oss-sec mailing list archives
PHP security releases 8.1.28, 8.2.18, & 8.3.6
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 12 Apr 2024 12:04:54 -0700
https://news-web.php.net/php.announce/424 (dated April 11) states:
The PHP development team announces the immediate availability of PHP 8.3.6. This is a security release that addresses CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757. All PHP 8.3 users are encouraged to upgrade to this version.
https://news-web.php.net/php.announce/423 (dated April 11) states:
The PHP development team announces the immediate availability of PHP 8.2.18. This is a security release that addresses CVE-2024-1874, CVE-2024-2756 and CVE-2024-3096. All PHP 8.2 users are advised to upgrade to this version.
https://news-web.php.net/php.announce/425 (dated April 12) states:
The PHP development team announces the immediate availability of PHP 8.1.28. This is a security release that addresses CVE-2024-1874, CVE-2024-2756, and CVE-2024-3096. All PHP 8.1 users are encouraged to upgrade to this version.
https://www.php.net/ChangeLog-8.php gives these descriptions of the CVE fixes:
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)
Note that CVE-2024-2757 is only fixed in 8.3.6, while the other three are fixed in all three releases.

https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7 (CVE-2024-1874) reports:
Due to the improper handling of command line arguments on Windows, maliciously crafted arguments can inject arbitrary commands even if the bypass_shell option is enabled.

Details
-------
proc_open executes external commands passed via its arguments. The documentation of this function states the following:

    As of PHP 7.4.0, the command may be passed as an array of command parameters. In this case, the process will be opened directly (without going through a shell) and PHP will take care of any necessary argument escaping.

    bypass_shell (windows only): bypass cmd.exe shell when set to true

However, when executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe, resulting in command line arguments being parsed in cmd.exe despite the documentation explicitly stating it doesn't spawn the shell. While proc_open tries to escape the arguments, command prompts will not recognize \ as the escape character. So, the following command line argument will spawn calc.exe:

    test.bat "\"&calc.exe"
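A defensive wrapper for callers that cannot yet upgrade, written as an added example here (not code from the advisory or from php-src): it refuses batch-file targets on Windows, where the re-parsing by cmd.exe described above happens, and allowlists the argument shape so cmd.exe metacharacters never reach the command line. The function name and the argument pattern are this example's own choices.

```php
<?php
declare(strict_types=1);

/**
 * Run an external tool via proc_open's array form with untrusted arguments.
 * On Windows, CreateProcess hands .bat/.cmd files to cmd.exe, which re-parses the
 * arguments regardless of bypass_shell and of PHP's escaping (CVE-2024-1874), so
 * batch files and extension-less names (resolved through PATHEXT) are refused.
 */
function run_tool(string $executable, array $args): array
{
    if (PHP_OS_FAMILY === 'Windows') {
        $ext = strtolower(pathinfo($executable, PATHINFO_EXTENSION));
        if ($ext === '' || in_array($ext, ['bat', 'cmd'], true)) {
            throw new RuntimeException("refusing to run '$executable' with external input");
        }
    }
    // Allowlist: letters, digits, dot, underscore, colon, slashes and dash only.
    // Anything cmd.exe treats specially (& | < > ^ " % space) is rejected up front.
    foreach ($args as $a) {
        if (!is_string($a) || !preg_match('/\A[A-Za-z0-9._:\/\\\\-]+\z/', $a)) {
            throw new InvalidArgumentException('argument contains disallowed characters');
        }
    }
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc  = proc_open(array_merge([$executable], array_values($args)),
                       $spec, $pipes, null, null, ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed inputs: the second call carries the injection shape from the advisory
// and is rejected by the allowlist before proc_open is ever reached.
print_r(run_tool(PHP_BINARY, ['-r', 'echo(1);']) === null ? [] : ['ok']);
try {
    run_tool('test.bat', ['"&calc.exe']);
} catch (Throwable $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```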
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4 (CVE-2024-2756) reports:
Summary
-------
Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

Details
-------
The vulnerability is identical to one previously described in https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed by PHP applications as __Host-.
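An application-level check for the bypass described above, added here as an example (not code from the advisory or php-src): since $_COOKIE is populated after PHP normalises cookie names (which is how _[Host-sess ends up as __Host-sess), the raw Cookie header is consulted and the name compared byte for byte before a prefixed cookie is trusted. The function names and the sample headers are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Return the value of cookie $name only if the raw Cookie header carries exactly
 * that name. No name normalisation is applied, unlike the $_COOKIE superglobal.
 */
function raw_cookie(string $cookieHeader, string $name): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = ltrim($pair);
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue;
        }
        if (substr($pair, 0, $eq) === $name) {   // byte-exact match on the name
            return substr($pair, $eq + 1);
        }
    }
    return null;
}

/**
 * Read a __Host-/__Secure- cookie for the current request. Falls back to null when
 * the prefixed name is absent from the raw header, even if $_COOKIE has an entry.
 */
function prefixed_cookie(string $name): ?string
{
    if (!str_starts_with($name, '__Host-') && !str_starts_with($name, '__Secure-')) {
        throw new InvalidArgumentException('only for __Host-/__Secure- cookies');
    }
    $value = raw_cookie($_SERVER['HTTP_COOKIE'] ?? '', $name);
    if ($value === null && isset($_COOKIE[$name])) {
        // Worth logging: $_COOKIE claims the cookie exists but the header does not,
        // which is the signature of the CVE-2024-2756 name-mangling bypass.
        error_log("prefixed cookie '$name' present only after name normalisation");
    }
    return $value;
}

// Constructed headers: a genuine prefixed cookie and the bypass shape from the advisory.
$genuine = '__Host-sess=abc123; theme=dark';
$spoofed = '_[Host-sess=evil; theme=dark';

var_dump(raw_cookie($genuine, '__Host-sess'));   // the real cookie value
var_dump(raw_cookie($spoofed, '__Host-sess'));   // null: the prefix is not actually present
```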
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr (CVE-2024-3096) reports:
Summary
-------
If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string.
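Mitigation and detection for the password_verify issue above, as an added example (not code from the advisory or php-src): the hashing wrapper rejects NUL bytes before they reach bcrypt, and the scan flags stored hashes that already verify against the empty string so those accounts can be reset. Function names and the sample accounts are constructed for this example; the assumption that patched releases raise ValueError for NUL bytes is this example's, not the advisory's.

```php
<?php
declare(strict_types=1);

// bcrypt consumes the password as a C string, so on unpatched PHP a password that
// begins with "\0" hashes exactly like "" and password_verify('', $hash) succeeds.

/** Hash a password, refusing NUL bytes before they reach bcrypt. */
function hash_password(string $password): string
{
    if (str_contains($password, "\0")) {
        throw new ValueError('password must not contain NUL bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

/** A stored hash that verifies against "" came from "" or a NUL-prefixed password. */
function hash_accepts_blank(string $storedHash): bool
{
    return password_verify('', $storedHash);
}

/** Scan [userId => hash] and return the ids whose credentials need a forced reset. */
function find_blank_equivalent_hashes(array $hashesByUser): array
{
    $affected = [];
    foreach ($hashesByUser as $userId => $hash) {
        if (hash_accepts_blank($hash)) {
            $affected[] = $userId;
        }
    }
    return $affected;
}

// Constructed sample table. On a vulnerable release password_hash("\0secret") silently
// produces a hash of ""; a patched release is assumed to throw ValueError instead, in
// which case the hash of "" stands in for what the vulnerable release would have stored.
$sample = ['alice' => password_hash('correct horse battery', PASSWORD_BCRYPT)];
try {
    $sample['bob'] = password_hash("\0secret", PASSWORD_BCRYPT);
} catch (ValueError $e) {
    $sample['bob'] = password_hash('', PASSWORD_BCRYPT);
}

print_r(find_blank_equivalent_hashes($sample));   // accounts needing a forced reset

try {
    hash_password("\0secret");
} catch (ValueError $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```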
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq (CVE-2024-2757) reports:
Summary
-------
Certain inputs provided to mb_encode_mimeheader trigger an endless loop.

Details
-------
A discernible pattern has not yet been identified, but a specific string consistently reproduces the issue.

PoC
---
In PHP 8.3.3, execute:

    <?php
    mb_internal_encoding('UTF-8');
    mb_encode_mimeheader(",9868949,9868978,9869015,9689100,9869121,9869615,9870690,9867116,98558119861183. ", "utf-8", "B");

The mb_encode_mimeheader function seems to enter an infinite loop and fails to return.

Impact
------
Given that this function is integral to numerous email processing routines, including those handling potentially untrusted user inputs, this vulnerability could be exploited for denial-of-service attacks. For instance, CakePHP 5 relies on this function to encode email subjects. https://github.com/cakephp/cakephp/blob/5.x/src/Mailer/Message.php#L815
-- 
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris