!24 Fix CVE-2020-7063.patch

From: @wangchen2020 Reviewed-by: @small_leek Signed-off-by: @small_leek
2020-12-17 16:49:37 +08:00 · 2020-12-17 16:49:37 +08:00 · 453da26429
commit 453da26429
parent 22605b3194 5564e5526f
2 changed files with 126 additions and 1 deletions
--- a/CVE-2020-7063.patch
+++ b/CVE-2020-7063.patch
@ -0,0 +1,121 @@
+From ead40a66785aedaa393f953a0ed9224adaf040cd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 22:17:14 -0800
+Subject: [PATCH] Fix bug #79082 - Files added to tar with
+ Phar::buildFromIterator have all-access permissions
+
+---
+ ext/phar/phar_object.c                       | 11 ++++++
+ ext/phar/tests/bug79082.phpt                 | 52 ++++++++++++++++++++++++++++
+ ext/phar/tests/test79082/test79082-testfile  |  1 +
+ ext/phar/tests/test79082/test79082-testfile2 |  1 +
+ 4 files changed, 65 insertions(+)
+ create mode 100644 ext/phar/tests/bug79082.phpt
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile2
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 6cf097e36fe..89b553c2b91 100644
+--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
+@@ -1419,6 +1419,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
+ 	char *str_key;
+ 	zend_class_entry *ce = p_obj->c;
+ 	phar_archive_object *phar_obj = p_obj->p;
+	php_stream_statbuf ssb;
+ 
+ 	value = iter->funcs->get_current_data(iter);
+ 
+@@ -1686,6 +1687,16 @@ after_open_fp:
+ 		php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
+ 		data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
+ 			php_stream_tell(p_obj->fp) - data->internal_file->offset;
+		if (php_stream_stat(fp, &ssb) != -1) {
+			data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
+		} else {
+#ifndef _WIN32
+			mode_t mask;
+			mask = umask(0);
+			umask(mask);
+			data->internal_file->flags &= ~mask;
+#endif
+		}
+ 	}
+ 
+ 	if (close_fp) {
+diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
+new file mode 100644
+index 00000000000..ca453d1b57b
+--- /dev/null
+++ b/ext/phar/tests/bug79082.phpt
+@@ -0,0 +1,52 @@
+--TEST--
+Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
+--SKIPIF--
+<?php 
+if (!extension_loaded("phar")) die("skip"); 
+if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
+?>
+--FILE--
+<?php
+umask(022);
+var_dump(decoct(umask()));
+chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
+chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
+
+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
+	clearstatcache();
+	$phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
+	$phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
+	$phar->extractTo(__DIR__);
+	var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
+	var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
+	unlink(__DIR__ . '/test79082-testfile');
+	unlink(__DIR__ . '/test79082-testfile2');
+}
+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
+	clearstatcache();
+	$phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
+	$phar->buildFromDirectory(__DIR__ . '/test79082');
+	$phar->extractTo(__DIR__);
+	var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
+	var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
+	unlink(__DIR__ . '/test79082-testfile');
+	unlink(__DIR__ . '/test79082-testfile2');
+}
+?>
+--CLEAN--
+<?
+unlink(__DIR__ . '/test79082.tar');
+unlink(__DIR__ . '/test79082.zip');
+unlink(__DIR__ . '/test79082-d.tar');
+unlink(__DIR__ . '/test79082-d.zip');
+?>
+--EXPECT--
+string(2) "22"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
+new file mode 100644
+index 00000000000..9daeafb9864
+--- /dev/null
+++ b/ext/phar/tests/test79082/test79082-testfile
+@@ -0,0 +1 @@
+test
+diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
+new file mode 100644
+index 00000000000..9daeafb9864
+--- /dev/null
+++ b/ext/phar/tests/test79082/test79082-testfile2
+@@ -0,0 +1 @@
+test
+-- 
+2.11.0
+
+
--- a/php.spec
+++ b/php.spec
@ -28,7 +28,7 @@

 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       8
+Release:       9
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@ -96,6 +96,7 @@ Patch6022:     CVE-2020-7064.patch
 Patch6023:     CVE-2020-7066.patch
 Patch6024:     CVE-2019-11048.patch
 Patch6025:     CVE-2020-7068.patch
+Patch6026:     CVE-2020-7063.patch

 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -1157,6 +1158,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :


 %changelog
+* Thu Dec 17 2020 wangchen <wangchen137@huawei.com> - 7.2.10-9
+- Fix CVE-2020-7063
+
 * Mon Nov 07 2020 liuweibo <liuweibo10@huawei.com> - 7.2.10-8
 - Append help recommends to main package