diff -Nru php7.2-7.2.24/debian/changelog php7.2-7.2.24/debian/changelog
--- php7.2-7.2.24/debian/changelog 2020-04-08 15:45:57.000000000 +0000
+++ php7.2-7.2.24/debian/changelog 2020-05-26 13:09:11.000000000 +0000
@@ -1,3 +1,21 @@
+php7.2 (7.2.24-0ubuntu0.18.04.6) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service through oversized memory allocated
+ - debian/patches/CVE-2019-11048.patch: changes types int to size_t
+ in main/rfc1867.c.
+ - CVE-2019-11048
+
+ -- Leonidas S. Barbosa Tue, 26 May 2020 10:09:11 -0300
+
+php7.2 (7.2.24-0ubuntu0.18.04.5) bionic; urgency=medium
+
+ * libapache2-mod-php.postinst.extra: Disable other mod-php
+ versions. Fixes failure when upgrading from previous versions of
+ mod-php.
+ (LP: #1865218)
+
+ -- Bryce Harrington Sat, 25 Apr 2020 02:40:59 +0000
+
 php7.2 (7.2.24-0ubuntu0.18.04.4) bionic-security; urgency=medium

 * SECURITY UDPATE: Null dereference pointer
diff -Nru php7.2-7.2.24/debian/libapache2-mod-php.postinst.extra php7.2-7.2.24/debian/libapache2-mod-php.postinst.extra
--- php7.2-7.2.24/debian/libapache2-mod-php.postinst.extra 2018-03-14 22:00:53.000000000 +0000
+++ php7.2-7.2.24/debian/libapache2-mod-php.postinst.extra 2020-04-25 02:40:59.000000000 +0000
@@ -13,9 +13,14 @@ fi PHP_MODULE=$(a2query -m | sed -n 's/^\(php[\.0-9]*\) (enabled.*)/\1/p') - if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then - apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: $PHP_MODULE module already enabled, not enabling PHP @PHP_VERSION@" - return 1 + if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then + local a2invoke_ret=0 + apache2_msg "info" "$DPKG_MAINTSCRIPT_PACKAGE: Disabling old $PHP_MODULE in favor of using PHP @PHP_VERSION@" + apache2_invoke dismod $PHP_MODULE || a2invoke_ret=1 + if [ "${a2invoke_ret}" -ne 0 ]; then + apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: (${a2invoke_ret}) failed to disable old $PHP_MODULE" + return 1 + fi fi mpm=$(a2query -M)
diff -Nru php7.2-7.2.24/debian/patches/CVE-2019-11048.patch php7.2-7.2.24/debian/patches/CVE-2019-11048.patch
--- php7.2-7.2.24/debian/patches/CVE-2019-11048.patch 1970-01-01 00:00:00.000000000 +0000
+++ php7.2-7.2.24/debian/patches/CVE-2019-11048.patch 2020-05-26 13:09:04.000000000 +0000
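Review bot: In debian/libapache2-mod-php.postinst.extra, `apache2_invoke dismod $PHP_MODULE || a2invoke_ret=1` throws away the real exit status, so the `(${a2invoke_ret})` in the error message can only ever print 1; `apache2_invoke dismod "$PHP_MODULE" || a2invoke_ret=$?` keeps the status and quotes the expansion. `PHP_MODULE` is whatever the sed filter over `a2query -m` prints, so it may hold more than one name if several php modules are enabled, and the unquoted form would then be word-split into extra arguments; that case probably needs a loop over the matches. Since this runs in a maintainer script and changes which PHP module Apache has enabled, a comment such as `# another mod-php is enabled: disable it so php@PHP_VERSION@ can be enabled` would document the intent. The enclosing function starts and ends outside the hunk.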
@@ -0,0 +1,36 @@
+From 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 18 Mar 2020 10:26:53 +0100
+Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
+ cleaned
+
+We must not cast `size_t` to `int` (unless the `size_t` value is
+guaranteed to be less than or equal to `INT_MAX`). In this case we can
+declare `array_len` as `size_t` in the first place.
+---
+ main/rfc1867.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index bd01b34cf070..783eab4175d5 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -692,7 +692,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *lbuf = NULL, *abuf = NULL;
+ zend_string *temp_filename = NULL;
+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++ size_t array_len = 0;
+ int64_t total_bytes = 0, max_file_size = 0;
+ int skip_upload = 0, anonindex = 0, is_anonymous;
+ HashTable *uploaded_files = NULL;
+@@ -1126,7 +1127,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
+
+ if (is_arr_upload) {
+- array_len = (int)strlen(start_arr);
++ array_len = strlen(start_arr);
+ if (array_index) {
+ efree(array_index);
+ }
diff -Nru php7.2-7.2.24/debian/patches/series php7.2-7.2.24/debian/patches/series
--- php7.2-7.2.24/debian/patches/series 2020-04-08 15:45:57.000000000 +0000
+++ php7.2-7.2.24/debian/patches/series 2020-05-26 13:09:04.000000000 +0000
@@ -56,3 +56,4 @@
 CVE-2020-7064.patch
 CVE-2020-7066.patch
 Fix_test_bug79282.patch
+CVE-2019-11048.patch
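Review bot: In debian/patches/CVE-2019-11048.patch, the first rfc1867.c hunk leaves `boundary_len` as `int` on the line `array_len` is moved off, so the rule stated in the patch description (no narrowing of `size_t` to `int`) is applied to only one of the length variables; if `boundary_len` is filled from `strlen()` or a pointer difference further down (not visible here), it deserves the same treatment. The uses of `array_len` lie outside both hunks, so any signed comparison or `int` parameter it feeds should be checked now that the type is unsigned. I would also document the declaration, e.g. `size_t array_len = 0; /* strlen() of the request-supplied "[...]" suffix; do not narrow to int */`. rfc1867_post_handler starts and ends outside the hunks.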