php 8.2.29: CVE-2025-14177

Upstream Repository: https://github.com/php/php-src.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14177 Type: Security Fix CVE: CVE-2025-14177 Score: 7.5 Patch: https://github.com/php/php-src/commit/c5f28c7cf0a0 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-27 12:01:38 +01:00 · 2026-01-17 22:50:37 -08:00 · 2026-01-17 22:50:37 -08:00 · 2759d8870e
commit 2759d8870e
parent 0feefa82c0
2 changed files with 85 additions and 0 deletions
--- a/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
+++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14177.patch
@ -0,0 +1,84 @@
+From 7aac95c5280ea395ccfcd624cae7e87749ff6eeb Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Tue, 25 Nov 2025 23:11:38 +0100
+Subject: [PATCH] Fix GH-20584: Information Leak of Memory
+
+The string added had uninitialized memory due to
+php_read_stream_all_chunks() not moving the buffer position, resulting
+in the same data always being overwritten instead of new data being
+added to the end of the buffer.
+
+This is backport as there is a security impact as described in
+GHSA-3237-qqm7-mfv7 .
+
+CVE: CVE-2025-14177
+Upstream-Status: Backport [https://github.com/php/php-src/commit/c5f28c7cf0a0]
+
+(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ ext/standard/image.c                  |  1 +
+ ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+ create mode 100644 ext/standard/tests/image/gh20584.phpt
+
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index 2bd5429efac..15761364c34 100644
+--- a/ext/standard/image.c
+++ b/ext/standard/image.c
+@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
+ 		if (read_now < stream->chunk_size && read_total != length) {
+ 			return 0;
+ 		}
+		buffer += read_now;
+ 	} while (read_total < length);
+ 
+ 	return read_total;
+diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
+new file mode 100644
+index 00000000000..d117f218202
+--- /dev/null
+++ b/ext/standard/tests/image/gh20584.phpt
+@@ -0,0 +1,39 @@
+--TEST--
+GH-20584 (Information Leak of Memory)
+--CREDITS--
+Nikita Sveshnikov (Positive Technologies)
+--FILE--
+<?php
+// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
+$file = __DIR__ . '/gh20584.jpg';
+
+// Make APP1 large enough so it is read in multiple chunks
+$chunk = 8192;
+$tail = 123;
+$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
+$tail);
+$app1Len = 2 + strlen($payload);
+
+// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
+$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
+"\x01\x11\x00";
+$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
+"\xFF\xD9";
+file_put_contents($file, $jpeg);
+
+// Read through a filter to enforce multiple reads
+$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
+$info = null;
+@getimagesize($src, $info);
+$exp = $payload;
+$ret = $info['APP1'];
+
+var_dump($ret === $exp);
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/gh20584.jpg');
+?>
+--EXPECT--
+bool(true)
+-- 
+2.43.5
+
--- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb
@ -20,6 +20,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
           file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \
           file://0010-iconv-fix-detection.patch \
           file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
+           file://CVE-2025-14177.patch \
          "

 SRC_URI:append:class-target = " \