Commit e77f582d5a7 for php.net
commit e77f582d5a7b7ba8374c255fb6e2c4adbf13c7c2
Merge: 56ee76f8204 5f5245c8a42
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed May 6 13:47:39 2026 +0200
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
[skip ci] Add NEWS entries for 8.2.31 security issues
diff --cc NEWS
index eb0336f6293,2dc9802e223..c4c7f989638
--- a/NEWS
+++ b/NEWS
@@@ -43,274 -5,37 +43,305 @@@ PH
- Curl:
. Add support for brotli and zstd on Windows. (Shivam Mathur)
+- DOM:
- . Fixed bug GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns
- declarations after setAttributeNS()). (David Carlier)
++ . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits
++ duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
++ (David Carlier)
+ . Fixed bug GH-21688 (segmentation fault on empty HTMLDocument).
+ (David Carlier)
- . Upgrade to lexbor v2.7.0. (ndossche, ilutov)
++ . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
++ (ndossche, ilutov)
+ . Fixed bug GH-21544 (Dom\XMLDocument::C14N*( drops namespace declarations
+ on DOM-built documents). (David Carlier, ndossche)
+
+ - FPM:
+ . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
+ (Jakub Zelenka)
+
+- Iconv:
+ . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
+
+ - MBString:
+ . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
+ php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
+ (vi3tL0u1s)
++ . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
++ (CVE-2026-6104) (ilutov)
++
+- Opcache:
+ . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
+ zend_jit_use_reg). (Arnaud)
+ . Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
+ . Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
+ . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)
- OpenSSL:
- . Fix compatibility issues with OpenSSL 4.0. (jordikroon, Remi)
+ . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
+ - PDO_Firebird:
+ . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
+ (CVE-2025-14179) (SakiTakamachi)
+
+- Phar:
+ . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
+ . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when
+ SCRIPT_NAME is absent from SAPI environment). (iliaal)
+ . Fix memory leak in Phar::offsetGet(). (iliaal)
+ . Fix memory leak in phar_add_file(). (iliaal)
+ . Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from
+ phar_stream_close). (iliaal)
+ . Fix memory leak in phar_verify_signature() when md_ctx is invalid.
+ (JarneClauw)
+
+- Random:
+ . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
+ accepts all-zero state). (iliaal)
+
+- Session:
+ . Fixed memory leak when session GC callback return a refcounted value.
+ (jorgsowa)
+
+ - SOAP:
+ . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache
+ Map). (CVE-2026-6722) (ilutov)
+ . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
+ SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
+ . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
+ (CVE-2026-7262) (ilutov)
+
+- SPL:
+ . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
+ free). (Girgias)
+ . Fix concurrent iteration and deletion issues in SplObjectStorage.
+ (ndossche)
+
+ - Standard:
+ . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
+ (CVE-2026-7568) (TimWolla)
+ . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
+ functions). (CVE-2026-7258) (ilutov)
+
-15 Jan 2026, PHP 8.3.30
+- Streams:
+ . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL
+ and a proxy set). (ndossche)
+
+- XSL:
+ . Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)
+
+- Zip:
+ . Fixed bug GH-21698 (memory leak with ZipArchive::addGlob()
+ early return statements). (David Carlier)
+
+09 Apr 2026, PHP 8.4.20
+
+- Bz2:
+ . Fix truncation of total output size causing erroneous errors. (ndossche)
+
+- Core:
+ . Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in
+ get_property_ptr_ptr for lazy proxies). (iliaal)
+
+- DOM:
+ . Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and
+ xml:lang attributes). (ndossche)
+
+- FFI:
+ . Fixed resource leak in FFI::cdef() onsymbol resolution failure.
+ (David Carlier)
+
+- GD:
+ . Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support).
+ (David Carlier)
+
+- Opcache:
+ . Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results).
+ (Dmitry, iliaal)
+ . Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with
+ IS_UNDEF property in polymorphic context). (Dmitry, iliaal)
+ . Fixed bug GH-21395 (uaf in jit). (ndossche)
+
+- OpenSSL:
+ . Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based
+ keys). (iliaal)
+ . Fix missing error propagation for BIO_printf() calls. (ndossche)
+
+- PCRE:
+ . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl,
+ php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier)
+
+- PGSQL:
+ . Fixed preprocessor silently guarding PGSQL_SUPPRESS_TIMESTAMPS support
+ due to a typo. (KentarouTakeda)
+
+- SNMP:
+ . Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with
+ NULL arguments). (David Carlier)
+
+- SOAP:
+ . Fixed Set-Cookie parsing bug wrong offset while scanning attributes.
+ (David Carlier)
+
+- SPL:
+ . Fixed bug GH-21454 (missing write lock validation in SplHeap).
+ (ndossche)
+
+- Standard:
+ . Fixed bug GH-20906 (Assertion failure when messing up output buffers).
+ (ndossche)
+ . Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).
+ (y-guyon)
+
+- Sysvshm:
+ . Fix memory leak in shm_get_var() when variable is corrupted. (ndossche)
+
+- XSL:
+ . Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with
+ Dom\XMLDocument). (ndossche)
+ . Fixed bug GH-21496 (UAF in dom_objects_free_storage).
