!225 [sync] PR-224: fix CVE-2024-8929

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-11-28 02:38:37 +00:00 · 2024-11-28 02:38:37 +00:00 · fe198cc6bf
commit fe198cc6bf
parent 5c2d720ef2 104bb80c54
2 changed files with 2292 additions and 6 deletions
--- a/php-cve-2024-8929.patch
+++ b/php-cve-2024-8929.patch
--- a/php.spec
+++ b/php.spec
@ -26,7 +26,7 @@

 Name:          php
 Version:       %{upver}
-Release:       7
+Release:       8
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP-3.01 AND Zend-2.0 AND BSD-2-Clause AND MIT AND Apache-1.0 AND NCSA AND BSL-1.0
 URL:           http://www.php.net/
@ -68,6 +68,7 @@ Patch17:       php-cve-2024-11234.patch
 Patch18:       php-cve-2024-8932.patch
 Patch19:       php-cve-2024-11233.patch
 Patch20:       php-ghsa-4w77-75f9-2c8w.patch
+Patch21:       php-cve-2024-8929.patch

 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -491,11 +492,7 @@ scripting language and therefore develop “system code” more productively.
 For PHP, FFI opens a way to write PHP extensions and bindings to C libraries
 in pure PHP.

-%package help
-Summary: help
-
-%description help
-help
+%package_help

 %prep
 %autosetup -n php-%{upver} -p1
@ -1095,6 +1092,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :


 %changelog
+* Thu Nov 28 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-8
+- Fix Leak partial content of the heap through heap buffer over-read
+  CVE-2024-8929
+
 * Sat Nov 23 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-7
 - Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface
  GHSA-4w77-75f9-2c8w