Debian Bug report logs -
#1014533
php8.1: CVE-2022-31625 CVE-2022-31626
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Thu, 7 Jul 2022 15:45:09 UTC
Severity: important
Tags: security
Fixed in version php8.1/8.1.7-1
Done: Ondřej Surý <ondrej@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#1014533; Package src:php8.1.
(Thu, 07 Jul 2022 15:45:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>.
(Thu, 07 Jul 2022 15:45:11 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: php8.1
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for php8.1.
CVE-2022-31625[0]:
| In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
| below 8.1.7, when using Postgres database extension, supplying invalid
| parameters to the parametrized query may lead to PHP attempting to
| free memory using uninitialized data as pointers. This could lead to
| RCE vulnerability or denial of service.
https://bugs.php.net/bug.php?id=81720
CVE-2022-31626[1]:
| In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
| below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the
| third party is allowed to supply host to connect to and the password
| for the connection, password of excessive length can trigger a buffer
| overflow in PHP, which can lead to a remote code execution
| vulnerability.
https://bugs.php.net/bug.php?id=81719
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
[1] https://security-tracker.debian.org/tracker/CVE-2022-31626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
Please adjust the affected versions in the BTS as needed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#1014533; Package src:php8.1.
(Thu, 07 Jul 2022 16:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <team+pkg-php@tracker.debian.org>.
(Thu, 07 Jul 2022 16:00:04 GMT) (full text, mbox, link).
Message #10 received at 1014533@bugs.debian.org (full text, mbox, reply):
Hi,
thanks for the poke.
Would it be also ok to do the php7.4 via bullseye-security or do you
want me specifically to do the stable-updates?
Ondrej
--
Ondřej Surý (He/Him)
ondrej@sury.org
> On 7. 7. 2022, at 17:42, Moritz Mühlenhoff <jmm@inutil.org> wrote:
>
> Source: php8.1
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for php8.1.
>
> CVE-2022-31625[0]:
> | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
> | below 8.1.7, when using Postgres database extension, supplying invalid
> | parameters to the parametrized query may lead to PHP attempting to
> | free memory using uninitialized data as pointers. This could lead to
> | RCE vulnerability or denial of service.
>
> https://bugs.php.net/bug.php?id=81720
>
> CVE-2022-31626[1]:
> | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
> | below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the
> | third party is allowed to supply host to connect to and the password
> | for the connection, password of excessive length can trigger a buffer
> | overflow in PHP, which can lead to a remote code execution
> | vulnerability.
>
> https://bugs.php.net/bug.php?id=81719
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31625
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31626
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
>
> Please adjust the affected versions in the BTS as needed.
>
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Thu, 07 Jul 2022 17:12:03 GMT) (full text, mbox, link).
Notification sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Thu, 07 Jul 2022 17:12:03 GMT) (full text, mbox, link).
Message #15 received at 1014533-close@bugs.debian.org (full text, mbox, reply):
Source: php8.1
Source-Version: 8.1.7-1
Done: Ondřej Surý <ondrej@debian.org>
We believe that the bug you reported is fixed in the latest version of
php8.1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1014533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php8.1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 25 Jun 2022 09:57:04 +0200
Source: php8.1
Architecture: source
Version: 8.1.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 1014533
Changes:
php8.1 (8.1.7-1) unstable; urgency=medium
.
* New upstream version 8.1.7 (Closes: #1014533)
+ [CVE-2022-31626]: Fixed mysqlnd/pdo password buffer overflow.
+ [CVE-2022-31625]: Fixed uninitialized array in pg_query_params().
