php 8.2.29: CVE-2025-14177

Upstream Repository: https://github.com/php/php-src.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14177 Type: Security Fix CVE: CVE-2025-14177 Score: 7.5 Patch: https://github.com/php/php-src/commit/c5f28c7cf0a0 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-27 12:01:38 +01:00 · 2026-01-17 22:50:37 -08:00 · 2026-01-17 22:50:37 -08:00 · 2759d8870e
commit 2759d8870e
parent 0feefa82c0
2 changed files with 85 additions and 0 deletions
--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
+++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
@ -0,0 +1,84 @@
 From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
 From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
 Date: Tue, 25 Nov 2025 23:11:38 +0100
 Subject: [PATCH] Fix GH-20584: Information Leak of Memory
 The string added had uninitialized memory due to
 php_read_stream_all_chunks() not moving the buffer position, resulting
 in the same data always being overwritten instead of new data being
 added to the end of the buffer.
 This is backport as there is a security impact as described in
 GHSA-3237-qqm7-mfv7 .
 CVE: CVE-2025-14177
 Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0]
 (cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
 Signed-off-by: Anil Dongare <adongare@cisco.com>
 ---
 ext/standard/image.c                  |  1 +
 ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 ext/standard/tests/image/gh20584.phpt
 diff --git a/ext/standard/image.c b/ext/standard/image.c
 index 2bd5429efac..15761364c34 100644
 --- a/ext/standard/image.c
 +++ b/ext/standard/image.c
@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
 		if (read_now < stream->chunk_size && read_total != length) {
 			return 0;
 		}
 +		buffer += read_now;
 	} while (read_total < length);
 	return read_total;
 diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
 new file mode 100644
 index 00000000000..d117f218202
 --- /dev/null
 +++ b/ext/standard/tests/image/gh20584.phpt
@@ -0,0 +1,39 @@
 +--TEST--
 +GH-20584 (Information Leak of Memory)
 +--CREDITS--
 +Nikita Sveshnikov (Positive Technologies)
 +--FILE--
 +<?php
 +// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
 +$file = __DIR__ . '/gh20584.jpg';
 +
 +// Make APP1 large enough so it is read in multiple chunks
 +$chunk = 8192;
 +$tail = 123;
 +$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
 +$tail);
 +$app1Len = 2 + strlen($payload);
 +
 +// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
 +$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
 +"\x01\x11\x00";
 +$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
 +"\xFF\xD9";
 +file_put_contents($file, $jpeg);
 +
 +// Read through a filter to enforce multiple reads
 +$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
 +$info = null;
 +@getimagesize($src, $info);
 +$exp = $payload;
 +$ret = $info['APP1'];
 +
 +var_dump($ret === $exp);
 +
 +?>
 +--CLEAN--
 +<?php
 +@unlink(__DIR__ . '/gh20584.jpg');
 +?>
 +--EXPECT--
 +bool(true)
 -- 
 2.43.5
--- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb
@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
           file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
           file://0010-iconv-fix-detection.patch \
           file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
           file://CVE-2025-14177.patch \
          "
 SRC_URI:append:class-target = " \