diff -Nru php8.0-8.0.8/debian/changelog php8.0-8.0.8/debian/changelog --- php8.0-8.0.8/debian/changelog 2022-02-24 15:03:09.000000000 +0000 +++ php8.0-8.0.8/debian/changelog 2022-03-03 14:51:53.000000000 +0000 @@ -1,3 +1,32 @@ +php8.0 (8.0.8-1ubuntu0.3) impish-security; urgency=medium + + * SECURITY UPDATE: DoS in zend_string_extend function + - debian/patches/CVE-2017-8923.patch: fix integer Overflow when + concatenating strings in Zend/zend_vm_def.h, Zend/zend_vm_execute.h. + - CVE-2017-8923 + * SECURITY UPDATE: out of bounds access in php_pcre_replace_impl + - debian/patches/CVE-2017-9118-pre1.patch: fix heap buffer overflow via + str_repeat in Zend/zend_operators.c, Zend/zend_string.h. + - debian/patches/CVE-2017-9118-pre3.patch: fix too much memory is + allocated for preg_replace() in ext/pcre/php_pcre.c, + ext/pcre/tests/bug81243.phpt. + - debian/patches/CVE-2017-9118.patch: fix out of bounds in + php_pcre_replace_impl in Zend/zend_string.h, ext/pcre/php_pcre.c. + - CVE-2017-9118 + * SECURITY UPDATE: DoS via integer overflow in mysqli_real_escape_string + - debian/patches/CVE-2017-9120.patch: fix overflow in + ext/mysqli/mysqli_api.c. + - CVE-2017-9120 + * SECURITY UPDATE: filename truncation issue in XML parsing functions + - debian/patches/CVE-2021-21707.patch: special character is breaking + the path in xml function in ext/dom/domimplementation.c, + ext/dom/tests/bug79971_2.phpt, ext/libxml/libxml.c, + ext/simplexml/tests/bug79971_1.phpt, + ext/simplexml/tests/bug79971_1.xml. + - CVE-2021-21707 + + -- Marc Deslauriers Thu, 03 Mar 2022 09:51:53 -0500 + php8.0 (8.0.8-1ubuntu0.2) impish-security; urgency=medium * SECURITY UPDATE: Use after free diff -Nru php8.0-8.0.8/debian/patches/CVE-2017-8923.patch php8.0-8.0.8/debian/patches/CVE-2017-8923.patch --- php8.0-8.0.8/debian/patches/CVE-2017-8923.patch 1970-01-01 00:00:00.000000000 +0000 +++ php8.0-8.0.8/debian/patches/CVE-2017-8923.patch 2022-03-03 14:48:32.000000000 +0000 @@ -0,0 +1,122 @@ +From 0b7dffb41f0b571c00304c973f9b85ef910d43d9 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 17 Aug 2021 16:56:52 +0200 +Subject: [PATCH] Fix #73122: Integer Overflow when concatenating strings + +We must avoid integer overflows in memory allocations, so we introduce +an additional check in the VM, and bail out in the rare case of an +overflow. + +Closes GH-7381. +--- + NEWS | 1 + + Zend/zend_vm_def.h | 3 +++ + Zend/zend_vm_execute.h | 24 ++++++++++++++++++++++++ + 3 files changed, 28 insertions(+) + +#diff --git a/NEWS b/NEWS +#index 89a09e15b61b..f33242bcd7b3 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -6,6 +6,7 @@ PHP NEWS +# . Fixed bug #81302 (Stream position after stream filter removed). (cmb) +# . Fixed bug #81346 (Non-seekable streams don't update position after write). +# (cmb) +#+ . Fixed bug #73122 (Integer Overflow when concatenating strings). (cmb) +# +# - Opcache: +# . Fixed bug #81353 (segfault with preloading and statically bound closure). +--- a/Zend/zend_vm_def.h ++++ b/Zend/zend_vm_def.h +@@ -407,6 +407,9 @@ ZEND_VM_HANDLER(8, ZEND_CONCAT, CONST|TM + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +--- a/Zend/zend_vm_execute.h ++++ b/Zend/zend_vm_execute.h +@@ -8179,6 +8179,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -10562,6 +10565,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -14625,6 +14631,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -15353,6 +15362,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -16773,6 +16785,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -38899,6 +38914,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -41284,6 +41302,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); +@@ -47580,6 +47601,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST + !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) { + size_t len = ZSTR_LEN(op1_str); + ++ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) { ++ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation"); ++ } + str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0); + memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1); + ZVAL_NEW_STR(EX_VAR(opline->result.var), str); diff -Nru php8.0-8.0.8/debian/patches/CVE-2017-9118.patch php8.0-8.0.8/debian/patches/CVE-2017-9118.patch --- php8.0-8.0.8/debian/patches/CVE-2017-9118.patch 1970-01-01 00:00:00.000000000 +0000 +++ php8.0-8.0.8/debian/patches/CVE-2017-9118.patch 2022-03-03 14:50:38.000000000 +0000 @@ -0,0 +1,65 @@ +From 712fc54e856d3d8e80a7d074a2733bc6b3a27e90 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 29 Nov 2021 15:48:41 +0100 +Subject: [PATCH] Fix #74604: Out of bounds in php_pcre_replace_impl + +Trying to allocate a `zend_string` with a length only slighty smaller +than `SIZE_MAX` causes an integer overflow; we make sure that this +doesn't happen by catering to the maximal overhead of a `zend_string`. + +Closes GH-7597. +--- + NEWS | 3 +++ + Zend/zend_string.h | 3 ++- + ext/pcre/php_pcre.c | 6 +++--- + 3 files changed, 8 insertions(+), 4 deletions(-) + +#diff --git a/NEWS b/NEWS +#index 0b46c1ad5c7a..cfe36d928117 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -16,6 +16,9 @@ PHP NEWS +# - OpenSSL: +# . Fixed bug #75725 (./configure: detecting RAND_egd). (Dilyan Palauzov) +# +#+- PCRE: +#+ . Fixed bug #74604 (Out of bounds in php_pcre_replace_impl). (cmb, Dmitry) +#+ +# - Standard: +# . Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type). +# (fsbruva) +--- a/Zend/zend_string.h ++++ b/Zend/zend_string.h +@@ -83,7 +83,8 @@ END_EXTERN_C() + + #define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1) + +-#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1)) ++#define ZSTR_MAX_OVERHEAD (ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1)) ++#define ZSTR_MAX_LEN (SIZE_MAX - ZSTR_MAX_OVERHEAD) + + #define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \ + (str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \ +--- a/ext/pcre/php_pcre.c ++++ b/ext/pcre/php_pcre.c +@@ -1712,7 +1712,7 @@ matched: + } + + if (new_len >= alloc_len) { +- alloc_len = zend_safe_address_guarded(2, new_len, 0); ++ alloc_len = zend_safe_address_guarded(2, new_len, ZSTR_MAX_OVERHEAD) - ZSTR_MAX_OVERHEAD; + if (result == NULL) { + result = zend_string_alloc(alloc_len, 0); + } else { +@@ -1948,9 +1948,9 @@ matched: + pcre2_get_mark(match_data), flags); + + ZEND_ASSERT(eval_result); +- new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len); ++ new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result) + ZSTR_MAX_OVERHEAD, new_len) -ZSTR_MAX_OVERHEAD; + if (new_len >= alloc_len) { +- alloc_len = zend_safe_address_guarded(2, new_len, 0); ++ alloc_len = zend_safe_address_guarded(2, new_len, ZSTR_MAX_OVERHEAD) - ZSTR_MAX_OVERHEAD; + if (result == NULL) { + result = zend_string_alloc(alloc_len, 0); + } else { diff -Nru php8.0-8.0.8/debian/patches/CVE-2017-9118-pre1.patch php8.0-8.0.8/debian/patches/CVE-2017-9118-pre1.patch --- php8.0-8.0.8/debian/patches/CVE-2017-9118-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ php8.0-8.0.8/debian/patches/CVE-2017-9118-pre1.patch 2022-03-03 14:49:54.000000000 +0000 @@ -0,0 +1,51 @@ +From 760ff841a14160f25348f7969985cb8a2c4da3cc Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 21 Jul 2021 13:55:13 +0200 +Subject: [PATCH] Fix #74960: Heap buffer overflow via str_repeat + +Trying to allocate a `zend_string` with a length only slighty smaller +than `SIZE_MAX` causes an integer overflow, so callers may need to +check that explicitly. To make that easy in a portable way, we +introduce `ZSTR_MAX_LEN`. + +Closes GH-7294. +--- + NEWS | 1 + + Zend/zend_operators.c | 2 +- + Zend/zend_string.h | 2 ++ + 3 files changed, 4 insertions(+), 1 deletion(-) + +#diff --git a/NEWS b/NEWS +#index 40a01fb4b639..277411332e52 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -15,6 +15,7 @@ PHP NEWS +# . Fixed bug #72146 (Integer overflow on substr_replace). (cmb) +# . Fixed bug #81265 (getimagesize returns 0 for 256px ICO images). +# (George Dietrich) +#+ . Fixed bug #74960 (Heap buffer overflow via str_repeat). (cmb, Dmitry) +# +# 29 Jul 2021, PHP 7.4.22 +# +--- a/Zend/zend_operators.c ++++ b/Zend/zend_operators.c +@@ -1874,7 +1874,7 @@ ZEND_API zend_result ZEND_FASTCALL conca + size_t result_len = op1_len + op2_len; + zend_string *result_str; + +- if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) { ++ if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) { + zend_throw_error(NULL, "String size overflow"); + zval_ptr_dtor_str(&op1_copy); + zval_ptr_dtor_str(&op2_copy); +--- a/Zend/zend_string.h ++++ b/Zend/zend_string.h +@@ -83,6 +83,8 @@ END_EXTERN_C() + + #define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1) + ++#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1)) ++ + #define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \ + (str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \ + GC_SET_REFCOUNT(str, 1); \ diff -Nru php8.0-8.0.8/debian/patches/CVE-2017-9118-pre3.patch php8.0-8.0.8/debian/patches/CVE-2017-9118-pre3.patch --- php8.0-8.0.8/debian/patches/CVE-2017-9118-pre3.patch 1970-01-01 00:00:00.000000000 +0000 +++ php8.0-8.0.8/debian/patches/CVE-2017-9118-pre3.patch 2022-03-03 14:50:32.000000000 +0000 @@ -0,0 +1,117 @@ +From a6b43086e6799eedf02d36ccea103e2b10c1005a Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 12 Jul 2021 16:35:35 +0200 +Subject: [PATCH] Fix #81243: Too much memory is allocated for preg_replace() + +Trimming a potentially over-allocated string appears to be reasonable, +so we drop the condition altogether. + +We also re-allocate twice the size needed in the first place, and not +roughly tripple the size. + +Closes GH-7231. +--- + NEWS | 1 + + ext/pcre/php_pcre.c | 32 ++++++++++++++------------------ + ext/pcre/tests/bug81243.phpt | 21 +++++++++++++++++++++ + 3 files changed, 36 insertions(+), 18 deletions(-) + create mode 100644 ext/pcre/tests/bug81243.phpt + +#diff --git a/NEWS b/NEWS +#index 527d999a0512..6b93d651d105 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -25,6 +25,7 @@ PHP NEWS +# +# - PCRE: +# . Fixed bug #81101 (PCRE2 10.37 shows unexpected result). (Anatol) +#+ . Fixed bug #81243 (Too much memory is allocated for preg_replace()). (cmb) +# +# - Standard: +# . Fixed bug #81223 (flock() only locks first byte of file). (cmb) +--- a/ext/pcre/php_pcre.c ++++ b/ext/pcre/php_pcre.c +@@ -1712,7 +1712,7 @@ matched: + } + + if (new_len >= alloc_len) { +- alloc_len = zend_safe_address_guarded(2, new_len, alloc_len); ++ alloc_len = zend_safe_address_guarded(2, new_len, 0); + if (result == NULL) { + result = zend_string_alloc(alloc_len, 0); + } else { +@@ -1798,14 +1798,12 @@ not_matched: + result = zend_string_copy(subject_str); + break; + } +- new_len = result_len + subject_len - last_end_offset; +- if (new_len >= alloc_len) { +- alloc_len = new_len; /* now we know exactly how long it is */ +- if (NULL != result) { +- result = zend_string_realloc(result, alloc_len, 0); +- } else { +- result = zend_string_alloc(alloc_len, 0); +- } ++ /* now we know exactly how long it is */ ++ alloc_len = result_len + subject_len - last_end_offset; ++ if (NULL != result) { ++ result = zend_string_realloc(result, alloc_len, 0); ++ } else { ++ result = zend_string_alloc(alloc_len, 0); + } + /* stick that last bit of string on our output */ + memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset); +@@ -1952,7 +1950,7 @@ matched: + ZEND_ASSERT(eval_result); + new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len); + if (new_len >= alloc_len) { +- alloc_len = zend_safe_address_guarded(2, new_len, alloc_len); ++ alloc_len = zend_safe_address_guarded(2, new_len, 0); + if (result == NULL) { + result = zend_string_alloc(alloc_len, 0); + } else { +@@ -2009,14 +2007,12 @@ not_matched: + result = zend_string_copy(subject_str); + break; + } +- new_len = result_len + subject_len - last_end_offset; +- if (new_len >= alloc_len) { +- alloc_len = new_len; /* now we know exactly how long it is */ +- if (NULL != result) { +- result = zend_string_realloc(result, alloc_len, 0); +- } else { +- result = zend_string_alloc(alloc_len, 0); +- } ++ /* now we know exactly how long it is */ ++ alloc_len = result_len + subject_len - last_end_offset; ++ if (NULL != result) { ++ result = zend_string_realloc(result, alloc_len, 0); ++ } else { ++ result = zend_string_alloc(alloc_len, 0); + } + /* stick that last bit of string on our output */ + memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset); +--- /dev/null ++++ b/ext/pcre/tests/bug81243.phpt +@@ -0,0 +1,21 @@ ++--TEST-- ++Bug #81243 (Too much memory is allocated for preg_replace()) ++--FILE-- ++ ++--EXPECT-- ++bool(true) ++bool(true) diff -Nru php8.0-8.0.8/debian/patches/CVE-2017-9120.patch php8.0-8.0.8/debian/patches/CVE-2017-9120.patch --- php8.0-8.0.8/debian/patches/CVE-2017-9120.patch 1970-01-01 00:00:00.000000000 +0000 +++ php8.0-8.0.8/debian/patches/CVE-2017-9120.patch 2022-03-03 14:51:42.000000000 +0000 @@ -0,0 +1,39 @@ +From 5977610de1aa87630e40a299a2d90fb7cd00bf7c Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 9 Aug 2021 12:48:21 +0200 +Subject: [PATCH] Fix #74544: Integer overflow in mysqli_real_escape_string() + +The patch has been provided by @johannes. + +Closes GH-7353. +--- + NEWS | 4 ++++ + ext/mysqli/mysqli_api.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +#diff --git a/NEWS b/NEWS +#index 28341f26c94c..cb5132397221 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -18,6 +18,10 @@ PHP NEWS +# - GD: +# . Fixed bug #51498 (imagefilledellipse does not work for large circles). (cmb) +# +#+- MySQLi: +#+ . Fixed bug #74544 (Integer overflow in mysqli_real_escape_string()). (cmb, +#+ johannes) +#+ +# - OpenSSL: +# . Fixed bug #81327 (Error build openssl extension on php 7.4.22). (cmb) +# +--- a/ext/mysqli/mysqli_api.c ++++ b/ext/mysqli/mysqli_api.c +@@ -1894,7 +1894,7 @@ PHP_FUNCTION(mysqli_real_escape_string) + } + MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID); + +- newstr = zend_string_alloc(2 * escapestr_len, 0); ++ newstr = zend_string_safe_alloc(2, escapestr_len, 0, 0); + ZSTR_LEN(newstr) = mysql_real_escape_string_quote(mysql->mysql, ZSTR_VAL(newstr), escapestr, escapestr_len, '\''); + newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0); + diff -Nru php8.0-8.0.8/debian/patches/CVE-2021-21707.patch php8.0-8.0.8/debian/patches/CVE-2021-21707.patch --- php8.0-8.0.8/debian/patches/CVE-2021-21707.patch 1970-01-01 00:00:00.000000000 +0000 +++ php8.0-8.0.8/debian/patches/CVE-2021-21707.patch 2022-03-03 14:51:49.000000000 +0000 @@ -0,0 +1,118 @@ +From f15f8fc573eb38c3c73e23e0930063a6f6409ed4 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 1 Sep 2020 10:04:28 +0200 +Subject: [PATCH] Fix #79971: special character is breaking the path in xml + function + +The libxml based XML functions accepting a filename actually accept +URIs with possibly percent-encoded characters. Percent-encoded NUL +bytes lead to truncation, like non-encoded NUL bytes would. We catch +those, and let the functions fail with a respective warning. +--- + ext/dom/domimplementation.c | 5 +++++ + ext/dom/tests/bug79971_2.phpt | 20 ++++++++++++++++++++ + ext/libxml/libxml.c | 9 +++++++++ + ext/simplexml/tests/bug79971_1.phpt | 27 +++++++++++++++++++++++++++ + ext/simplexml/tests/bug79971_1.xml | 2 ++ + 5 files changed, 63 insertions(+) + create mode 100644 ext/dom/tests/bug79971_2.phpt + create mode 100644 ext/simplexml/tests/bug79971_1.phpt + create mode 100644 ext/simplexml/tests/bug79971_1.xml + +--- a/ext/dom/domimplementation.c ++++ b/ext/dom/domimplementation.c +@@ -78,6 +78,11 @@ PHP_METHOD(DOMImplementation, createDocu + pch2 = (xmlChar *) systemid; + } + ++ if (strstr(name, "%00")) { ++ php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes"); ++ RETURN_FALSE; ++ } ++ + uri = xmlParseURI(name); + if (uri != NULL && uri->opaque != NULL) { + localname = xmlStrdup((xmlChar *) uri->opaque); +--- /dev/null ++++ b/ext/dom/tests/bug79971_2.phpt +@@ -0,0 +1,20 @@ ++--TEST-- ++Bug #79971 (special character is breaking the path in xml function) ++--SKIPIF-- ++ ++--FILE-- ++createDocumentType("$uri%00foo")); ++?> ++--EXPECTF-- ++Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d ++bool(false) +--- a/ext/libxml/libxml.c ++++ b/ext/libxml/libxml.c +@@ -255,6 +255,10 @@ static void *php_libxml_streams_IO_open_ + int isescaped=0; + xmlURI *uri; + ++ if (strstr(filename, "%00")) { ++ php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes"); ++ return NULL; ++ } + + uri = xmlParseURI(filename); + if (uri && (uri->scheme == NULL || +@@ -434,6 +438,11 @@ php_libxml_output_buffer_create_filename + if (URI == NULL) + return(NULL); + ++ if (strstr(URI, "%00")) { ++ php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes"); ++ return NULL; ++ } ++ + puri = xmlParseURI(URI); + if (puri != NULL) { + if (puri->scheme != NULL) +--- /dev/null ++++ b/ext/simplexml/tests/bug79971_1.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #79971 (special character is breaking the path in xml function) ++--SKIPIF-- ++ ++--FILE-- ++asXML("$uri.out%00foo")); ++?> ++--EXPECTF-- ++Warning: simplexml_load_file(): URI must not contain percent-encoded NUL bytes in %s on line %d ++ ++Warning: simplexml_load_file(): I/O warning : failed to load external entity "%s/bug79971_1.xml%00foo" in %s on line %d ++bool(false) ++ ++Warning: SimpleXMLElement::asXML(): URI must not contain percent-encoded NUL bytes in %s on line %d ++bool(false) +--- /dev/null ++++ b/ext/simplexml/tests/bug79971_1.xml +@@ -0,0 +1,2 @@ ++ ++ diff -Nru php8.0-8.0.8/debian/patches/series php8.0-8.0.8/debian/patches/series --- php8.0-8.0.8/debian/patches/series 2022-02-24 15:02:53.000000000 +0000 +++ php8.0-8.0.8/debian/patches/series 2022-03-03 14:51:45.000000000 +0000 @@ -42,3 +42,9 @@ 0042-Don-t-close-the-credits-buffer-file-descriptor-too-e.patch CVE-2021-21703.patch CVE-2021-21708.patch +CVE-2017-8923.patch +CVE-2017-9118-pre1.patch +CVE-2017-9118-pre3.patch +CVE-2017-9118.patch +CVE-2017-9120.patch +CVE-2021-21707.patch