summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2024-04-10 09:47:04 +0200
committerRemi Collet <remi@php.net>2024-04-10 09:47:04 +0200
commite6583a1b202cc33e3b33d3e9c92b44cf36564e97 (patch)
treee5beb093c4e881a65dd97a70edad7a63db2d415a
parent1ac6ca14403fc59e67bbf98d0a22e764cef74230 (diff)
Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
CVE-2024-2756 Fix password_verify can erroneously return true opening ATO risk CVE-2024-3096
-rw-r--r--failed.txt4
-rw-r--r--php-8.0.30-zlib-tests.patch3
-rw-r--r--php-cve-2024-2756.patch191
-rw-r--r--php-cve-2024-3096.patch77
-rw-r--r--php80.spec12
5 files changed, 283 insertions, 4 deletions
diff --git a/failed.txt b/failed.txt
index 36d4f65..61ddf4b 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 8.0.30-3 (2023-12-12)
+===== 8.0.30-5 (2024-04-11)
$ grep -ar 'Tests failed' /var/lib/mock/*/build.log
@@ -14,8 +14,6 @@ $ grep -ar 'Tests failed' /var/lib/mock/*/build.log
/var/lib/mock/fc40x80/build.log:Tests failed : 3
-el8x:
- 5 ext/standard/tests/strings/setlocale_variation2.phpt
fc38, fc39, el9:
3 openssl_error_string() tests (OpenSSL >= 3.0) [ext/openssl/tests/openssl_error_string_basic_openssl3.phpt]
3 openssl_private_decrypt() tests [ext/openssl/tests/openssl_private_decrypt_basic.phpt]
diff --git a/php-8.0.30-zlib-tests.patch b/php-8.0.30-zlib-tests.patch
index f0b9bcc..165b0c5 100644
--- a/php-8.0.30-zlib-tests.patch
+++ b/php-8.0.30-zlib-tests.patch
@@ -1,3 +1,6 @@
+Adapted for 8.0 from
+
+
From 5e12844d4d0053f3c3f1b20635efdb6f30e85190 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 29 Feb 2024 10:52:54 +0100
diff --git a/php-cve-2024-2756.patch b/php-cve-2024-2756.patch
new file mode 100644
index 0000000..9f27189
--- /dev/null
+++ b/php-cve-2024-2756.patch
@@ -0,0 +1,191 @@
+From 2e07a3acd7a6b53c55325b94bed97748d7697b53 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sun, 17 Mar 2024 21:04:47 +0100
+Subject: [PATCH 1/4] Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass
+ due to partial CVE-2022-31629 fix
+
+The check happened too early as later code paths may perform more
+mangling rules. Move the check downwards right before adding the actual
+variable.
+
+(cherry picked from commit 093c08af25fb323efa0c8e6154aa9fdeae3d3b53)
+---
+ ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt | 63 +++++++++++++++++++++
+ main/php_variables.c | 41 +++++++++-----
+ 2 files changed, 90 insertions(+), 14 deletions(-)
+ create mode 100644 ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+
+diff --git a/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+new file mode 100644
+index 00000000000..77fcb680894
+--- /dev/null
++++ b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+@@ -0,0 +1,63 @@
++--TEST--
++ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix)
++--COOKIE--
++..Host-test=ignore_1;
++._Host-test=ignore_2;
++.[Host-test=ignore_3;
++_.Host-test=ignore_4;
++__Host-test=ignore_5;
++_[Host-test=ignore_6;
++[.Host-test=ignore_7;
++[_Host-test=ignore_8;
++[[Host-test=ignore_9;
++..Host-test[]=ignore_10;
++._Host-test[]=ignore_11;
++.[Host-test[]=ignore_12;
++_.Host-test[]=ignore_13;
++__Host-test[]=legitimate_14;
++_[Host-test[]=legitimate_15;
++[.Host-test[]=ignore_16;
++[_Host-test[]=ignore_17;
++[[Host-test[]=ignore_18;
++..Secure-test=ignore_1;
++._Secure-test=ignore_2;
++.[Secure-test=ignore_3;
++_.Secure-test=ignore_4;
++__Secure-test=ignore_5;
++_[Secure-test=ignore_6;
++[.Secure-test=ignore_7;
++[_Secure-test=ignore_8;
++[[Secure-test=ignore_9;
++..Secure-test[]=ignore_10;
++._Secure-test[]=ignore_11;
++.[Secure-test[]=ignore_12;
++_.Secure-test[]=ignore_13;
++__Secure-test[]=legitimate_14;
++_[Secure-test[]=legitimate_15;
++[.Secure-test[]=ignore_16;
++[_Secure-test[]=ignore_17;
++[[Secure-test[]=ignore_18;
++--FILE--
++<?php
++var_dump($_COOKIE);
++?>
++--EXPECT--
++array(3) {
++ ["__Host-test"]=>
++ array(1) {
++ [0]=>
++ string(13) "legitimate_14"
++ }
++ ["_"]=>
++ array(2) {
++ ["Host-test["]=>
++ string(13) "legitimate_15"
++ ["Secure-test["]=>
++ string(13) "legitimate_15"
++ }
++ ["__Secure-test"]=>
++ array(1) {
++ [0]=>
++ string(13) "legitimate_14"
++ }
++}
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 27a9ad089e7..dc888bdfc64 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -54,6 +54,21 @@ static zend_always_inline void php_register_variable_quick(const char *name, siz
+ zend_string_release_ex(key, 0);
+ }
+
++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++static bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
++{
++ if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
++ return true;
++ }
++
++ if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++ return true;
++ }
++
++ return false;
++}
++
+ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *track_vars_array)
+ {
+ char *p = NULL;
+@@ -104,20 +119,6 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ }
+ var_len = p - var;
+
+- /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+- if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+- /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+- if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+ if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ zval_ptr_dtor_nogc(val);
+ free_alloca(var_orig, use_heap);
+@@ -221,6 +222,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ return;
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
+ if (!gpc_element_p) {
+ zval tmp;
+@@ -258,6 +265,12 @@ plain_var:
+ zval_ptr_dtor_nogc(val);
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ zend_ulong idx;
+
+ /*
+--
+2.44.0
+
+From 366cc249b7d54707572beb7096e8f6c65ee79719 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 10 Apr 2024 08:59:32 +0200
+Subject: [PATCH 2/4] NEWS
+
+---
+ NEWS | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 8147a7e517c..14fda3a58b9 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
++
++Backported from 8.1.28
++
++- Standard:
++ . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
++ partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
++
+ 03 Aug 2023, PHP 8.0.30
+
+ - Libxml:
+--
+2.44.0
+
diff --git a/php-cve-2024-3096.patch b/php-cve-2024-3096.patch
new file mode 100644
index 0000000..40169dd
--- /dev/null
+++ b/php-cve-2024-3096.patch
@@ -0,0 +1,77 @@
+From 81794c73068d9a44bf109bbcc9793e7b56a1c051 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Fri, 29 Mar 2024 15:27:59 +0000
+Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
+ erroneously return true
+
+Disallow null character in bcrypt password
+
+(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
+---
+ ext/standard/password.c | 5 +++++
+ ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/ext/standard/password.c b/ext/standard/password.c
+index fb29e7bbba4..40117983f70 100644
+--- a/ext/standard/password.c
++++ b/ext/standard/password.c
+@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
+ zval *zcost;
+ zend_long cost = PHP_PASSWORD_BCRYPT_COST;
+
++ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
++ zend_value_error("Bcrypt password must not contain null character");
++ return NULL;
++ }
++
+ if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
+ cost = zval_get_long(zcost);
+ }
+diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
+index 10c3483f5a8..5d823cba021 100644
+--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
+@@ -14,7 +14,14 @@ try {
+ } catch (ValueError $exception) {
+ echo $exception->getMessage() . "\n";
+ }
++
++try {
++ var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
+ ?>
+ --EXPECT--
+ Invalid bcrypt cost parameter specified: 3
+ Invalid bcrypt cost parameter specified: 32
++Bcrypt password must not contain null character
+--
+2.44.0
+
+From 24f77904ee2259d722559f129f96a1f145a2367b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 10 Apr 2024 09:01:09 +0200
+Subject: [PATCH 4/4] NEWS
+
+---
+ NEWS | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 14fda3a58b9..8b4801d707e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -6,6 +6,8 @@ Backported from 8.1.28
+ - Standard:
+ . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
+ partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
++ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
++ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
+
+ 03 Aug 2023, PHP 8.0.30
+
+--
+2.44.0
+
diff --git a/php80.spec b/php80.spec
index 813a50f..6bf2b89 100644
--- a/php80.spec
+++ b/php80.spec
@@ -118,7 +118,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 4%{?dist}
+Release: 5%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -195,6 +195,8 @@ Patch91: php-7.2.0-oci8conf.patch
# Upstream fixes (100+)
# Security fixes (200+)
+Patch200: php-cve-2024-2756.patch
+Patch201: php-cve-2024-3096.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1214,6 +1216,8 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
# upstream patches
# security patches
+%patch -P200 -p1 -b .cve2756
+%patch -P201 -p1 -b .cve3096
# Fixes for tests related to tzdata
%patch -P300 -p1 -b .datetests
@@ -2219,6 +2223,12 @@ EOF
%changelog
+* Wed Apr 10 2024 Remi Collet <remi@remirepo.net> - 8.0.30-5
+- Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
+ CVE-2024-2756
+- Fix password_verify can erroneously return true opening ATO risk
+ CVE-2024-3096
+
* Wed Mar 6 2024 Remi Collet <remi@remirepo.net> - 8.0.30-4
- use oracle client library version 21.13 on x86_64
- patch test suite for zlib-ng