From e6583a1b202cc33e3b33d3e9c92b44cf36564e97 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 10 Apr 2024 09:47:04 +0200 Subject: Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 Fix password_verify can erroneously return true opening ATO risk CVE-2024-3096 --- php-cve-2024-3096.patch | 77 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 php-cve-2024-3096.patch (limited to 'php-cve-2024-3096.patch') diff --git a/php-cve-2024-3096.patch b/php-cve-2024-3096.patch new file mode 100644 index 0000000..40169dd --- /dev/null +++ b/php-cve-2024-3096.patch @@ -0,0 +1,77 @@ +From 81794c73068d9a44bf109bbcc9793e7b56a1c051 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka +Date: Fri, 29 Mar 2024 15:27:59 +0000 +Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can + erroneously return true + +Disallow null character in bcrypt password + +(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826) +--- + ext/standard/password.c | 5 +++++ + ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++ + 2 files changed, 12 insertions(+) + +diff --git a/ext/standard/password.c b/ext/standard/password.c +index fb29e7bbba4..40117983f70 100644 +--- a/ext/standard/password.c ++++ b/ext/standard/password.c +@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a + zval *zcost; + zend_long cost = PHP_PASSWORD_BCRYPT_COST; + ++ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) { ++ zend_value_error("Bcrypt password must not contain null character"); ++ return NULL; ++ } ++ + if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) { + cost = zval_get_long(zcost); + } +diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt +index 10c3483f5a8..5d823cba021 100644 +--- a/ext/standard/tests/password/password_bcrypt_errors.phpt ++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt +@@ -14,7 +14,14 @@ try { + } catch (ValueError $exception) { + echo $exception->getMessage() . "\n"; + } ++ ++try { ++ var_dump(password_hash("null\0password", PASSWORD_BCRYPT)); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} + ?> + --EXPECT-- + Invalid bcrypt cost parameter specified: 3 + Invalid bcrypt cost parameter specified: 32 ++Bcrypt password must not contain null character +-- +2.44.0 + +From 24f77904ee2259d722559f129f96a1f145a2367b Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 10 Apr 2024 09:01:09 +0200 +Subject: [PATCH 4/4] NEWS + +--- + NEWS | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/NEWS b/NEWS +index 14fda3a58b9..8b4801d707e 100644 +--- a/NEWS ++++ b/NEWS +@@ -6,6 +6,8 @@ Backported from 8.1.28 + - Standard: + . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to + partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos) ++ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, ++ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka) + + 03 Aug 2023, PHP 8.0.30 + +-- +2.44.0 + -- cgit