Re: [oe] [meta-openembedded] [scarthgap] [PATCH] php 8.2.29: CVE-2025-14177

Mon, 19 Jan 2026 00:21:48 -0800 

Though this patch works, alternatively you could also just upgrade php
to 8.2.30, it also contains this fix (and other fixes also).

On 1/18/26 07:50, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE
LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> Upstream Repository: https://github.com/php/php-src.git
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14177
> Type: Security Fix
> CVE: CVE-2025-14177
> Score: 7.5
> Patch: https://github.com/php/php-src/commit/c5f28c7cf0a0
>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
>  .../php/php/CVE-2025-14177.patch              | 84 +++++++++++++++++++
>  meta-oe/recipes-devtools/php/php_8.2.29.bb    |  1 +
>  2 files changed, 85 insertions(+)
>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
>
> diff --git a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch 
> b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
> new file mode 100644
> index 0000000000..6b5ffe0029
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
> @@ -0,0 +1,84 @@
> +From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
> +From: Niels Dossche <[email protected]>
> +Date: Tue, 25 Nov 2025 23:11:38 +0100
> +Subject: [PATCH] Fix GH-20584: Information Leak of Memory
> +
> +The string added had uninitialized memory due to
> +php_read_stream_all_chunks() not moving the buffer position, resulting
> +in the same data always being overwritten instead of new data being
> +added to the end of the buffer.
> +
> +This is backport as there is a security impact as described in
> +GHSA-3237-qqm7-mfv7 .
> +
> +CVE: CVE-2025-14177
> +Upstream-Status: Backport 
> [https://github.com/php/php-src/commit/c5f28c7cf0a0]
> +
> +(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
> +Signed-off-by: Anil Dongare <[email protected]>
> +---
> + ext/standard/image.c                  |  1 +
> + ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
> + 2 files changed, 40 insertions(+)
> + create mode 100644 ext/standard/tests/image/gh20584.phpt
> +
> +diff --git a/ext/standard/image.c b/ext/standard/image.c
> +index 2bd5429efac..15761364c34 100644
> +--- a/ext/standard/image.c
> ++++ b/ext/standard/image.c
> +@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream 
> *stream, char *buffer, size_
> +             if (read_now < stream->chunk_size && read_total != length) {
> +                     return 0;
> +             }
> ++            buffer += read_now;
> +     } while (read_total < length);
> + 
> +     return read_total;
> +diff --git a/ext/standard/tests/image/gh20584.phpt 
> b/ext/standard/tests/image/gh20584.phpt
> +new file mode 100644
> +index 00000000000..d117f218202
> +--- /dev/null
> ++++ b/ext/standard/tests/image/gh20584.phpt
> +@@ -0,0 +1,39 @@
> ++--TEST--
> ++GH-20584 (Information Leak of Memory)
> ++--CREDITS--
> ++Nikita Sveshnikov (Positive Technologies)
> ++--FILE--
> ++<?php
> ++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via 
> php://filter
> ++$file = __DIR__ . '/gh20584.jpg';
> ++
> ++// Make APP1 large enough so it is read in multiple chunks
> ++$chunk = 8192;
> ++$tail = 123;
> ++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . 
> str_repeat('Z',
> ++$tail);
> ++$app1Len = 2 + strlen($payload);
> ++
> ++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
> ++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
> ++"\x01\x11\x00";
> ++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
> ++"\xFF\xD9";
> ++file_put_contents($file, $jpeg);
> ++
> ++// Read through a filter to enforce multiple reads
> ++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
> ++$info = null;
> ++@getimagesize($src, $info);
> ++$exp = $payload;
> ++$ret = $info['APP1'];
> ++
> ++var_dump($ret === $exp);
> ++
> ++?>
> ++--CLEAN--
> ++<?php
> ++@unlink(__DIR__ . '/gh20584.jpg');
> ++?>
> ++--EXPECT--
> ++bool(true)
> +-- 
> +2.43.5
> +
> diff --git a/meta-oe/recipes-devtools/php/php_8.2.29.bb 
> b/meta-oe/recipes-devtools/php/php_8.2.29.bb
> index 08cece1c17..015d83c291 100644
> --- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
> +++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb
> @@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
>             file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
>             file://0010-iconv-fix-detection.patch \
>             
> file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
> +           file://CVE-2025-14177.patch \
>            "
>  
>  SRC_URI:append:class-target = " \
>
> 
>


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123594): 
https://lists.openembedded.org/g/openembedded-devel/message/123594
Mute This Topic: https://lists.openembedded.org/mt/117326955/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Gyorgy Sarvari via lists.openembedded.org

Reply via email to