+ (David Carlier/ndossche)
+
+12 Mar 2026, PHP 8.4.19
+
+- Core:
+ . Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). (Arnaud)
+ . Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered
+ by setRawValueWithoutLazyInitialization() and newLazyGhost()). (Arnaud)
+ . Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when
+ accessing properties on Reflection LazyProxy via isset()). (Arnaud)
+ . Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked
+ property backing value). (ilutov)
+ . Fixed bug GH-21215 (Build fails with -std=). (Arnaud)
+ . Fixed bug GH-13674 (Build system installs libtool wrappers when using
+ slibtool). (Michael Orlitzky)
+
+- Curl:
+ . Fixed bug GH-21023 (CURLOPT_XFERINFOFUNCTION crash with a null callback).
+ (David Carlier)
+ . Don't truncate length. (ndossche)
+
+- Date:
+ . Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start).
+ (ndossche)
+ . Fix timezone offset with seconds losing precision. (ndossche)
+
+- DOM:
+ . Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError).
+ (ndossche)
+ . Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError).
+ (ndossche)
+
+- MBString:
+ . Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge
+ list of candidate encodings (with 200,000+ entries). (Jordi Kroon)
+
+- Opcache:
+ . Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris).
+ (Petr Sumbera)
+ . Fixed bug GH-21227 (Borked SCCP of array containing partial object).
+ (ilutov)
+ . Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached
+ script). (ilutov)
+
+- OpenSSL:
+ . Fix a bunch of leaks and error propagation. (ndossche)
+
+- PCNTL:
+ . Fixed pcntl_setns() internal errors handling regarding errnos.
+ (David Carlier/ndossche)
+ . Fixed cpuset leak in pcntl_setcpuaffinity on out-of-range CPU ID
+ on NetBSD/Solaris platforms. (David Carlier)
+ . Fixed pcntl_signal() signal table registering the callback first
+ OS-wise before the internal list. (David Carlier)
+ . Fixed pcntl_signal_dispatch() stale pointer and exception
+ handling. (David Carlier)
+
+- PCRE:
+ . Fixed preg_match memory leak with invalid regexes. (David Carlier)
+ . Fixed pcre2_code leak when pcre2_pattern_info() fails after a
+ successful pcre2_compile(), and match_sets/match_data/marks leaks
+ in php_pcre_match_impl(). (David Carlier)
+
+- PDO_PGSQL:
+ . Fixed bug GH-21055 (connection attribute status typo for GSS negotiation).
+ (lsaos)
+
+- PGSQL:
+ . Fixed bug GH-21162 (pg_connect() memory leak on error).
+ (David Carlier)
+
+- Sockets:
+ . Fixed bug GH-21161 (socket_set_option() crash with array 'addr'
+ entry as null). (David Carlier)
+ . Fixed possible addr length overflow with socket_connect() and AF_UNIX
+ family sockets. (David Carlier)
+
+- Windows:
+ . Fixed compilation with clang (missing intrin.h include). (Kévin Dunglas)
+
+12 Feb 2026, PHP 8.4.18
+
+- Core:
+ . Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown
+ function triggered by bailout in php_output_lock_error()). (timwolla)
+ . Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). (ilutov)
+ . Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). (ilutov)
+ . Fixed bug GH-GH-20914 (Internal enums can be cloned and compared). (Arnaud)
+ . Fix OSS-Fuzz #474613951 (Leaked parent property default value). (ilutov)
+ . Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). (Bob)
+ . Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked
+ backing value). (ilutov)
+ . Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may
+ uaf). (ilutov)
+ . Fixed bug GH-20905 (Lazy proxy bailing __clone assertion). (ilutov)
+ . Fixed bug GH-20479 (Hooked object properties overflow). (ndossche)
+
+- Date:
+ . Update timelib to 2022.16. (Derick)
+
+- DOM:
+ . Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts).
+ (lexborisov)
+
+- MbString:
+ . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is
+ invalid in the encoding). (ndossche)
+ . Fixed bug GH-20836 (Stack overflow in mb_convert_variables with
+ recursive array references). (alexandre-daubois)
+
+- Opcache:
+ . Fixed bug GH-20818 (Segfault in Tracing JIT with object reference).
+ (khasinski)
+
+- OpenSSL:
+ . Fix memory leaks when sk_X509_new_null() fails. (ndossche)
+ . Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
+ (ndossche)
+ . Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails.
+ (ndossche)
+
+- Phar:
+ . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
+ (ndossche)
+
+- PGSQL:
+ . Fixed INSERT/UPDATE queries building with PQescapeIdentifier() and possible
+ UB. (David Carlier)
+
+- Readline:
+ . Fixed bug GH-18139 (Memory leak when overriding some settings
+ via readline_info()). (ndossche)
+
+- SPL:
+ . Fixed bug GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator
+ when modifying during iteration). (ndossche)
+
+- Standard:
+ . Fixed bug #74357 (lchown fails to change ownership of symlink with ZTS)
+ (Jakub Zelenka)
+ . Fixed bug GH-20843 (var_dump() crash with nested objects)
+ (David Carlier)
+
+15 Jan 2026, PHP 8.4.17
- Core:
. Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature