| Message ID | 20260118065038.326233-1-adongare@cisco.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | Anuj Mittal |
| Headers | show |
| Series | [meta-openembedded,scarthgap] php 8.2.29: CVE-2025-14177 | expand |
Though this patch works, alternatively you could also just upgrade php to 8.2.30, it also contains this fix (and other fixes also). On 1/18/26 07:50, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <adongare@cisco.com> > > Upstream Repository: https://github.com/php/php-src.git > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14177 > Type: Security Fix > CVE: CVE-2025-14177 > Score: 7.5 > Patch: https://github.com/php/php-src/commit/c5f28c7cf0a0 > > Signed-off-by: Anil Dongare <adongare@cisco.com> > --- > .../php/php/CVE-2025-14177.patch | 84 +++++++++++++++++++ > meta-oe/recipes-devtools/php/php_8.2.29.bb | 1 + > 2 files changed, 85 insertions(+) > create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch > > diff --git a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch > new file mode 100644 > index 0000000000..6b5ffe0029 > --- /dev/null > +++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch > @@ -0,0 +1,84 @@ > +From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001 > +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> > +Date: Tue, 25 Nov 2025 23:11:38 +0100 > +Subject: [PATCH] Fix GH-20584: Information Leak of Memory > + > +The string added had uninitialized memory due to > +php_read_stream_all_chunks() not moving the buffer position, resulting > +in the same data always being overwritten instead of new data being > +added to the end of the buffer. > + > +This is backport as there is a security impact as described in > +GHSA-3237-qqm7-mfv7 . > + > +CVE: CVE-2025-14177 > +Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0] > + > +(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc) > +Signed-off-by: Anil Dongare <adongare@cisco.com> > +--- > + ext/standard/image.c | 1 + > + ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++ > + 2 files changed, 40 insertions(+) > + create mode 100644 ext/standard/tests/image/gh20584.phpt > + > +diff --git a/ext/standard/image.c b/ext/standard/image.c > +index 2bd5429efac..15761364c34 100644 > +--- a/ext/standard/image.c > ++++ b/ext/standard/image.c > +@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_ > + if (read_now < stream->chunk_size && read_total != length) { > + return 0; > + } > ++ buffer += read_now; > + } while (read_total < length); > + > + return read_total; > +diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt > +new file mode 100644 > +index 00000000000..d117f218202 > +--- /dev/null > ++++ b/ext/standard/tests/image/gh20584.phpt > +@@ -0,0 +1,39 @@ > ++--TEST-- > ++GH-20584 (Information Leak of Memory) > ++--CREDITS-- > ++Nikita Sveshnikov (Positive Technologies) > ++--FILE-- > ++<?php > ++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter > ++$file = __DIR__ . '/gh20584.jpg'; > ++ > ++// Make APP1 large enough so it is read in multiple chunks > ++$chunk = 8192; > ++$tail = 123; > ++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z', > ++$tail); > ++$app1Len = 2 + strlen($payload); > ++ > ++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI > ++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) . > ++"\x01\x11\x00"; > ++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof . > ++"\xFF\xD9"; > ++file_put_contents($file, $jpeg); > ++ > ++// Read through a filter to enforce multiple reads > ++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file; > ++$info = null; > ++@getimagesize($src, $info); > ++$exp = $payload; > ++$ret = $info['APP1']; > ++ > ++var_dump($ret === $exp); > ++ > ++?> > ++--CLEAN-- > ++<?php > ++@unlink(__DIR__ . '/gh20584.jpg'); > ++?> > ++--EXPECT-- > ++bool(true) > +-- > +2.43.5 > + > diff --git a/meta-oe/recipes-devtools/php/php_8.2.29.bb b/meta-oe/recipes-devtools/php/php_8.2.29.bb > index 08cece1c17..015d83c291 100644 > --- a/meta-oe/recipes-devtools/php/php_8.2.29.bb > +++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb > @@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ > file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \ > file://0010-iconv-fix-detection.patch \ > file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \ > + file://CVE-2025-14177.patch \ > " > > SRC_URI:append:class-target = " \ > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#123569): https://lists.openembedded.org/g/openembedded-devel/message/123569 > Mute This Topic: https://lists.openembedded.org/mt/117326955/6084445 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch new file mode 100644 index 0000000000..6b5ffe0029 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch @@ -0,0 +1,84 @@ +From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Tue, 25 Nov 2025 23:11:38 +0100 +Subject: [PATCH] Fix GH-20584: Information Leak of Memory + +The string added had uninitialized memory due to +php_read_stream_all_chunks() not moving the buffer position, resulting +in the same data always being overwritten instead of new data being +added to the end of the buffer. + +This is backport as there is a security impact as described in +GHSA-3237-qqm7-mfv7 . + +CVE: CVE-2025-14177 +Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0] + +(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + ext/standard/image.c | 1 + + ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++ + 2 files changed, 40 insertions(+) + create mode 100644 ext/standard/tests/image/gh20584.phpt + +diff --git a/ext/standard/image.c b/ext/standard/image.c +index 2bd5429efac..15761364c34 100644 +--- a/ext/standard/image.c ++++ b/ext/standard/image.c +@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_ + if (read_now < stream->chunk_size && read_total != length) { + return 0; + } ++ buffer += read_now; + } while (read_total < length); + + return read_total; +diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt +new file mode 100644 +index 00000000000..d117f218202 +--- /dev/null ++++ b/ext/standard/tests/image/gh20584.phpt +@@ -0,0 +1,39 @@ ++--TEST-- ++GH-20584 (Information Leak of Memory) ++--CREDITS-- ++Nikita Sveshnikov (Positive Technologies) ++--FILE-- ++<?php ++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter ++$file = __DIR__ . '/gh20584.jpg'; ++ ++// Make APP1 large enough so it is read in multiple chunks ++$chunk = 8192; ++$tail = 123; ++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z', ++$tail); ++$app1Len = 2 + strlen($payload); ++ ++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI ++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) . ++"\x01\x11\x00"; ++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof . ++"\xFF\xD9"; ++file_put_contents($file, $jpeg); ++ ++// Read through a filter to enforce multiple reads ++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file; ++$info = null; ++@getimagesize($src, $info); ++$exp = $payload; ++$ret = $info['APP1']; ++ ++var_dump($ret === $exp); ++ ++?> ++--CLEAN-- ++<?php ++@unlink(__DIR__ . '/gh20584.jpg'); ++?> ++--EXPECT-- ++bool(true) +-- +2.43.5 + diff --git a/meta-oe/recipes-devtools/php/php_8.2.29.bb b/meta-oe/recipes-devtools/php/php_8.2.29.bb index 08cece1c17..015d83c291 100644 --- a/meta-oe/recipes-devtools/php/php_8.2.29.bb +++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb @@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \ file://0010-iconv-fix-detection.patch \ file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \ + file://CVE-2025-14177.patch \ " SRC_URI:append:class-target = " \