From: Anil Dongare <[email protected]> Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14177 Type: Security Fix CVE: CVE-2025-14177 Score: 7.5 Patch: https://github.com/php/php-src/commit/c5f28c7cf0a0 Signed-off-by: Anil Dongare <[email protected]> --- .../php/php/CVE-2025-14177.patch | 84 +++++++++++++++++++ meta-oe/recipes-devtools/php/php_8.2.29.bb | 1 + 2 files changed, 85 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch diff --git a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch new file mode 100644 index 0000000000..6b5ffe0029 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch @@ -0,0 +1,84 @@ +From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001 +From: Niels Dossche <[email protected]> +Date: Tue, 25 Nov 2025 23:11:38 +0100 +Subject: [PATCH] Fix GH-20584: Information Leak of Memory + +The string added had uninitialized memory due to +php_read_stream_all_chunks() not moving the buffer position, resulting +in the same data always being overwritten instead of new data being +added to the end of the buffer. + +This is backport as there is a security impact as described in +GHSA-3237-qqm7-mfv7 . + +CVE: CVE-2025-14177 +Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0] + +(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc) +Signed-off-by: Anil Dongare <[email protected]> +--- + ext/standard/image.c | 1 + + ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++ + 2 files changed, 40 insertions(+) + create mode 100644 ext/standard/tests/image/gh20584.phpt + +diff --git a/ext/standard/image.c b/ext/standard/image.c +index 2bd5429efac..15761364c34 100644 +--- a/ext/standard/image.c ++++ b/ext/standard/image.c +@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_ + if (read_now < stream->chunk_size && read_total != length) { + return 0; + } ++ buffer += read_now; + } while (read_total < length); + + return read_total; +diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt +new file mode 100644 +index 00000000000..d117f218202 +--- /dev/null ++++ b/ext/standard/tests/image/gh20584.phpt +@@ -0,0 +1,39 @@ ++--TEST-- ++GH-20584 (Information Leak of Memory) ++--CREDITS-- ++Nikita Sveshnikov (Positive Technologies) ++--FILE-- ++<?php ++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter ++$file = __DIR__ . '/gh20584.jpg'; ++ ++// Make APP1 large enough so it is read in multiple chunks ++$chunk = 8192; ++$tail = 123; ++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z', ++$tail); ++$app1Len = 2 + strlen($payload); ++ ++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI ++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) . ++"\x01\x11\x00"; ++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof . ++"\xFF\xD9"; ++file_put_contents($file, $jpeg); ++ ++// Read through a filter to enforce multiple reads ++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file; ++$info = null; ++@getimagesize($src, $info); ++$exp = $payload; ++$ret = $info['APP1']; ++ ++var_dump($ret === $exp); ++ ++?> ++--CLEAN-- ++<?php ++@unlink(__DIR__ . '/gh20584.jpg'); ++?> ++--EXPECT-- ++bool(true) +-- +2.43.5 + diff --git a/meta-oe/recipes-devtools/php/php_8.2.29.bb b/meta-oe/recipes-devtools/php/php_8.2.29.bb index 08cece1c17..015d83c291 100644 --- a/meta-oe/recipes-devtools/php/php_8.2.29.bb +++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb @@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \ file://0010-iconv-fix-detection.patch \ file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \ + file://CVE-2025-14177.patch \ " SRC_URI:append:class-target = " \ -- 2.44.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123569): https://lists.openembedded.org/g/openembedded-devel/message/123569 Mute This Topic: https://lists.openembedded.org/mt/117326955/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
