
++<?php
++file_put_contents('php://stderr', str_repeat('a', 1013) . "Quarkslab\0fscf\0Quarkslab");
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$tester->request()->expectEmptyBody();
++$tester->expectLogLine(str_repeat('a', 1013)  . "Quarkslab", decorated: false);
++$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+new file mode 100644
+index 00000000000..34905938553
+--- /dev/null
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+@@ -0,0 +1,47 @@
++--TEST--
++FPM: Buffered worker output plain log with msg with flush split position towards separator start
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++catch_workers_output = yes
++decorate_workers_output = no
++EOT;
++
++$code = <<<EOT
++<?php
++file_put_contents('php://stderr', str_repeat('a', 1009) . "Quarkslab\0fscf\0Quarkslab");
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$tester->request()->expectEmptyBody();
++$tester->expectLogLine(str_repeat('a', 1009)  . "Quarkslab", decorated: false);
++$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+-- 
+2.46.1

php-ghsa-4w77-75f9-2c8w.patch

@@ -0,0 +1,86 @@
+From 462092a48aa0dbad24d9fa8a4a9d418faa14d309 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 9 Nov 2024 15:29:52 +0100
+Subject: [PATCH 6/8] Fix GHSA-4w77-75f9-2c8w
+
+(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)
+---
+ sapi/cli/php_cli_server.c               |  6 +---
+ sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 5 deletions(-)
+ create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+
+diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
+index 295448f1211..5104318a634 100644
+--- a/sapi/cli/php_cli_server.c
++++ b/sapi/cli/php_cli_server.c
+@@ -1863,8 +1863,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
+ 
+ static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
+ {
+-	char *val;
+-
+ 	request_info->request_method = php_http_method_str(client->request.request_method);
+ 	request_info->proto_num = client->request.protocol_version;
+ 	request_info->request_uri = client->request.request_uri;
+@@ -1872,9 +1870,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
+ 	request_info->query_string = client->request.query_string;
+ 	request_info->content_length = client->request.content_len;
+ 	request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
+-	if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
+-		request_info->content_type = val;
+-	}
++	request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
+ } /* }}} */
+ 
+ static void destroy_request_info(sapi_request_info *request_info) /* {{{ */
+diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+new file mode 100644
+index 00000000000..2c8aeff12d5
+--- /dev/null
++++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php
++include "skipif.inc";
++?>
++--FILE--
++<?php
++include "php_cli_server.inc";
++
++$serverCode = <<<'CODE'
++var_dump(file_get_contents('php://input'));
++CODE;
++
++php_cli_server_start($serverCode, null, []);
++
++$options = [
++    "http" => [
++        "method" => "POST",
++        "header" => "Content-Type: application/x-www-form-urlencoded",
++        "content" => "AAAAA",
++    ],
++];
++$context = stream_context_create($options);
++
++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
++
++$options = [
++    "http" => [
++        "method" => "POST",
++    ],
++];
++$context = stream_context_create($options);
++
++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
++?>
++--EXPECT--
++string(5) "AAAAA"
++string(0) ""
+-- 
+2.47.0
+

php.spec

@@ -26,9 +26,9 @@
 
 Name:          php
 Version:       %{upver}
-Release:       3
+Release:       8
 Summary:       PHP scripting language for creating dynamic web sites
-License:       PHP-3.01 and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
+License:       PHP-3.01 AND Zend-2.0 AND BSD-2-Clause AND MIT AND Apache-1.0 AND NCSA AND BSL-1.0
 URL:           http://www.php.net/
 Source0:       http://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz
 Source1:       php.conf
@@ -57,6 +57,17 @@ Patch6:        php-8.0.0-phpinfo.patch
 Patch7:        php-7.4.0-datetests.patch
 Patch9:        php-cve-2024-2756.patch
 Patch10:       php-cve-2024-3096.patch
+Patch11:       php-cve-2024-5458.patch
+Patch12:       php-cve-2024-8925.patch
+Patch13:       php-cve-2024-8926.patch
+Patch14:       php-cve-2024-8927.patch
+Patch15:       php-cve-2024-9026.patch
+Patch16:       php-cve-2024-11236.patch
+Patch17:       php-cve-2024-11234.patch
+Patch18:       php-cve-2024-8932.patch
+Patch19:       php-cve-2024-11233.patch
+Patch20:       php-ghsa-4w77-75f9-2c8w.patch
+Patch21:       php-cve-2024-8929.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -91,7 +102,7 @@ which adds support for the PHP language to Apache HTTP Server.
 
