PHP security releases 8.1.28, 8.2.18, & 8.3.6

Related Vulnerabilities: CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757, CVE-2022-31629
oss-sec mailing list archives
From: Alan Coopersmith <alan.coopersmith () oracle com>

Date: Fri, 12 Apr 2024 12:04:54 -0700

https://news-web.php.net/php.announce/424 (dated April 11) states:
The PHP development team announces the immediate availability of PHP 8.3.6.
This is a security release that addresses CVE-2024-1874,
CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.

All PHP 8.3 users are encouraged to upgrade to this version.

https://news-web.php.net/php.announce/423 (dated April 11) states:
The PHP development team announces the immediate availability of PHP
8.2.18. This is a security release that addresses CVE-2024-1874,
CVE-2024-2756 and CVE-2024-3096.

All PHP 8.2 users are advised to upgrade to this version.

https://news-web.php.net/php.announce/425 (dated April 12) states:
The PHP development team announces the immediate availability of PHP
8.1.28. This is a security release that addresses CVE-2024-1874,
CVE-2024-2756, and CVE-2024-3096.

All PHP 8.1 users are encouraged to upgrade to this version.

https://www.php.net/ChangeLog-8.php gives these descriptions of the CVE fixes:
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)

Note that CVE-2024-2757 is only fixed in 8.3.6, while the other three
are fixed in all three releases.

https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
(CVE-2024-1874) reports:
Due to the improper handling of command line arguments on Windows,
maliciously crafted arguments can inject arbitrary commands even if
the bypass_shell option is enabled.

Details
--------
proc_open executes external commands passed via its arguments. The documentation
of this function states the following:

    As of PHP 7.4.0, the command may be passed as an array of command parameters.
    In this case, the process will be opened directly (without going through a
    shell) and PHP will take care of any necessary argument escaping. 
    
    bypass_shell (windows only): bypass cmd.exe shell when set to true

However, when executing .bat or .cmd files, CreateProcess implicitly spawns
cmd.exe, resulting in command line arguments being parsed in cmd.exe despite
the documentation explicitly stating it doesn't spawn the shell.

While proc_open tries to escape the arguments, command prompts will not
recognize \ as the escape character. So, the following command line argument
will spawn calc.exe:

    test.bat "\"&calc.exe"

https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
(CVE-2024-2756) reports:
Summary
-------
Due to an incomplete fix to CVE-2022-31629, network and same-site attackers
can set a standard insecure cookie in the victim's browser which is treated
as a __Host- or __Secure- cookie by PHP applications.

Details
-------
The vulnerability is identical to one previously described in
https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got
only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed
by PHP applications as __Host-.

https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
(CVE-2024-3096) reports:
Summary
-------
If a password stored with password_hash starts with a null byte (\x00),
testing a blank string as the password via password_verify will incorrectly
return true.

If a user were able to create a password with a leading null byte (unlikely,
but syntactically valid), an attacker could trivially compromise the victim's
account by attempting to sign in with a blank string.

https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
(CVE-2024-2757) reports:
Summary
-------
Certain inputs provided to mb_encode_mimeheader trigger an endless loop.

Details
-------
A discernible pattern has not yet been identified, but a specific string
consistently reproduces the issue.

PoC
---
In PHP 8.3.3, execute:

    <?php
    // Reproducer from the advisory: on an affected build this call never returns.
    mb_internal_encoding('UTF-8');
    mb_encode_mimeheader(",9868949,9868978,9869015,9689100,9869121,9869615,9870690,9867116,98558119861183. ", "utf-8", "B");

The mb_encode_mimeheader function seems to enter an infinite loop and fails to return.

Impact
------
Given that this function is integral to numerous email processing routines,
including those handling potentially untrusted user inputs, this vulnerability
could be exploited for denial-of-service attacks. For instance, CakePHP 5
relies on this function to encode email subjects.
https://github.com/cakephp/cakephp/blob/5.x/src/Mailer/Message.php#L815

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
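The batch-file case described in the GHSA-pc52-254m-w9w7 excerpt above (proc_open() with an array command, a .bat/.cmd target, and cmd.exe re-parsing the arguments), as an added example that is not part of the original message, the advisory, or php-src. It is a guard a PHP application can put in front of proc_open() on builds it cannot upgrade yet: refuse to start a batch file at all when any argument carries cmd.exe metacharacters, since escaping with a backslash does not help once cmd.exe is involved. The function names, the metacharacter list, and the sample inputs (other than the advisory's own `"&calc.exe` payload) are assumptions of this example.

```php
<?php
// Added example (not from the advisory or php-src): a guard in front of
// proc_open() for the batch-file case in GHSA-pc52-254m-w9w7.
// Per the advisory, when the program is a .bat/.cmd file CreateProcess
// starts cmd.exe to run it, so cmd.exe re-parses the argument string and
// does not honour the backslash escaping proc_open() applied.
// The metacharacter list, function names and sample inputs are assumptions.

declare(strict_types=1);

/** True if $program looks like a Windows batch script (cmd.exe is implied). */
function isBatchFile(string $program): bool
{
    $ext = strtolower(pathinfo($program, PATHINFO_EXTENSION));
    return $ext === 'bat' || $ext === 'cmd';
}

/**
 * Characters cmd.exe interprets when it parses a command line; a stray
 * double quote ends the quoted section, after which & | < > ^ take effect.
 * Assumed list, deliberately broad: reject rather than try to escape.
 */
const CMD_METACHARS = "\"&|<>^%!\r\n";

/** True if $arg contains nothing cmd.exe could interpret as syntax. */
function argIsSafeForCmd(string $arg): bool
{
    return strpbrk($arg, CMD_METACHARS) === false;
}

/**
 * Wrapper around proc_open() for the array form of $command.
 * Throws instead of executing when the target is a batch file and an
 * argument carries cmd.exe metacharacters; otherwise defers to proc_open().
 */
function procOpenGuarded(array $command, array $descriptors, ?array &$pipes, array $options = [])
{
    if ($command === []) {
        throw new InvalidArgumentException('empty command');
    }
    $program = (string) $command[0];
    if (isBatchFile($program)) {
        foreach (array_slice($command, 1) as $i => $arg) {
            if (!argIsSafeForCmd((string) $arg)) {
                throw new InvalidArgumentException(sprintf(
                    'refusing to run batch file %s: argument %d contains cmd.exe metacharacters',
                    $program,
                    $i + 1
                ));
            }
        }
    }
    return proc_open($command, $descriptors, $pipes, null, null, $options);
}

// Constructed sample inputs: the advisory's payload plus two controls.
// Only the guard is evaluated here; nothing is executed.
$cases = [
    ['test.bat', '"&calc.exe'],       // advisory payload: must be rejected
    ['test.bat', 'plain-argument'],   // harmless: allowed through
    ['notepad.exe', '"&calc.exe'],    // not a batch file: cmd.exe is not involved
];

foreach ($cases as $cmd) {
    $verdict = (isBatchFile($cmd[0]) && !argIsSafeForCmd($cmd[1])) ? 'REJECT' : 'allow';
    printf("%-7s %s\n", $verdict, implode(' ', $cmd));
}
```

The third case is allowed only because, as the advisory describes it, the shell re-parsing happens for batch targets; a non-batch executable receives the argument through CreateProcess with proc_open()'s escaping intact. The guard is a stop-gap for unpatched hosts, not a replacement for upgrading to the fixed releases.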

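The password_verify() failure mode from the GHSA-h746-cjrr-wfmr excerpt above (a stored value beginning with a NUL byte verifying a blank password), as an added example that is not part of the original message, the advisory, or php-src. It wraps password_verify() so that an empty password is refused outright and a stored value is only handed to password_verify() when password_get_info() recognises its algorithm. The function names and the sample data are assumptions of this example.

```php
<?php
// Added example (not from the advisory or php-src): a defensive wrapper
// around password_verify() for the case in GHSA-h746-cjrr-wfmr, where a
// stored hash whose first byte is NUL verifies a blank password.
// Function names and sample data are assumptions.

declare(strict_types=1);

/** True if $hash is in a format PHP's password API recognises. */
function isRecognisedPasswordHash(string $hash): bool
{
    if ($hash === '' || $hash[0] === "\0") {
        return false;
    }
    $info = password_get_info($hash);
    return $info['algoName'] !== 'unknown';
}

/**
 * Verify $password against $storedHash without letting an empty password
 * or a malformed stored value reach password_verify() at all.
 */
function verifyPasswordStrict(string $password, string $storedHash): bool
{
    if ($password === '') {
        return false;
    }
    if (!isRecognisedPasswordHash($storedHash)) {
        // An unreadable stored value is a failed login, never a bypass.
        return false;
    }
    return password_verify($password, $storedHash);
}

// Constructed sample data: one real hash and one NUL-prefixed stored value.
$good = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$cases = [
    ['correct horse battery staple', $good,       true],
    ['wrong password',               $good,       false],
    ['',                             $good,       false], // blank password
    ['',                             "\0garbage", false], // NUL-prefixed stored value
    ['anything',                     "\0garbage", false],
];

foreach ($cases as [$pw, $hash, $expected]) {
    $got = verifyPasswordStrict($pw, $hash);
    printf(
        "%s expected=%s got=%s\n",
        $got === $expected ? 'ok  ' : 'FAIL',
        var_export($expected, true),
        var_export($got, true)
    );
}
```

The empty-password check is the part that closes the advisory's attack on an unpatched build; the hash-format check is there so a corrupted or tampered password column fails closed instead of being interpreted by whatever crypt() makes of it.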