diff -Nru php8.1-8.1.2/debian/changelog php8.1-8.1.2/debian/changelog
--- php8.1-8.1.2/debian/changelog 2023-08-18 11:41:11.000000000 +0000
+++ php8.1-8.1.2/debian/changelog 2024-05-01 10:10:07.000000000 +0000
@@ -1,3 +1,38 @@
+php8.1 (8.1.2-1ubuntu2.17) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: Heap buffer-overflow
+ - debian/patches/CVE-2022-4900.patch: prevent potential buffer
+ overflow for large valye of php_cli_server_workers_max in
+ sapi/cli/php_cli_server.c.
+ - CVE-2022-4900
+ * SECURITY UPDATE: Cookie by pass
+ - debian/patches/CVE-2024-2756.patch: adds more mangling rules
+ in main/php_variable.c.
+ - CVE-2024-2756
+ * SECURITY UPDATE: Account take over risk
+ - debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
+ password in ext/standard/password.c,
+ ext/standard/tests/password_bcrypt_errors.phpt.
+ - CVE-2024-3096
+
+ -- Leonidas Da Silva Barbosa Wed, 01 May 2024 07:10:07 -0300
+
+php8.1 (8.1.2-1ubuntu2.16) jammy; urgency=medium
+
+ * d/p/fix-segfault-in-fpm_status_export_to_zval.patch: fix
+ segmentation fault in fpm_status_export_to_zval. (LP: #2057576)
+
+ -- Athos Ribeiro Wed, 10 Apr 2024 08:54:30 -0300
+
+php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium
+
+ * d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from
+ dangling pointer on attribute observer. (LP: #2054621)
+ * d/p/fix-attribute-instantion-memory-overflow-recovery.patch: Fix sigsegv
+ during memory overflow recovery on attribute observer.
+
+ -- Brian Morton Fri, 23 Feb 2024 12:26:53 -0500
+
 php8.1 (8.1.2-1ubuntu2.14) jammy-security; urgency=medium
 
 * SECURITY UPDATE: Disclosure sensitive information
diff -Nru php8.1-8.1.2/debian/patches/CVE-2022-4900.patch php8.1-8.1.2/debian/patches/CVE-2022-4900.patch
--- php8.1-8.1.2/debian/patches/CVE-2022-4900.patch 1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/CVE-2022-4900.patch 2024-05-01 10:09:37.000000000 +0000
@@ -0,0 +1,56 @@
+From 789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 Mon Sep 17 00:00:00 2001
+From: guoyiyuan
+Date: Wed, 13 Jul 2022 20:55:51 +0800
+Subject: [PATCH] Prevent potential buffer overflow for large value of
+ php_cli_server_workers_max
+
+Fixes #8989.
+Closes #9000.
+---
+ NEWS | 4 ++++
+ sapi/cli/php_cli_server.c | 10 +++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+Index: php8.1-8.1.2/NEWS
+===================================================================
+--- php8.1-8.1.2.orig/NEWS
++++ php8.1-8.1.2/NEWS
+@@ -2,6 +2,10 @@ PHP
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 20 Jan 2022, PHP 8.1.2
+
++- CLI:
++ . Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS
++ environment variable. (yiyuaner)
++
+ - Core:
+ . Fixed bug #81216 (Nullsafe operator leaks dynamic property name). (Dmitry)
+ . Fixed bug #81684 (Using null coalesce assignment with $GLOBALS["x"] produces
+Index: php8.1-8.1.2/sapi/cli/php_cli_server.c
+===================================================================
+--- php8.1-8.1.2.orig/sapi/cli/php_cli_server.c
++++ php8.1-8.1.2/sapi/cli/php_cli_server.c
+@@ -2296,7 +2296,7 @@ static void php_cli_server_dtor(php_cli_
+ !WIFSIGNALED(php_cli_server_worker_status));
+ }
+
+- free(php_cli_server_workers);
++ pefree(php_cli_server_workers, 1);
+ }
+ #endif
+ } /* }}} */
+@@ -2382,12 +2382,8 @@ static void php_cli_server_startup_worke
+ if (php_cli_server_workers_max > 1) {
+ zend_long php_cli_server_worker;
+
+- php_cli_server_workers = calloc(
+- php_cli_server_workers_max, sizeof(pid_t));
+- if (!php_cli_server_workers) {
+- php_cli_server_workers_max = 1;
+- return;
+- }
++ php_cli_server_workers = pecalloc(
++ php_cli_server_workers_max, sizeof(pid_t), 1);
+
+ php_cli_server_master = getpid();
+
diff -Nru php8.1-8.1.2/debian/patches/CVE-2024-2756.patch php8.1-8.1.2/debian/patches/CVE-2024-2756.patch
--- php8.1-8.1.2/debian/patches/CVE-2024-2756.patch
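Review bot: Nothing visible in the `php_cli_server_startup_workers` hunk bounds `php_cli_server_workers_max` before it reaches `pecalloc(php_cli_server_workers_max, sizeof(pid_t), 1)`, and the old fallback to a single worker on allocation failure is removed, so an oversized count now ends startup in the persistent allocator's failure path instead of degrading. That is the safe direction, but the place where the value is read from the PHP_CLI_SERVER_WORKERS environment variable (named in the NEWS entry) lies outside the hunk, so confirm there that negative or absurdly large counts are rejected. A comment above the call would record the intent, for example `/* persistent pecalloc: size multiply is overflow-checked and failure is fatal, so no single-worker fallback */` (my reading of the Zend allocator, worth verifying against this tree). The matching `free` to `pefree(php_cli_server_workers, 1)` change in `php_cli_server_dtor` keeps allocator and deallocator paired; both functions start and end outside their hunks.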
1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/CVE-2024-2756.patch 2024-05-01 10:09:45.000000000 +0000
@@ -0,0 +1,157 @@
+From 093c08af25fb323efa0c8e6154aa9fdeae3d3b53 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sun, 17 Mar 2024 21:04:47 +0100
+Subject: [PATCH] Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due
+ to partial CVE-2022-31629 fix
+
+The check happened too early as later code paths may perform more
+mangling rules. Move the check downwards right before adding the actual
+variable.
+---
+ ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt | 63 +++++++++++++++++++++
+ main/php_variables.c | 41 +++++++++-----
+ 2 files changed, 90 insertions(+), 14 deletions(-)
+ create mode 100644 ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+
+#diff --git a/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+#new file mode 100644
+#index 0000000000000..77fcb68089488
+#--- /dev/null
+#+++ b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+#@@ -0,0 +1,63 @@
+#+--TEST--
+#+ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix)
+#+--COOKIE--
+#+..Host-test=ignore_1;
+#+._Host-test=ignore_2;
+#+.[Host-test=ignore_3;
+#+_.Host-test=ignore_4;
+#+__Host-test=ignore_5;
+#+_[Host-test=ignore_6;
+#+[.Host-test=ignore_7;
+#+[_Host-test=ignore_8;
+#+[[Host-test=ignore_9;
+#+..Host-test[]=ignore_10;
+#+._Host-test[]=ignore_11;
+#+.[Host-test[]=ignore_12;
+#+_.Host-test[]=ignore_13;
+#+__Host-test[]=legitimate_14;
+#+_[Host-test[]=legitimate_15;
+#+[.Host-test[]=ignore_16;
+#+[_Host-test[]=ignore_17;
+#+[[Host-test[]=ignore_18;
+#+..Secure-test=ignore_1;
+#+._Secure-test=ignore_2;
+#+.[Secure-test=ignore_3;
+#+_.Secure-test=ignore_4;
+#+__Secure-test=ignore_5;
+#+_[Secure-test=ignore_6;
+#+[.Secure-test=ignore_7;
+#+[_Secure-test=ignore_8;
+#+[[Secure-test=ignore_9;
+#+..Secure-test[]=ignore_10;
+#+._Secure-test[]=ignore_11;
+#+.[Secure-test[]=ignore_12;
+#+_.Secure-test[]=ignore_13;
+#+__Secure-test[]=legitimate_14;
+#+_[Secure-test[]=legitimate_15;
+#+[.Secure-test[]=ignore_16;
+#+[_Secure-test[]=ignore_17;
+#+[[Secure-test[]=ignore_18;
+#+--FILE--
+#+
+#+--EXPECT--
+#+array(3) {
+#+ ["__Host-test"]=>
+#+ array(1) {
+#+ [0]=>
+#+ string(13) "legitimate_14"
+#+ }
+#+ ["_"]=>
+#+ array(2) {
+#+ ["Host-test["]=>
+#+ string(13) "legitimate_15"
+#+ ["Secure-test["]=>
+#+ string(13) "legitimate_15"
+#+ }
+#+ ["__Secure-test"]=>
+#+ array(1) {
+#+ [0]=>
+#+ string(13) "legitimate_14"
+#+ }
+#+}
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 17e4a1e5d2cf1..da7266416a54d 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -54,6 +54,21 @@ static zend_always_inline void php_register_variable_quick(const char *name, siz
+ zend_string_release_ex(key, 0);
+ }
+
++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++static bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
++{
++ if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
++ return true;
++ }
++
++ if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++ return true;
++ }
++
++ return false;
++}
++
+ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *track_vars_array)
+ {
+ char *p = NULL;
+@@ -104,20 +119,6 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ }
+ var_len = p - var;
+
+- /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+- if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+- /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+- if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+ if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ zval_ptr_dtor_nogc(val);
+ free_alloca(var_orig, use_heap);
+@@ -221,6 +222,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ return;
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
+ if (!gpc_element_p) {
+ zval tmp;
+@@ -258,6 +265,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ zval_ptr_dtor_nogc(val);
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ zend_ulong idx;
+
+ /*
diff -Nru php8.1-8.1.2/debian/patches/CVE-2024-3096.patch php8.1-8.1.2/debian/patches/CVE-2024-3096.patch
--- php8.1-8.1.2/debian/patches/CVE-2024-3096.patch 1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/CVE-2024-3096.patch 2024-05-01 10:09:51.000000000 +0000
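Review bot: The regression test `ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt` is carried only as `#`-prefixed lines, so it is not applied and the package build never exercises the `__Host-`/`__Secure-` cases, even though the patch's diffstat still lists the file. If the test was disabled on purpose, the patch header should say why; otherwise restoring the hunk keeps the relocated check in `php_register_variable_ex` covered. In `php_is_forbidden_variable_name` only the mangled name is length-checked, so a comment such as `/* pre_mangled_name must be NUL-terminated; only mangled_name carries an explicit length */` would make the `strncmp` assumption explicit. The changelog entry names `main/php_variable.c`, while the file patched here is `main/php_variables.c`.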
@@ -0,0 +1,47 @@
+From 0ba5229a3f7572846e91c8f5382e87785f543826 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka
+Date: Fri, 29 Mar 2024 15:27:59 +0000
+Subject: [PATCH] Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously
+ return true
+
+Disallow null character in bcrypt password
+---
+ ext/standard/password.c | 5 +++++
+ ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/ext/standard/password.c b/ext/standard/password.c
+index 651cffc9fe656..fbe58da603053 100644
+--- a/ext/standard/password.c
++++ b/ext/standard/password.c
+@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
+ zval *zcost;
+ zend_long cost = PHP_PASSWORD_BCRYPT_COST;
+
++ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
++ zend_value_error("Bcrypt password must not contain null character");
++ return NULL;
++ }
++
+ if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
+ cost = zval_get_long(zcost);
+ }
+diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
+index 10c3483f5a80d..5d823cba0217d 100644
+--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
+@@ -14,7 +14,14 @@ try {
+ } catch (ValueError $exception) {
+ echo $exception->getMessage() . "\n";
+ }
++
++try {
++ var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
+ ?>
+ --EXPECT--
+ Invalid bcrypt cost parameter specified: 3
+ Invalid bcrypt cost parameter specified: 32
++Bcrypt password must not contain null character
diff -Nru php8.1-8.1.2/debian/patches/fix-attribute-instantion-dangling-pointer.patch php8.1-8.1.2/debian/patches/fix-attribute-instantion-dangling-pointer.patch
--- php8.1-8.1.2/debian/patches/fix-attribute-instantion-dangling-pointer.patch 1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/fix-attribute-instantion-dangling-pointer.patch 2024-04-10 11:42:27.000000000 +0000
@@ -0,0 +1,115 @@
+From 2f6a06ccb0ef78e6122bb9e67f9b8b1ad07776e1 Mon Sep 17 00:00:00 2001
+From: Benjamin Eberlei
+Date: Wed, 5 Jan 2022 11:09:25 +0100
+Subject: [PATCH] Fix #81430: Attribute instantiation leaves dangling pointer
+
+By switching attribute constructor stackframe to be called via
+trampoline the stack allocation is not causing dangling pointers
+in the zend_observer API anymore.
+
+Co-Authored-By: Florian Sowade
+Co-Authored-By: Christopher Becker
+Co-Authored-By: Dmitry Stogov
+
+Closes GH-7885.
+
+Bug: https://github.com/php/php-src/pull/7885
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621
+Origin: backport, https://github.com/php/php-src/commit/2f6a06ccb0ef78e6122bb9e67f9b8b1ad07776e1
+Last-Update: 2022-02-23
+---
+ ext/reflection/php_reflection.c | 1 +
+ ext/zend_test/tests/observer_bug81430_1.phpt | 31 ++++++++++++++++++
+ ext/zend_test/tests/observer_bug81430_2.phpt | 33 ++++++++++++++++++++
+ 4 files changed, 69 insertions(+)
+ create mode 100644 ext/zend_test/tests/observer_bug81430_1.phpt
+ create mode 100644 ext/zend_test/tests/observer_bug81430_2.phpt
+
+diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
+index f9b888f1c166b..61df70c4ec8a4 100644
+--- a/ext/reflection/php_reflection.c
++++ b/ext/reflection/php_reflection.c
+@@ -6315,6 +6315,7 @@ static int call_attribute_constructor(
+ dummy_func.type = ZEND_USER_FUNCTION;
+ dummy_func.common.fn_flags =
+ attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
++ dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
+ dummy_func.op_array.filename = filename;
+
+ dummy_opline.opcode = ZEND_DO_FCALL;
+diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt
+new file mode 100644
+index 0000000000000..cac53ef70cbbb
+--- /dev/null
++++ b/ext/zend_test/tests/observer_bug81430_1.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #81430 (Attribute instantiation frame accessing invalid frame pointer)
++--EXTENSIONS--
++zend_test
++--INI--
++memory_limit=20M
++zend_test.observer.enabled=1
++zend_test.observer.observe_all=1
++--FILE--
++getAttributes(A::class)[0], 'newInstance']);
++?>
++--EXPECTF--
++
++
++
++
++
++
+diff --git a/ext/zend_test/tests/observer_bug81430_2.phpt b/ext/zend_test/tests/observer_bug81430_2.phpt
+new file mode 100644
+index 0000000000000..4d56248a80f34
+--- /dev/null
++++ b/ext/zend_test/tests/observer_bug81430_2.phpt
+@@ -0,0 +1,33 @@
++--TEST--
++Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
++--EXTENSIONS--
++zend_test
++--INI--
++memory_limit=20M
++zend_test.observer.enabled=1
++zend_test.observer.observe_all=1
++--FILE--
++getAttributes(A::class)[0], 'newInstance']);
++?>
++--EXPECTF--
++
++
++
++
++
++Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d
++
++
diff -Nru php8.1-8.1.2/debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch php8.1-8.1.2/debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch
--- php8.1-8.1.2/debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch 1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch 2024-04-10 11:42:27.000000000 +0000
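Review bot: The provenance header of this patch does not match its content: the diffstat says `4 files changed` but lists three files, and `Last-Update: 2022-02-23` predates the 2024 changelog entry that introduces the patch (possibly a typo for 2024). The same drift shows in the next two patches: fix-attribute-instantion-memory-overflow-recovery.patch has a `From` hash (7e6558ed…) that differs from the commit in its `Origin:` URL (f7c3f6e7…), and fix-segfault-in-fpm_status_export_to_zval.patch lists NEWS in its diffstat without carrying a NEWS hunk. The three CVE patches carry no `Origin:` or `Bug:` fields at all. Refreshing these headers keeps each backport traceable to the upstream commit it claims to come from. On the code side, the added line `dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;` deserves a comment such as `/* mark the dummy frame as a trampoline call, see upstream bug #81430 */`; `call_attribute_constructor` starts and ends outside the hunk.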
@@ -0,0 +1,88 @@
+From 7e6558edf1570ebf09390624feb06747385f0224 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov
+Date: Wed, 12 Jan 2022 12:08:59 +0300
+Subject: [PATCH] Fix ext/zend_test/tests/observer_bug81430_2.phpt failure
+
+Bug: https://github.com/php/php-src/pull/7885
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621
+Origin: backport, https://github.com/php/php-src/commit/f7c3f6e7e25471da9cfb2ba082a77cc3c85bc6ed
+Last-Update: 2022-02-23
+---
+ ext/reflection/php_reflection.c | 48 ++++++++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 19 deletions(-)
+
+diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
+index a1c97ae9ec037..b344943bf2288 100644
+--- a/ext/reflection/php_reflection.c
++++ b/ext/reflection/php_reflection.c
+@@ -6522,9 +6522,7 @@ static int call_attribute_constructor(
+ zval *args, uint32_t argc, HashTable *named_params, zend_string *filename)
+ {
+ zend_function *ctor = ce->constructor;
+- zend_execute_data *prev_execute_data, dummy_frame;
+- zend_function dummy_func;
+- zend_op dummy_opline;
++ zend_execute_data *call = NULL;
+ ZEND_ASSERT(ctor != NULL);
+
+ if (!(ctor->common.fn_flags & ZEND_ACC_PUBLIC)) {
+@@ -6535,31 +6533,43 @@ static int call_attribute_constructor(
+ if (filename) {
+ /* Set up dummy call frame that makes it look like the attribute was invoked
+ * from where it occurs in the code. */
+- memset(&dummy_frame, 0, sizeof(zend_execute_data));
+- memset(&dummy_func, 0, sizeof(zend_function));
+- memset(&dummy_opline, 0, sizeof(zend_op));
++ zend_function dummy_func;
++ zend_op *opline;
+
+- prev_execute_data = EG(current_execute_data);
+- dummy_frame.prev_execute_data = prev_execute_data;
+- dummy_frame.func = &dummy_func;
+- dummy_frame.opline = &dummy_opline;
++ memset(&dummy_func, 0, sizeof(zend_function));
+
+- dummy_func.type = ZEND_USER_FUNCTION;
+- dummy_func.common.fn_flags =
++ call = zend_vm_stack_push_call_frame_ex(
++ ZEND_MM_ALIGNED_SIZE_EX(sizeof(zend_execute_data), sizeof(zval)) +
++ ZEND_MM_ALIGNED_SIZE_EX(sizeof(zend_op), sizeof(zval)) +
++ ZEND_MM_ALIGNED_SIZE_EX(sizeof(zend_function), sizeof(zval)),
++ 0, &dummy_func, 0, NULL);
++
++ opline = (zend_op*)(call + 1);
++ memset(opline, 0, sizeof(zend_op));
++ opline->opcode = ZEND_DO_FCALL;
++ opline->lineno = attr->lineno;
++
++ call->opline = opline;
++ call->call = NULL;
++ call->return_value = NULL;
++ call->func = (zend_function*)(call->opline + 1);
++ call->prev_execute_data = EG(current_execute_data);
++
++ memset(call->func, 0, sizeof(zend_function));
++ call->func->type = ZEND_USER_FUNCTION;
++ call->func->op_array.fn_flags =
+ attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
+- dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
+- dummy_func.op_array.filename = filename;
+-
+- dummy_opline.opcode = ZEND_DO_FCALL;
+- dummy_opline.lineno = attr->lineno;
++ call->func->op_array.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
++ call->func->op_array.filename = filename;
+
+- EG(current_execute_data) = &dummy_frame;
++ EG(current_execute_data) = call;
+ }
+
+ zend_call_known_function(ctor, obj, obj->ce, NULL, argc, args, named_params);
+
+ if (filename) {
+- EG(current_execute_data) = prev_execute_data;
++ EG(current_execute_data) = call->prev_execute_data;
++ zend_vm_stack_free_call_frame(call);
+ }
+
+ if (EG(exception)) {
diff -Nru php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch
--- php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch 1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch 2024-04-10 11:54:30.000000000 +0000
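Review bot: The new frame setup in `call_attribute_constructor` relies on a memory layout that is not documented anywhere in the hunk: `zend_vm_stack_push_call_frame_ex` is asked for the sum of three aligned sizes, and the code then places the `zend_op` at `call + 1` and the `zend_function` at `call->opline + 1`. That fits as long as each aligned size is at least the raw struct size, but a reader has to work it out, and the stack-local `dummy_func` passed to the push call is replaced by `call->func` a few lines later without explanation. I would add a comment before the push describing the layout (frame, then opline, then function, all inside one VM-stack allocation) and stating that `dummy_func` is only a placeholder argument. The frame is released only on the normal return path through `zend_vm_stack_free_call_frame(call)`; whether a bailout inside `zend_call_known_function` unwinds the VM stack elsewhere cannot be seen from this hunk and should be confirmed. The function begins and ends outside the hunks.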
@@ -0,0 +1,27 @@
+From df259f88daaf7df5673fd78a0a1b76a1d831d0a2 Mon Sep 17 00:00:00 2001
+From: Patrick Prasse
+Date: Fri, 17 Nov 2023 16:32:23 +0000
+Subject: [PATCH] Fix bug GH-12705: Segmentation fault in fpm_status_export_to_zval
+
+Closes GH-12706
+
+Bug: https://github.com/php/php-src/issues/12705
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/2057576
+Last-update: 2024-04-10
+Origin: upstream, https://github.com/php/php-src/commit/df259f88daaf7df5673fd78a0a1b76a1d831d0a2
+---
+ NEWS | 4 ++++
+ sapi/fpm/fpm/fpm_status.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sapi/fpm/fpm/fpm_status.c
++++ b/sapi/fpm/fpm/fpm_status.c
+@@ -55,7 +55,7 @@
+
+ scoreboard_p = fpm_scoreboard_acquire(NULL, 1);
+ if (!scoreboard_p) {
+- zlog(ZLOG_NOTICE, "[pool %s] status: scoreboard already in use.", scoreboard_p->pool);
++ zlog(ZLOG_NOTICE, "[pool (unknown)] status: scoreboard already in use.");
+ return -1;
+ }
+
diff -Nru php8.1-8.1.2/debian/patches/series php8.1-8.1.2/debian/patches/series
--- php8.1-8.1.2/debian/patches/series 2023-08-18 11:41:05.000000000 +0000
+++ php8.1-8.1.2/debian/patches/series 2024-05-01 10:09:51.000000000 +0000
@@ -68,3 +68,9 @@
 CVE-2023-3247-2.patch
 CVE-2023-3823.patch
 CVE-2023-3824.patch
+fix-attribute-instantion-dangling-pointer.patch
+fix-attribute-instantion-memory-overflow-recovery.patch
+fix-segfault-in-fpm_status_export_to_zval.patch
+CVE-2022-4900.patch
+CVE-2024-2756.patch
+CVE-2024-3096.patch