shivammathur
diff --git a/‎config/patches/5.6/0204-Fix-81740-PDO-quote-may-return-unquoted-string.patch‎
Lines changed: 52 additions & 0 deletions b/‎config/patches/5.6/0204-Fix-81740-PDO-quote-may-return-unquoted-string.patch‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎config/patches/5.6/0205-adapt-test-for-5.x.patch‎
Lines changed: 21 additions & 0 deletions b/‎config/patches/5.6/0205-adapt-test-for-5.x.patch‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎config/patches/5.6/0206-NEWS.patch‎
Lines changed: 27 additions & 0 deletions b/‎config/patches/5.6/0206-NEWS.patch‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎config/patches/5.6/0207-crypt-Fix-validation-of-malformed-BCrypt-hashes.patch‎
Lines changed: 145 additions & 0 deletions b/‎config/patches/5.6/0207-crypt-Fix-validation-of-malformed-BCrypt-hashes.patch‎
Lines changed: 145 additions & 0 deletions
diff --git a/‎config/patches/5.6/0208-crypt-Fix-possible-buffer-overread-in-php_crypt.patch‎
Lines changed: 39 additions & 0 deletions b/‎config/patches/5.6/0208-crypt-Fix-possible-buffer-overread-in-php_crypt.patch‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎config/patches/5.6/0209-Fix-array-overrun-when-appending-slash-to-paths.patch‎
Lines changed: 65 additions & 0 deletions b/‎config/patches/5.6/0209-Fix-array-overrun-when-appending-slash-to-paths.patch‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎config/patches/5.6/0210-NEWS.patch‎
Lines changed: 28 additions & 0 deletions b/‎config/patches/5.6/0210-NEWS.patch‎
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,52 @@
+From: "Christoph M. Becker" <[email protected]>
+Date: Mon, 31 Oct 2022 17:20:23 +0100
+Subject: Fix #81740: PDO::quote() may return unquoted string
+
+`sqlite3_snprintf()` expects its first parameter to be `int`; we need
+to avoid overflow.
+
+(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba)
+(cherry picked from commit 7cb160efe19d3dfb8b92629805733ea186b55050)
+---
+ ext/pdo_sqlite/sqlite_driver.c     |  3 +++
+ ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
+ 2 files changed, 20 insertions(+)
+ create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
+
+diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
+index 09df8d7..413c23c 100644
+--- a/ext/pdo_sqlite/sqlite_driver.c
++++ b/ext/pdo_sqlite/sqlite_driver.c
+@@ -232,6 +232,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, unsigne
+ /* NB: doesn't handle binary strings... use prepared stmts for that */
+ static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, int unquotedlen, char **quoted, int *quotedlen, enum pdo_param_type paramtype  TSRMLS_DC)
+ {
++	if (unquotedlen > (INT_MAX - 3) / 2) {
++		return 0;
++	}
+ 	*quoted = safe_emalloc(2, unquotedlen, 3);
+ 	sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
+ 	*quotedlen = strlen(*quoted);
+diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
+new file mode 100644
+index 0000000..99fb07c
+--- /dev/null
++++ b/ext/pdo_sqlite/tests/bug81740.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #81740 (PDO::quote() may return unquoted string)
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--INI--
++memory_limit=-1
++--FILE--
++<?php
++$pdo = new PDO("sqlite::memory:");
++$string = str_repeat("a", 0x80000000);
++var_dump($pdo->quote($string));
++?>
++--EXPECT--
++bool(false)
@@ -0,0 +1,21 @@
+From: Remi Collet <[email protected]>
+Date: Tue, 20 Dec 2022 08:42:44 +0100
+Subject: adapt test for 5.x
+
+---
+ ext/pdo_sqlite/tests/bug81740.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
+index 99fb07c..08947e3 100644
+--- a/ext/pdo_sqlite/tests/bug81740.phpt
++++ b/ext/pdo_sqlite/tests/bug81740.phpt
+@@ -10,7 +10,7 @@ memory_limit=-1
+ --FILE--
+ <?php
+ $pdo = new PDO("sqlite::memory:");
+-$string = str_repeat("a", 0x80000000);
++$string = str_repeat("a", 0x7fffffff);
+ var_dump($pdo->quote($string));
+ ?>
+ --EXPECT--
@@ -0,0 +1,27 @@
+From: Remi Collet <[email protected]>
+Date: Mon, 19 Dec 2022 09:24:02 +0100
+Subject: NEWS
+
+(cherry picked from commit 7328f3a0344806b846bd05657bdce96e47810bf0)
+(cherry picked from commit dbfbd99e91701c0a5613133c06305fd70545e9ad)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 8cb7923..e2c4da6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.0.27
++
++- PDO/SQLite:
++  . Fixed bug #81740 (PDO::quote() may return unquoted string).
++    (CVE-2022-31631) (cmb)
++
+ Backported from 7.4.32
+ 
+ - Core:
@@ -0,0 +1,145 @@
+From: =?utf-8?q?Tim_D=C3=BCsterhus?= <[email protected]>
+Date: Mon, 23 Jan 2023 21:15:24 +0100
+Subject: crypt: Fix validation of malformed BCrypt hashes
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+PHP’s implementation of crypt_blowfish differs from the upstream Openwall
+version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
+by including a `$` character within the characters that represent the salt.
+
+Hashes that are affected by the “PHP Hack” may erroneously validate any
+password as valid when used with `password_verify` and when comparing the
+return value of `crypt()` against the input.
+
+The PHP Hack exists since the first version of PHP’s own crypt_blowfish
+implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
+
+No clear reason is given for the PHP Hack’s existence. This commit removes it,
+because BCrypt hashes containing a `$` character in their salt are not valid
+BCrypt hashes.
+
+(cherry picked from commit c840f71524067aa474c00c3eacfb83bd860bfc8a)
+(cherry picked from commit 7437aaae38cf4b3357e7580f9e22fd4a403b6c23)
+(cherry picked from commit ed8df26f0b2834cd35996e6712ac206972cb5324)
+---
+ ext/standard/crypt_blowfish.c                    |  8 ---
+ ext/standard/tests/crypt/bcrypt_salt_dollar.phpt | 82 ++++++++++++++++++++++++
+ 2 files changed, 82 insertions(+), 8 deletions(-)
+ create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+
+diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
+index 5cf3067..e923b55 100644
+--- a/ext/standard/crypt_blowfish.c
++++ b/ext/standard/crypt_blowfish.c
+@@ -377,7 +377,6 @@ static unsigned char BF_atoi64[0x60] = {
+ #define BF_safe_atoi64(dst, src) \
+ { \
+ 	tmp = (unsigned char)(src); \
+-	if (tmp == '$') break; /* PHP hack */ \
+ 	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+ 	tmp = BF_atoi64[tmp]; \
+ 	if (tmp > 63) return -1; \
+@@ -405,13 +404,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
+ 		*dptr++ = ((c3 & 0x03) << 6) | c4;
+ 	} while (dptr < end);
+ 
+-	if (end - dptr == size) {
+-		return -1;
+-	}
+-
+-	while (dptr < end) /* PHP hack */
+-		*dptr++ = 0;
+-
+ 	return 0;
+ }
+ 
+diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+new file mode 100644
+index 0000000..32e335f
+--- /dev/null
++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+@@ -0,0 +1,82 @@
++--TEST--
++bcrypt correctly rejects salts containing $
++--FILE--
++<?php
++for ($i = 0; $i < 23; $i++) {
++	$salt = '$2y$04$' . str_repeat('0', $i) . '$';
++	$result = crypt("foo", $salt);
++	var_dump($salt);
++	var_dump($result);
++	var_dump($result === $salt);
++}
++?>
++--EXPECT--
++string(8) "$2y$04$$"
++string(2) "*0"
++bool(false)
++string(9) "$2y$04$0$"
++string(2) "*0"
++bool(false)
++string(10) "$2y$04$00$"
++string(2) "*0"
++bool(false)
++string(11) "$2y$04$000$"
++string(2) "*0"
++bool(false)
++string(12) "$2y$04$0000$"
++string(2) "*0"
++bool(false)
++string(13) "$2y$04$00000$"
++string(2) "*0"
++bool(false)
++string(14) "$2y$04$000000$"
++string(2) "*0"
++bool(false)
++string(15) "$2y$04$0000000$"
++string(2) "*0"
++bool(false)
++string(16) "$2y$04$00000000$"
++string(2) "*0"
++bool(false)
++string(17) "$2y$04$000000000$"
++string(2) "*0"
++bool(false)
++string(18) "$2y$04$0000000000$"
++string(2) "*0"
++bool(false)
++string(19) "$2y$04$00000000000$"
++string(2) "*0"
++bool(false)
++string(20) "$2y$04$000000000000$"
++string(2) "*0"
++bool(false)
++string(21) "$2y$04$0000000000000$"
++string(2) "*0"
++bool(false)
++string(22) "$2y$04$00000000000000$"
++string(2) "*0"
++bool(false)
++string(23) "$2y$04$000000000000000$"
++string(2) "*0"
++bool(false)
++string(24) "$2y$04$0000000000000000$"
++string(2) "*0"
++bool(false)
++string(25) "$2y$04$00000000000000000$"
++string(2) "*0"
++bool(false)
++string(26) "$2y$04$000000000000000000$"
++string(2) "*0"
++bool(false)
++string(27) "$2y$04$0000000000000000000$"
++string(2) "*0"
++bool(false)
++string(28) "$2y$04$00000000000000000000$"
++string(2) "*0"
++bool(false)
++string(29) "$2y$04$000000000000000000000$"
++string(2) "*0"
++bool(false)
++string(30) "$2y$04$0000000000000000000000$"
++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
++bool(false)
@@ -0,0 +1,39 @@
+From: =?utf-8?q?Tim_D=C3=BCsterhus?= <[email protected]>
+Date: Mon, 23 Jan 2023 22:13:57 +0100
+Subject: crypt: Fix possible buffer overread in php_crypt()