 %package cli
 Summary:  Command-line interface for PHP
-License:  PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and PostgreSQL
+License:  PHP-3.01 AND Zend-2.0 AND BSD-2-Clause AND MIT AND Apache-1.0 AND NCSA AND PostgreSQL
 Requires: php-common%{?_isa} = %{version}-%{release}
 Provides: php-cgi = %{version}-%{release}, php-cgi%{?_isa} = %{version}-%{release}, php-pcntl, php-pcntl%{?_isa}
 Provides: php-readline, php-readline%{?_isa}
@@ -124,7 +135,7 @@ any size, especially busier sites.
 
 %package  common
 Summary:   Common files for PHP
-License:   PHP and BSD
+License:   PHP-3.01 AND BSD-2-Clause
 Provides:  php(api) = %{apiver}-%{__isa_bits}, php(zend-abi) = %{zendver}-%{__isa_bits}
 Provides:  php(language) = %{version}, php(language)%{?_isa} = %{version}, php-bz2, php-bz2%{?_isa}
 Provides:  php-calendar, php-calendar%{?_isa}, php-core = %{version}, php-core%{?_isa} = %{version}
@@ -161,7 +172,7 @@ need to install this package.
 
 %package opcache
 Summary:   The Zend OPcache
-License:   PHP
+License:   PHP-3.01
 Requires:  php-common%{?_isa} = %{version}-%{release}
 Provides:  php-pecl-zendopcache = %{version}, php-pecl-zendopcache%{?_isa} = %{version}, php-pecl(opcache) = %{version}
 Provides:  php-pecl(opcache)%{?_isa} = %{version}
@@ -176,7 +187,7 @@ bytecode optimization patterns that make code execution faster.
 %if %{with_imap}
 %package imap
 Summary:       A module for PHP applications that use IMAP
-License:       PHP
+License:       PHP-3.01
 Requires:      php-common%{?_isa} = %{version}-%{release}
 BuildRequires: krb5-devel, openssl-devel, libc-client-devel
 
@@ -188,7 +199,7 @@ messages on mail servers. PHP is an HTML-embedded scripting language.
 
 %package ldap
 Summary:       A module for PHP applications that use LDAP
-License:       PHP
+License:       PHP-3.01
 Requires:      php-common%{?_isa} = %{version}-%{release}
 BuildRequires: cyrus-sasl-devel, openldap-devel, openssl-devel
 
@@ -200,7 +211,7 @@ language.
 
 %package pdo
 Summary:  A database access abstraction module for PHP applications
-License:  PHP
+License:  PHP-3.01
 Requires: php-common%{?_isa} = %{version}-%{release}
 Provides: php-pdo-abi  = %{pdover}-%{__isa_bits}, php(pdo-abi) = %{pdover}-%{__isa_bits}, php-sqlite3, php-sqlite3%{?_isa}
 Provides: php-pdo_sqlite, php-pdo_sqlite%{?_isa}
@@ -213,7 +224,7 @@ databases.
 
 %package mysqlnd
 Summary:  A module for PHP applications that use MySQL databases
-License:  PHP
+License:  PHP-3.01
 Requires: php-pdo%{?_isa} = %{version}-%{release}
 Provides: php_database, php-mysqli = %{version}-%{release}, php-mysqli%{?_isa} = %{version}-%{release},php-pdo_mysql
 Provides: php-pdo_mysql%{?_isa}
@@ -228,7 +239,7 @@ This package use the MySQL Native Driver
 
 %package pgsql
 Summary:       A PostgreSQL database module for PHP
-License:       PHP
+License:       PHP-3.01
 Requires:      php-pdo%{?_isa} = %{version}-%{release}
 Provides:      php_database, php-pdo_pgsql, php-pdo_pgsql%{?_isa}
 BuildRequires: krb5-devel, openssl-devel, postgresql-devel
@@ -243,7 +254,7 @@ php package.
 
 %package process
 Summary:  Modules for PHP script using system process interfaces
-License:  PHP
+License:  PHP-3.01
 Requires: php-common%{?_isa} = %{version}-%{release}
 Provides: php-posix, php-posix%{?_isa}, php-shmop, php-shmop%{?_isa}, php-sysvsem, php-sysvsem%{?_isa}
 Provides: php-sysvshm, php-sysvshm%{?_isa}, php-sysvmsg, php-sysvmsg%{?_isa}
@@ -255,7 +266,7 @@ communication.
 
 %package odbc
 Summary:       A module for PHP applications that use ODBC databases
-License:       PHP
+License:       PHP-3.01
 Requires:      php-pdo%{?_isa} = %{version}-%{release}
 Provides:      php_database, php-pdo_odbc, php-pdo_odbc%{?_isa}
 BuildRequires: unixODBC-devel
@@ -271,7 +282,7 @@ package.
 
 %package soap
 Summary:       A module for PHP applications that use the SOAP protocol
-License:       PHP
+License:       PHP-3.01
 Requires:      php-common%{?_isa} = %{version}-%{release}
 BuildRequires: libxml2-devel
 
@@ -282,7 +293,7 @@ support to PHP for using the SOAP web services protocol.
 %if %{with_firebird}
 %package interbase
 Summary:        A module for PHP applications that use Interbase/Firebird databases
-License:        PHP
+License:        PHP-3.01
 BuildRequires:  firebird-devel
 Requires:       php-pdo%{?_isa} = %{version}-%{release}
 Provides:       php_database, php-firebird, php-firebird%{?_isa}, php-pdo_firebird, php-pdo_firebird%{?_isa}
@@ -301,7 +312,7 @@ License.
 
 %package snmp
 Summary:       A module for PHP applications that query SNMP-managed devices
-License:       PHP
+License:       PHP-3.01
 Requires:      php-common%{?_isa} = %{version}-%{release}, net-snmp
 BuildRequires: net-snmp-devel
 
@@ -313,7 +324,7 @@ will need to install this package and the php package.
 
 %package xml
 Summary:       A module for PHP applications which use XML
-License:       PHP
+License:       PHP-3.01
 Requires:      php-common%{?_isa} = %{version}-%{release}
 Provides:      php-dom, php-dom%{?_isa}, php-domxml, php-domxml%{?_isa}, php-simplexml, php-simplexml%{?_isa}
 Provides:      php-xmlreader, php-xmlreader%{?_isa}, php-xmlwriter, php-xmlwriter%{?_isa}
@@ -328,7 +339,7 @@ and performing XSL transformations on XML documents.
 
 %package mbstring
 Summary:       A module for PHP applications which need multi-byte string handling
-License:       PHP and LGPLv2 and OpenLDAP
+License:       PHP-3.01 AND LGPL-2.1-only AND OLDAP-2.8
 BuildRequires: oniguruma-devel
 Provides:      bundled(libmbfl) = 1.3.2
 Requires:      php-common%{?_isa} = %{version}-%{release}
@@ -340,9 +351,9 @@ support for multi-byte string handling to PHP.
 %package gd
 Summary: A module for PHP applications for using the gd graphics library
 %if %{with_libgd}
-License: PHP
+License: PHP-3.01
 %else
-License: PHP and BSD
+License: PHP-3.01 and BSD-2-Clause
 %endif
 Requires: php-common%{?_isa} = %{version}-%{release}
 %if %{with_libgd}
@@ -358,7 +369,7 @@ support for using the gd graphics library to PHP.
 
 %package bcmath
 Summary: A module for PHP applications for using the bcmath library
-License: PHP and LGPLv2+
+License: PHP-3.01 AND LGPL-2.1-or-later
 Requires: php-common%{?_isa} = %{version}-%{release}
 
 %description bcmath
@@ -367,7 +378,7 @@ support for using the bcmath library to PHP.
 
 %package gmp
 Summary: A module for PHP applications for using the GNU MP library
-License: PHP
+License: PHP-3.01
 BuildRequires: gmp-devel
 Requires: php-common%{?_isa} = %{version}-%{release}
 
@@ -377,7 +388,7 @@ using the GNU MP library.
 
 %package dba
 Summary: A database abstraction layer module for PHP applications
-License: PHP
+License: PHP-3.01
 BuildRequires: lmdb-devel, tokyocabinet-devel
 Requires: php-common%{?_isa} = %{version}-%{release}
 
@@ -387,7 +398,7 @@ support for using the DBA database abstraction layer to PHP.
 
 %package tidy
 Summary: Standard PHP module provides tidy library support
-License: PHP
+License: PHP-3.01
 Requires: php-common%{?_isa} = %{version}-%{release}
 BuildRequires: libtidy-devel
 
@@ -398,7 +409,7 @@ support for using the tidy library to PHP.
 %if %{with_freetds}
 %package pdo-dblib
 Summary: PDO driver Microsoft SQL Server and Sybase databases
-License: PHP
+License: PHP-3.01
 Requires: php-pdo%{?_isa} = %{version}-%{release}
 BuildRequires: freetds-devel
 Provides: php-pdo_dblib, php-pdo_dblib%{?_isa}
@@ -421,7 +432,7 @@ into applications to provide PHP scripting language support.
 %if %{with_pspell}
 %package pspell
 Summary: A module for PHP applications for using pspell interfaces
-License: PHP
+License: PHP-3.01
 Requires: php-common%{?_isa} = %{version}-%{release}
 BuildRequires: aspell-devel >= 0.50.0
 
@@ -432,7 +443,7 @@ support for using the pspell library to PHP.
 
 %package intl
 Summary: Internationalization extension for PHP applications
-License: PHP
+License: PHP-3.01
 Requires: php-common%{?_isa} = %{version}-%{release}
 BuildRequires: libicu-devel >= 4.0
 
@@ -442,7 +453,7 @@ support for using the ICU library to PHP.
 
 %package enchant
 Summary: Enchant spelling extension for PHP applications
-License: PHP
+License: PHP-3.01
 Requires: php-common%{?_isa} = %{version}-%{release}
 BuildRequires: enchant2-devel
 
@@ -453,7 +464,7 @@ support for using the enchant library to PHP.
 %if %{with_sodium}
 %package sodium
 Summary: Wrapper for the Sodium cryptographic library
-License: PHP
+License: PHP-3.01
 BuildRequires:  pkgconfig(libsodium) >= 1.0.9
 
 Requires: php-common%{?_isa} = %{version}-%{release}
@@ -468,7 +479,7 @@ low-level PHP extension for the libsodium cryptographic library.
 %package ffi
 Summary: Foreign Function Interface
 # All files licensed under PHP version 3.0.1
-License: PHP
+License: PHP-3.01
 Group: System Environment/Libraries
 BuildRequires:  pkgconfig(libffi)
 Requires: php-common%{?_isa} = %{version}-%{release}
@@ -480,11 +491,7 @@ scripting language and therefore develop “system code” more productively.
 For PHP, FFI opens a way to write PHP extensions and bindings to C libraries
 in pure PHP.
 
-%package help
-Summary: help
-
-%description help
-help
+%package_help
 
 %prep
 %autosetup -n php-%{upver}%{?rcver} -p1
@@ -1080,6 +1087,31 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 %{_mandir}/*
 
 %changelog
+* Thu Nov 28 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-8
+- Fix Leak partial content of the heap through heap buffer over-read
+  CVE-2024-8929
+
+* Sat Nov 23 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-7
+- Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface
+  GHSA-4w77-75f9-2c8w
+- Fix OOB access in ldap_escape
+  CVE-2024-8932
+- Fix Integer overflow in the dblib/firebird quoter causing OOB writes
+  CVE-2024-11236
+- Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs
+  CVE-2024-11234
+- Fix Single byte overread with convert.quoted-printable-decode filter
+  CVE-2024-11233
+
+* Fri Sep 27 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-6
+- fix CVE-2024-8925, CVE-2024-8926, CVE-2024-8927, CVE-2024-9026
+
+* Wed Jun 12 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-5
+- Update licenses declaration
+
+* Fri Jun 07 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-4
+- fix CVE-2024-5458
+
 * Mon Apr 15 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-3
 - fix CVE-2024-2756, CVE-2024-3096