* Add Provides: php-json to PHP SAPIS
Checksums-Sha1:
9547dcb9422b06ff99970494345f54879c48f5d4 5684 php8.1_8.1.7-1.dsc
bc3536a5c4ef92043db0735c87fdfe5b375ca533 11718520 php8.1_8.1.7.orig.tar.xz
4af1ec0c8c16a715a1c722510aad30857ea48a6f 833 php8.1_8.1.7.orig.tar.xz.asc
34f3791e5929667ecea7f0fe97ca910a5b9a2d4f 66800 php8.1_8.1.7-1.debian.tar.xz
e0ca1e75c209693cf79481e55f9b0ae0674c4389 32399 php8.1_8.1.7-1_amd64.buildinfo
Checksums-Sha256:
a251b04cdf0cb3b7c5ffdf90e015985821082bcd1b883af45d39d0636232975f 5684 php8.1_8.1.7-1.dsc
f042322f1b5a9f7c2decb84b7086ef676896c2f7178739b9672afafa964ed0e5 11718520 php8.1_8.1.7.orig.tar.xz
097266dfed19c84a165db703ce41d0522a120d9d8243942a2ee72d5b93510488 833 php8.1_8.1.7.orig.tar.xz.asc
457657efa2abe08e98fb74632498bed086ae3714951f11ad122e29a5a33e6eec 66800 php8.1_8.1.7-1.debian.tar.xz
457aeae0db89e2311a5c15867cdfc32bbdcb3bfe7702859fc33041f341c35b29 32399 php8.1_8.1.7-1_amd64.buildinfo
Files:
d0967265b0a6ff190a35638a0feae591 5684 php optional php8.1_8.1.7-1.dsc
f8be7dfca5c241e780f75f3f3ce83b76 11718520 php optional php8.1_8.1.7.orig.tar.xz
22b3f85a28390921e204fd3f9eef7584 833 php optional php8.1_8.1.7.orig.tar.xz.asc
6dc3972d499627e9f4ab4d829f99bb89 66800 php optional php8.1_8.1.7-1.debian.tar.xz
b566bad223d5ac159a5e09e903fa657f 32399 php optional php8.1_8.1.7-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmLHCvBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcKH4Q/9HtO17Ys+IXzfaBiAm/GV9bZC1Edph4wc0TAtDSmYU/783GGHlOJ4PwZp
PKpI2pRvKd3RFjenk/7yonmEOrpC/ovVBOZaB95eAMhFbl7sXJnd74XPbuVmxr9s
7GDdAEvLnUhrD4C0jiQBLvPsS+g+hICIsaI+YiCk0iNRkgKKFRSZL1TPtJFdWCGi
r38kbYGZqlS2G8OE7ySndsgzi3KN3EXp00UeJGWYPiCX1JYjFykegCBkxBNihIy4
mJrNfsADXmuLRG7DYkVkN8gM64QJ79+U4cBkA0L2SZq+s6NBrOWj3uw2pbGQ1bT/
5LKes4NLd5o2c87FuwZYLRjSJ2fxDPmitGR6s07vx/Jzn3hK0dRA5osg5BpPZOV8
p9PV2FoEKPSA98q5HyPrrowOgRVwVaOaBiLkz8p9S5jPZMWmtL59p1AItUXV0nOq
lxmxXy2qqUE6/uTueTaeIE6fRYmuZwZh5d7aEodVWl/3m2S4lgAlt96a/In0aqUo
esUT//iw//3Tg9PoYzsFOw07TwB3RSz/bYgexQx3ayALcffdoWOkWfSNdkOjdDv0
aJXBA32G2/XRTRtg7QChNjCxLTqn8VJRqHpbJnSZ3pFDd/hqtV7crFErC2bvvUQi
QdRKT6kNp+1V9tXZGNZwhMgQ7ijuNF9cfvFnsBfwRIF6WZQgH+U=
=O+Vs
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#1014533; Package src:php8.1.
(Thu, 07 Jul 2022 17:39:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <team+pkg-php@tracker.debian.org>.
(Thu, 07 Jul 2022 17:39:02 GMT) (full text, mbox, link).
Message #20 received at 1014533@bugs.debian.org (full text, mbox, reply):
Hi Ondřej,
On Thu, Jul 07, 2022 at 05:57:24PM +0200, Ondřej Surý wrote:
> Hi,
>
> thanks for the poke.
>
> Would it be also ok to do the php7.4 via bullseye-security or do you
> want me specifically to do the stable-updates?
The two issues are not the most severe, but we can do a DSA. I'll
look into your upload in the next 1-2 days.
Cheers,
Moritz
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Jul 8 13:16:04 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon