Date: Fri, 12 Apr 2024 12:04:54 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: PHP security releases 8.1.28, 8.2.18, & 8.3.6

https://news-web.php.net/php.announce/424 (dated April 11) states:
> The PHP development team announces the immediate availability of PHP 8.3.6.
> This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
> 
> All PHP 8.3 users are encouraged to upgrade to this version.

https://news-web.php.net/php.announce/423 (dated April 11) states:
> The PHP development team announces the immediate availability of PHP
> 8.2.18. This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756 and CVE-2024-3096.
> 
> All PHP 8.2 users are advised to upgrade to this version.

https://news-web.php.net/php.announce/425 (dated April 12) states:
> The PHP development team announces the immediate availability of PHP
> 8.1.28. This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756, and CVE-2024-3096.
> 
> All PHP 8.1 users are encouraged to upgrade to this version.

https://www.php.net/ChangeLog-8.php gives these descriptions of the CVE fixes:
> Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
> Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
> Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
> Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)

Note that CVE-2024-2757 is only fixed in 8.3.6, while the other three
are fixed in all three releases.

https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
(CVE-2024-1874) reports:
> Due to the improper handling of command line arguments on Windows,
> maliciously crafted arguments can inject arbitrary commands even if
> the bypass_shell option is enabled.
> 
> Details
> --------
> proc_open executes external commands passed via its arguments. The documentation
> of this function states the following:
> 
>     As of PHP 7.4.0, the command may be passed as an array of command parameters.
>     In this case, the process will be opened directly (without going through a
>     shell) and PHP will take care of any necessary argument escaping. 
>     
>     bypass_shell (windows only): bypass cmd.exe shell when set to true
> 
> However, when executing .bat or .cmd files, CreateProcess implicitly spawns
> cmd.exe, resulting in command line arguments being parsed in cmd.exe despite
> the documentation explicitly stating it doesn't spawn the shell.
> 
> While proc_open tries to escape the arguments, command prompts will not
> recognize \ as the escape character. So, the following command line argument
> will spawn calc.exe:
> 
>     test.bat "\"&calc.exe"

https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
(CVE-2024-2756) reports:
> Summary
> -------
> Due to an incomplete fix to CVE-2022-31629, network and same-site attackers
> can set a standard insecure cookie in the victim's browser which is treated
> as a __Host- or __Secure- cookie by PHP applications.
> 
> Details
> -------
> The vulnerability is identical to one previously described in
> https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got
> only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed
> by PHP applications as __Host-. 

https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
(CVE-2024-3096) reports:
> Summary
> -------
> If a password stored with password_hash starts with a null byte (\x00),
> testing a blank string as the password via password_verify will incorrectly
> return true.
> 
> If a user were able to create a password with a leading null byte (unlikely,
> but syntactically valid), an attacker could trivially compromise the victim's
> account by attempting to sign in with a blank string.

https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
(CVE-2024-2757) reports:
> Summary
> -------
> Certain inputs provided to mb_encode_mimeheader trigger an endless loop.
> 
> Details
> -------
> A discernible pattern has not yet been identified, but a specific string
> consistently reproduces the issue.
> 
> PoC
> ---
> In PHP 8.3.3, execute:
> 
>     <?php
>     mb_internal_encoding('UTF-8');
>     mb_encode_mimeheader(",9868949,9868978,9869015,9689100,9869121,9869615,9870690,9867116,98558119861183. ", "utf-8", "B");
> 
> The mb_encode_mimeheader function seems to enter an infinite loop and fails to return.
> 
> Impact
> ------
> Given that this function is integral to numerous email processing routines,
> including those handling potentially untrusted user inputs, this vulnerability
> could be exploited for denial-of-service attacks. For instance, CakePHP 5
> relies on this function to encode email subjects.
> https://github.com/cakephp/cakephp/blob/5.x/src/Mailer/Message.php#L815

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
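Added example for the CVE-2024-1874 report above; this is not code from php-src or the advisory. It implements the check a practitioner would want on hosts that cannot upgrade yet: before the array form of proc_open() is used on Windows, refuse any argument bound for a .bat/.cmd target that carries cmd.exe metacharacters, because (per the advisory) CreateProcess hands such targets to cmd.exe, which ignores the backslash escaping proc_open() applies. The class name, method names and the metacharacter list are my assumptions; the real fix is upgrading to the releases announced above.

```php
<?php
declare(strict_types=1);

// Added example, not code from php-src or the advisory.
// Assumption: on Windows, CreateProcess runs .bat/.cmd files through cmd.exe,
// which does not honour proc_open()'s backslash escaping, so the safe policy
// for untrusted input is to refuse such arguments rather than escape them.
final class BatchArgGuard
{
    // Characters cmd.exe treats specially even inside a double-quoted
    // argument. Assumption: this list is sufficient for the injection
    // class in the advisory; it is deliberately over-broad.
    private const CMD_META = ['&', '|', '<', '>', '^', '%', '!', '"', "\r", "\n"];

    public static function isBatchTarget(string $path): bool
    {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        return $ext === 'bat' || $ext === 'cmd';
    }

    public static function hasCmdMeta(string $arg): bool
    {
        foreach (self::CMD_META as $meta) {
            if (str_contains($arg, $meta)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validate an argv-style $command array before it reaches proc_open().
     *
     * @param list<string> $command
     * @param bool|null $windows defaults to the current host; a parameter so
     *                           the policy can be exercised on any OS
     * @return list<string> the unchanged array if it passes
     * @throws InvalidArgumentException on a rejected argument
     */
    public static function check(array $command, ?bool $windows = null): array
    {
        $windows ??= (PHP_OS_FAMILY === 'Windows');
        if ($command === []) {
            throw new InvalidArgumentException('empty command');
        }
        if (!$windows || !self::isBatchTarget($command[0])) {
            return $command; // not the CreateProcess-to-cmd.exe path
        }
        foreach (array_slice($command, 1) as $index => $arg) {
            if (self::hasCmdMeta($arg)) {
                throw new InvalidArgumentException(sprintf(
                    'argument %d to batch file %s contains cmd.exe metacharacters',
                    $index + 1,
                    $command[0]
                ));
            }
        }
        return $command;
    }
}

// Constructed inputs: a benign call and the advisory's PoC argument.
$benign = ['test.bat', 'hello world'];
$poc    = ['test.bat', "\"&calc.exe"];

BatchArgGuard::check($benign, windows: true);
try {
    BatchArgGuard::check($poc, windows: true); // the guard exists to stop this one
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Only an array that passed the guard should be handed to proc_open():
// $proc = proc_open(BatchArgGuard::check($benign), $descriptors, $pipes,
//                   null, null, ['bypass_shell' => true]);
```

The guard keys on the file extension of $command[0]; a target given without an extension, or reached through a PATH lookup, is not covered, so on unpatched Windows hosts the safer rule is to not pass untrusted data to batch files at all.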

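Added example for the CVE-2024-2756 report above; not code from php-src or the advisory. The point of the advisory is that PHP normalises cookie names when it builds $_COOKIE, so an attacker-set cookie such as _[Host-session can surface under the key __Host-session. A defence that does not depend on the PHP version is to read the Cookie header itself and match the prefixed name byte-for-byte, and to treat the prefixes as meaningless unless the request arrived over HTTPS. Function names and the constructed request are my own.

```php
<?php
declare(strict_types=1);

// Added example, not code from php-src or the advisory. Reads the raw Cookie
// header and matches names exactly, so a name PHP would normalise into a
// __Host-/__Secure- key (the advisory's _[Host- case) is not mistaken for
// the real cookie.

/**
 * Parse a raw Cookie header into [name => value] pairs without touching the
 * names. Duplicate names keep the first occurrence.
 *
 * @return array<string, string>
 */
function parseRawCookieHeader(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        $eq    = strpos($pair, '=');
        $name  = $eq === false ? $pair : substr($pair, 0, $eq);
        $value = $eq === false ? '' : substr($pair, $eq + 1);
        if (!array_key_exists($name, $out)) {
            $out[$name] = rawurldecode($value);
        }
    }
    return $out;
}

/**
 * Fetch a __Host-/__Secure- cookie by exact name from the raw header.
 * Returns null unless the request is HTTPS and the exact name is present.
 *
 * @param array<string, string> $server the $_SERVER array (or a stand-in)
 */
function prefixedCookie(string $name, array $server): ?string
{
    if (!str_starts_with($name, '__Host-') && !str_starts_with($name, '__Secure-')) {
        throw new InvalidArgumentException('expected a __Host- or __Secure- cookie name');
    }
    $https = ($server['HTTPS'] ?? 'off') !== 'off';
    if (!$https) {
        return null; // the prefixes carry no guarantee on a plaintext request
    }
    $jar = parseRawCookieHeader($server['HTTP_COOKIE'] ?? '');
    return $jar[$name] ?? null;
}

// Constructed request: an attacker-set _[Host-session rides alongside the
// legitimate __Host-session. Only the exact name is returned.
$server = [
    'HTTPS'       => 'on',
    'HTTP_COOKIE' => '_[Host-session=attacker; __Host-session=legit; theme=dark',
];

var_dump(prefixedCookie('__Host-session', $server));
var_dump(prefixedCookie('__Host-csrf', $server));
var_dump(prefixedCookie('__Host-session', ['HTTPS' => 'off'] + $server));
```

$_SERVER['HTTP_COOKIE'] is the header as the client sent it, which is what the browser's prefix rules applied to; $_COOKIE is PHP's interpretation of it, and that interpretation is exactly what the advisory says was wrong.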
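Added example for the CVE-2024-3096 report above; not code from php-src or the advisory. It gives two things a practitioner wants: a self-check that tells you whether the PHP you are running still lets a blank string verify against the hash of a NUL-prefixed password, and an application-side guard that keeps empty strings and NUL bytes away from password_hash()/password_verify() on any version. Function names are my own; that a fixed build reports the condition as absent either by refusing the input with a ValueError or by no longer collapsing the hash is my assumption, and the check treats both outcomes as "not vulnerable".

```php
<?php
declare(strict_types=1);

// Added example, not code from php-src or the advisory.

/**
 * Returns true if this PHP build lets a blank password verify against the
 * hash of a NUL-prefixed password (the advisory's condition).
 * Assumption: a fixed build either refuses the input (ValueError) or no longer
 * produces a hash that "" verifies against; both are reported as false.
 */
function blankPasswordVerifiesAgainstNulPrefix(): bool
{
    try {
        $hash = password_hash("\0secret", PASSWORD_BCRYPT, ['cost' => 4]);
    } catch (ValueError) {
        return false;
    }
    return is_string($hash) && password_verify('', $hash);
}

/**
 * Guard: refuse passwords bcrypt cannot represent faithfully. Bcrypt treats
 * the key as NUL-terminated and uses at most 72 bytes, so NUL bytes and
 * over-long input are rejected along with the empty string.
 */
function assertUsablePassword(string $password): void
{
    if ($password === '') {
        throw new InvalidArgumentException('password must not be empty');
    }
    if (str_contains($password, "\0")) {
        throw new InvalidArgumentException('password must not contain a NUL byte');
    }
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes would be truncated by bcrypt');
    }
}

function safeHash(string $password): string
{
    assertUsablePassword($password);
    return password_hash($password, PASSWORD_BCRYPT);
}

function safeVerify(string $password, string $hash): bool
{
    try {
        assertUsablePassword($password);
    } catch (InvalidArgumentException) {
        return false; // never hand a blank or NUL-bearing string to password_verify()
    }
    return password_verify($password, $hash);
}

// Self-check, then the guard on constructed inputs.
echo 'blank string verifies against NUL-prefixed hash: ',
    var_export(blankPasswordVerifiesAgainstNulPrefix(), true), PHP_EOL;

$hash = safeHash('correct horse');
var_dump(safeVerify('correct horse', $hash));
var_dump(safeVerify('', $hash));
var_dump(safeVerify("\0", $hash));
```

The self-check is cheap (cost 4) and is worth running once in deployment tests, since the advisory's condition is a property of the runtime, not of the stored hashes; the guard is what protects accounts whose password was set with a leading NUL before the upgrade.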