Merge pull request #22 from php/PHP-8.3.14-security

PHP 8.3.14 - security fixes

Author: ericmann

.github/actions/configure-macos/action.yml

@@ -9,6 +9,7 @@ runs:
     - shell: bash
       run: |
         set -x
+        BREW_OPT="$(brew --prefix)"/opt
         export PATH="/usr/local/opt/bison/bin:$PATH"
         export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:/usr/local/opt/[email protected]/lib/pkgconfig"
         export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:/usr/local/opt/curl/lib/pkgconfig"
@@ -18,6 +19,7 @@ runs:
         export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:/usr/local/opt/libxslt/lib/pkgconfig"
         export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:/usr/local/opt/zlib/lib/pkgconfig"
         export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:/usr/local/opt/icu4c/lib/pkgconfig"
+        sed -i -e 's/Requires.private:.*//g' "$BREW_OPT/curl/lib/pkgconfig/libcurl.pc"
         ./buildconf --force
         ./configure \
           CFLAGS="-Wno-strict-prototypes -Wno-unused-but-set-variable -Wno-single-bit-bitfield-constant-conversion" \

.github/workflows/labeler.yml

@@ -7,6 +7,7 @@ permissions:
 
 jobs:
   triage:
+    if: github.repository == 'php/php-src'
     permissions:
       pull-requests: write
     runs-on: ubuntu-latest

NEWS

@@ -1,10 +1,12 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? ????, PHP 8.3.14
+21 Now 2024, PHP 8.3.14
 
-- Cli:
+- CLI:
   . Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server
     started through shebang). (ilutov)
+  . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
+    Processing in CLI SAPI Interface). (nielsdos)
 
 - COM:
   . Fixed out of bound writes to SafeArray data. (cmb)
@@ -79,10 +81,18 @@ PHP                                                                        NEWS
   . Fixed segfaults and other issues related to operator overloading with
     GMP objects. (Girgias)
 
+- LDAP:
+  . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
+    (nielsdos)
+
 - MBstring:
   . Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
     (David Carlier)
 
+- MySQLnd:
+  . Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through
+    heap buffer over-read). (CVE-2024-8929) (Jakub Zelenka)
+
 - Opcache:
   . Fixed bug GH-16408 (Array to string conversion warning emitted in
     optimizer). (ilutov)
@@ -95,7 +105,15 @@ PHP                                                                        NEWS
   . Fix various memory leaks on error conditions in openssl_x509_parse().
     (nielsdos)
 
-- PDO_ODBC:
+- PDO DBLIB:
+  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
+    OOB writes). (CVE-2024-11236) (nielsdos)
+
+- PDO Firebird:
+  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
+    causing OOB writes). (CVE-2024-11236) (nielsdos)
+
+- PDO ODBC:
   . Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)
 
 - Phar:
@@ -141,6 +159,12 @@ PHP                                                                        NEWS
   . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
     bail enabled). (ilutov)
 
+- Streams:
+  . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
+    might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
+  . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
+    convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
+
 - SysVMsg:
   . Fixed bug GH-16592 (msg_send() crashes when a type does not properly
     serialized). (David Carlier / cmb)

ext/intl/tests/bug62070_3.phpt

@@ -4,6 +4,7 @@ Bug #62070: Collator::getSortKey() returns garbage
 intl
 --SKIPIF--
 <?php if (version_compare(INTL_ICU_VERSION, '62.1') < 0) die('skip for ICU >= 62.1'); ?>
+<?php if (version_compare(INTL_ICU_VERSION, '76.1') >=  0) die('skip for ICU < 76.1'); ?>
 --FILE--
 <?php
 $s1 = 'Hello';

ext/intl/tests/bug62070_icu76_1.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #62070: Collator::getSortKey() returns garbage
+--EXTENSIONS--
+intl
+--SKIPIF--
+<?php if (version_compare(INTL_ICU_VERSION, '76.1') < 0) die('skip for ICU >= 76.1'); ?>
+--FILE--
+<?php
+$s1 = 'Hello';
+
+$coll = collator_create('en_US');
+$res = collator_get_sort_key($coll, $s1);
+
+echo urlencode($res);
+?>
+--EXPECT--
+93AAG%01%09%01%DC%08

ext/intl/tests/collator_get_sort_key_variant7.phpt

@@ -4,6 +4,7 @@ collator_get_sort_key() icu >= 62.1
 intl
 --SKIPIF--
 <?php if (version_compare(INTL_ICU_VERSION, '62.1') < 0) die('skip for ICU >= 62.1'); ?>
+<?php if (version_compare(INTL_ICU_VERSION, '76.1') >=  0) die('skip for ICU < 76.1'); ?>
 --FILE--
 <?php
 

ext/intl/tests/collator_get_sort_key_variant_icu76_1.phpt

@@ -0,0 +1,97 @@
+--TEST--
+collator_get_sort_key() icu >= 62.1
+--EXTENSIONS--
+intl
+--SKIPIF--
+<?php if (version_compare(INTL_ICU_VERSION, '76.1') < 0) die('skip for ICU >= 76.1'); ?>
+--FILE--
+<?php
+
+/*
+ * Get sort keys using various locales
+ */
+function sort_arrays( $locale, $data )
+{
+    $res_str = '';
+
+    $coll = ut_coll_create( $locale );
+
+    foreach($data as $value) {
+        $res_val = ut_coll_get_sort_key( $coll, $value );
+        $res_str .= "source: ".$value."\n".
+                    "key: ".bin2hex($res_val)."\n";
+    }
+
+    return $res_str;
+}
+
+
+function ut_main()
+{
+    $res_str = '';
+
+    // Regular strings keys
+    $test_params = array(
+        'abc', 'abd', 'aaa',
+        'аа', 'а', 'z',
+        '', '3',
+        'y'  , 'i'  , 'k'
+    );
+
+    $res_str .= sort_arrays( 'en_US', $test_params );
+
+    // Sort a non-ASCII array using ru_RU locale.
+    $test_params = array(
+        'абг', 'абв', 'жжж', 'эюя'
+    );
+
+    $res_str .= sort_arrays( 'ru_RU', $test_params );
+
+    // Sort an array using Lithuanian locale.
+    $res_str .= sort_arrays( 'lt_LT', $test_params );
+
+    return $res_str . "\n";
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECT--
+source: abc
+key: 2b2d2f01070107
+source: abd
+key: 2b2d3101070107
+source: aaa
+key: 2b2b2b01070107
+source: аа
+key: 62060601060106
+source: а
+key: 620601050105
+source: z
+key: 5d01050105
+source: 
+key: 0101
+source: 3
+key: 1801050105
+source: y
+key: 5b01050105
+source: i
+key: 3b01050105
+source: k
+key: 3f01050105
+source: абг
+key: 28060c1001070107
+source: абв
+key: 28060c0e01070107
+source: жжж
+key: 282c2c2c01070107
+source: эюя
+key: 28eef0f401070107
+source: абг
+key: 62060c1001070107
+source: абв
+key: 62060c0e01070107
+source: жжж
+key: 622c2c2c01070107
+source: эюя
+key: 62eef0f401070107

ext/intl/tests/locale_get_display_name8.phpt

@@ -317,14 +317,14 @@ disp_locale=fr :  display_name=anglais #États-Unis, attribute=islamcal#
 disp_locale=de :  display_name=Englisch #Vereinigte Staaten, attribute=islamcal#
 -----------------
 locale='zh-CN-a-myExt-x-private'
-disp_locale=en :  display_name=Chinese #China, a=myext, Private-Use=private#
-disp_locale=fr :  display_name=chinois #Chine, a=myext, usage privé=private#
-disp_locale=de :  display_name=Chinesisch #China, a=myext, Privatnutzung=private#
+disp_locale=en :  display_name=Chinese #China(, A_MYEXT_X_PRIVATE)?, a=myext, Private-Use=private#
+disp_locale=fr :  display_name=chinois #Chine(, A_MYEXT_X_PRIVATE)?, a=myext, usage privé=private#
+disp_locale=de :  display_name=Chinesisch #China(, A_MYEXT_X_PRIVATE)?, a=myext, Privatnutzung=private#
 -----------------
 locale='en-a-myExt-b-another'
-disp_locale=en :  display_name=English #a=myext, b=another#
-disp_locale=fr :  display_name=anglais #a=myext, b=another#
-disp_locale=de :  display_name=Englisch #a=myext, b=another#
+disp_locale=en :  display_name=English #(A_MYEXT_B_ANOTHER, )?a=myext, b=another#
+disp_locale=fr :  display_name=anglais #(A_MYEXT_B_ANOTHER, )?a=myext, b=another#
+disp_locale=de :  display_name=Englisch #(A_MYEXT_B_ANOTHER, )?a=myext, b=another#
 -----------------
 locale='de-419-DE'
 disp_locale=en :  display_name=German #Latin America, DE#
@@ -337,7 +337,7 @@ disp_locale=fr :  display_name=a #Allemagne#
 disp_locale=de :  display_name=a #Deutschland#
 -----------------
 locale='ar-a-aaa-b-bbb-a-ccc'
-disp_locale=en :  display_name=Arabic #a=aaa, b=bbb#
-disp_locale=fr :  display_name=arabe #a=aaa, b=bbb#
-disp_locale=de :  display_name=Arabisch #a=aaa, b=bbb#
+disp_locale=en :  display_name=Arabic #(A_AAA_B_BBB_A_CCC, )?a=aaa, b=bbb#
+disp_locale=fr :  display_name=arabe #(A_AAA_B_BBB_A_CCC, )?a=aaa, b=bbb#
+disp_locale=de :  display_name=Arabisch #(A_AAA_B_BBB_A_CCC, )?a=aaa, b=bbb#
 -----------------

ext/intl/tests/locale_get_display_variant2.phpt

@@ -248,14 +248,14 @@ disp_locale=fr :  display_variant=
 disp_locale=de :  display_variant=
 -----------------
 locale='zh-CN-a-myExt-x-private'
-disp_locale=en :  display_variant=
-disp_locale=fr :  display_variant=
-disp_locale=de :  display_variant=
+disp_locale=en :  display_variant=(A_MYEXT_X_PRIVATE)?
+disp_locale=fr :  display_variant=(A_MYEXT_X_PRIVATE)?
+disp_locale=de :  display_variant=(A_MYEXT_X_PRIVATE)?
 -----------------
 locale='en-a-myExt-b-another'
-disp_locale=en :  display_variant=(MYEXT_B_ANOTHER)?
-disp_locale=fr :  display_variant=(MYEXT_B_ANOTHER)?
-disp_locale=de :  display_variant=(MYEXT_B_ANOTHER)?
+disp_locale=en :  display_variant=((A_)?MYEXT_B_ANOTHER)?
+disp_locale=fr :  display_variant=((A_)?MYEXT_B_ANOTHER)?
+disp_locale=de :  display_variant=((A_)?MYEXT_B_ANOTHER)?
 -----------------
 locale='de-419-DE'
 disp_locale=en :  display_variant=DE
@@ -268,7 +268,7 @@ disp_locale=fr :  display_variant=
 disp_locale=de :  display_variant=
 -----------------
 locale='ar-a-aaa-b-bbb-a-ccc'
-disp_locale=en :  display_variant=(AAA_B_BBB_A_CCC)?
-disp_locale=fr :  display_variant=(AAA_B_BBB_A_CCC)?
-disp_locale=de :  display_variant=(AAA_B_BBB_A_CCC)?
+disp_locale=en :  display_variant=((A_)?AAA_B_BBB_A_CCC)?
+disp_locale=fr :  display_variant=((A_)?AAA_B_BBB_A_CCC)?
+disp_locale=de :  display_variant=((A_)?AAA_B_BBB_A_CCC)?
 -----------------

ext/intl/tests/timezone_IDforWindowsID_basic2.phpt

@@ -4,6 +4,7 @@ IntlTimeZone::getIDForWindowsID basic test
 intl
 --SKIPIF--
 <?php if (version_compare(INTL_ICU_VERSION, '58.1') < 0) die('skip for ICU >= 58.1'); ?>
+<?php if (version_compare(INTL_ICU_VERSION, '76.1') >= 0) die('skip for ICU <= 76.1'); ?>
 --FILE--
 <?php
 

ext/intl/tests/timezone_IDforWindowsID_basic_icu76_1.phpt

@@ -0,0 +1,44 @@
+--TEST--
+IntlTimeZone::getIDForWindowsID basic test
+--EXTENSIONS--
+intl
+--SKIPIF--
+<?php if (version_compare(INTL_ICU_VERSION, '76.1') < 0) die('skip for ICU >= 76.1'); ?>
+--FILE--
+<?php
+
+$tzs = array(
+  'Gnomeregan' => array(NULL),
+  'India Standard Time' => array(NULL),
+  'Pacific Standard Time' => array('001', 'CA', 'MX', 'US', 'ZZ'),
+  'Romance Standard Time' => array('001', 'BE', 'DK', 'ES', 'FR'),
+);
+
+foreach ($tzs as $tz => $regions) {
+  echo "** $tz\n";
+  foreach ($regions as $region) {
+    var_dump(IntlTimeZone::getIDForWindowsID($tz, $region));
+    if (intl_get_error_code() != U_ZERO_ERROR) {
+      echo "Error: ", intl_get_error_message(), "\n";
+    }
+  }
+}
+?>
+--EXPECTF--
+** Gnomeregan
+bool(false)
+Error: %snknown windows timezone: U_ILLEGAL_ARGUMENT_ERROR
+** India Standard Time
+string(13) "Asia/Calcutta"
+** Pacific Standard Time
+string(19) "America/Los_Angeles"
+string(17) "America/Vancouver"
+string(19) "America/Los_Angeles"
+string(19) "America/Los_Angeles"
+string(19) "America/Los_Angeles"
+** Romance Standard Time
+string(12) "Europe/Paris"
+string(15) "Europe/Brussels"
+string(17) "Europe/Copenhagen"
+string(13) "Europe/Madrid"
+string(12) "Europe/Paris"

ext/ldap/ldap.c

@@ -3775,13 +3775,23 @@ static zend_string* php_ldap_do_escape(const bool *map, const char *value, size_
 	zend_string *ret;
 
 	for (i = 0; i < valuelen; i++) {
-		len += (map[(unsigned char) value[i]]) ? 3 : 1;
+		size_t addend = (map[(unsigned char) value[i]]) ? 3 : 1;
+		if (len > ZSTR_MAX_LEN - addend) {
+			return NULL;
+		}
+		len += addend;
 	}
 	/* Per RFC 4514, a leading and trailing space must be escaped */
 	if ((flags & PHP_LDAP_ESCAPE_DN) && (value[0] == ' ')) {
+		if (len > ZSTR_MAX_LEN - 2) {
+			return NULL;
+		}
 		len += 2;
 	}
 	if ((flags & PHP_LDAP_ESCAPE_DN) && ((valuelen > 1) && (value[valuelen - 1] == ' '))) {
+		if (len > ZSTR_MAX_LEN - 2) {
+			return NULL;
+		}
 		len += 2;
 	}
 
@@ -3848,7 +3858,13 @@ PHP_FUNCTION(ldap_escape)
 		php_ldap_escape_map_set_chars(map, ignores, ignoreslen, 0);
 	}
 
-	RETURN_NEW_STR(php_ldap_do_escape(map, value, valuelen, flags));
+	zend_string *result = php_ldap_do_escape(map, value, valuelen, flags);
+	if (UNEXPECTED(!result)) {
+		zend_argument_value_error(1, "is too long");
+		RETURN_THROWS();
+	}
+
+	RETURN_NEW_STR(result);
 }
 
 #ifdef STR_TRANSLATION