+
+(cherry picked from commit a92acbad873a05470af1a47cb785a18eadd827b5)
+(cherry picked from commit ed0281b588a6840cb95f3134a4e68847a3be5bb7)
+(cherry picked from commit bc633b1095280f6a6b96b82f5241c14d25008e7f)
+---
+ ext/standard/crypt.c                                   | 1 +
+ ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+ create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt
+
+diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
+index 1b83d6e..56e1396 100644
+--- a/ext/standard/crypt.c
++++ b/ext/standard/crypt.c
+@@ -196,6 +196,7 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
+ 		} else if (
+ 				salt[0] == '$' &&
+ 				salt[1] == '2' &&
++				salt[2] != 0 &&
+ 				salt[3] == '$' &&
+ 				salt[4] >= '0' && salt[4] <= '3' &&
+ 				salt[5] >= '0' && salt[5] <= '9' &&
+diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt b/ext/standard/tests/password/password_bcrypt_short.phpt
+new file mode 100644
+index 0000000..085bc8a
+--- /dev/null
++++ b/ext/standard/tests/password/password_bcrypt_short.phpt
+@@ -0,0 +1,8 @@
++--TEST--
++Test that password_hash() does not overread buffers when a short hash is passed
++--FILE--
++<?php
++var_dump(password_verify("foo", '$2'));
++?>
++--EXPECT--
++bool(false)
@@ -0,0 +1,65 @@
+From: Niels Dossche <[email protected]>
+Date: Fri, 27 Jan 2023 19:28:27 +0100
+Subject: Fix array overrun when appending slash to paths
+
+Fix it by extending the array sizes by one character. As the input is
+limited to the maximum path length, there will always be place to append
+the slash. As the php_check_specific_open_basedir() simply uses the
+strings to compare against each other, no new failures related to too
+long paths are introduced.
+We'll let the DOM and XML case handle a potentially too long path in the
+library code.
+
+(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953)
+(cherry picked from commit 887cd0710ad856a0d22c329b6ea6c71ebd8621ae)
+(cherry picked from commit d43aca084651d395d1191a9751e2ea90036df09e)
+---
+ ext/dom/document.c            | 2 +-
+ ext/xmlreader/php_xmlreader.c | 2 +-
+ main/fopen_wrappers.c         | 6 +++---
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index 1970c38..7cf4464 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1498,7 +1498,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc
+ 	int validate, recover, resolve_externals, keep_blanks, substitute_ent;
+ 	int resolved_path_len;
+ 	int old_error_reporting = 0;
+-	char *directory=NULL, resolved_path[MAXPATHLEN];
++	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ 
+ 	if (id != NULL) {
+ 		intern = (dom_object *)zend_object_store_get_object(id TSRMLS_CC);
+diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
+index 31208d8..7948b4c 100644
+--- a/ext/xmlreader/php_xmlreader.c
++++ b/ext/xmlreader/php_xmlreader.c
+@@ -1044,7 +1044,7 @@ PHP_METHOD(xmlreader, XML)
+ 	xmlreader_object *intern = NULL;
+ 	char *source, *uri = NULL, *encoding = NULL;
+ 	int resolved_path_len, ret = 0;
+-	char *directory=NULL, resolved_path[MAXPATHLEN];
++	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ 	xmlParserInputBufferPtr inputbfr;
+ 	xmlTextReaderPtr reader;
+ 
+diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
+index af9c558..1554aaa 100644
+--- a/main/fopen_wrappers.c
++++ b/main/fopen_wrappers.c
+@@ -141,10 +141,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
+ */
+ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path TSRMLS_DC)
+ {
+-	char resolved_name[MAXPATHLEN];
+-	char resolved_basedir[MAXPATHLEN];
++	char resolved_name[MAXPATHLEN + 1];
++	char resolved_basedir[MAXPATHLEN + 1];
+ 	char local_open_basedir[MAXPATHLEN];
+-	char path_tmp[MAXPATHLEN];
++	char path_tmp[MAXPATHLEN + 1];
+ 	char *path_file;
+ 	int resolved_basedir_len;
+ 	int resolved_name_len;
@@ -0,0 +1,28 @@
+From: Remi Collet <[email protected]>
+Date: Mon, 13 Feb 2023 11:46:47 +0100
+Subject: NEWS
+
+(cherry picked from commit 614468ce4056c0ef93aae09532dcffdf65b594b5)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index e2c4da6..27b96a6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.0.28
++
++- Core:
++  . Fixed bug #81744 (Password_verify() always return true with some hash).
++    (CVE-2023-0567). (Tim Düsterhus)
++  . Fixed bug #81746 (1-byte array overrun in common path resolve code).
++    (CVE-2023-0568). (Niels Dossche)
++
+ Backported from 8.0.27
+ 
+ - PDO/SQLite: