diff options
author | Remi Collet <remi@remirepo.net> | 2024-04-10 15:14:09 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2024-04-10 15:14:09 +0200 |
commit | b5323bc96044caafab62b86e2db010c8904a84b2 (patch) | |
tree | 1d9cd894cfe77a7f69e899762c2278576ca76df6 | |
parent | 4b8fde8f2ca42ad47d3f484417f6d0dba35f1280 (diff) |
use oracle client library version 21.13
Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
CVE-2024-2756
Fix password_verify can erroneously return true opening ATO risk
CVE-2024-3096
-rw-r--r-- | failed.txt | 4 | ||||
-rw-r--r-- | php-cve-2024-2756.patch | 203 | ||||
-rw-r--r-- | php-cve-2024-3096.patch | 92 | ||||
-rw-r--r-- | php.spec | 17 |
4 files changed, 311 insertions, 5 deletions
@@ -1,8 +1,8 @@ -===== 5.6.40-36 (2023-02-15) +===== 5.6.40-40 (2024-04-11) $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log -/var/lib/mock/scl56el7x/build.log:Tests failed : 20 +/var/lib/mock/scl56el7x/build.log:Tests failed : 22 /var/lib/mock/scl56el8x/build.log:Tests failed : 34 diff --git a/php-cve-2024-2756.patch b/php-cve-2024-2756.patch new file mode 100644 index 0000000..9125ea1 --- /dev/null +++ b/php-cve-2024-2756.patch @@ -0,0 +1,203 @@ +From db7b1beea1805812d62ab787ebea44a918df84b9 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 17 Mar 2024 21:04:47 +0100 +Subject: [PATCH 1/4] Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass + due to partial CVE-2022-31629 fix + +The check happened too early as later code paths may perform more +mangling rules. Move the check downwards right before adding the actual +variable. + +(cherry picked from commit 093c08af25fb323efa0c8e6154aa9fdeae3d3b53) +(cherry picked from commit 2e07a3acd7a6b53c55325b94bed97748d7697b53) +(cherry picked from commit a6c1c62a25ac23b08a86af11d68f0e2eaafc102b) +(cherry picked from commit 46b570a1e4aeb4a414898fcc09503ac388d16256) +(cherry picked from commit c213de619a532d35e8f7abe4a245433dbf21c960) +(cherry picked from commit a1b0060906bc4eedaf5bb3577a0d6d4b0e6b9dfd) +(cherry picked from commit ec9b61593fa2b9400d4519b9969645c1266a381d) +--- + ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt | 63 +++++++++++++++++++++ + main/php_variables.c | 41 +++++++++----- + 2 files changed, 90 insertions(+), 14 deletions(-) + create mode 100644 ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt + +diff --git a/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt +new file mode 100644 +index 0000000000..77fcb68089 +--- /dev/null ++++ b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt +@@ -0,0 +1,63 @@ ++--TEST-- ++ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix) ++--COOKIE-- ++..Host-test=ignore_1; ++._Host-test=ignore_2; ++.[Host-test=ignore_3; ++_.Host-test=ignore_4; ++__Host-test=ignore_5; ++_[Host-test=ignore_6; ++[.Host-test=ignore_7; ++[_Host-test=ignore_8; ++[[Host-test=ignore_9; ++..Host-test[]=ignore_10; ++._Host-test[]=ignore_11; ++.[Host-test[]=ignore_12; ++_.Host-test[]=ignore_13; ++__Host-test[]=legitimate_14; ++_[Host-test[]=legitimate_15; ++[.Host-test[]=ignore_16; ++[_Host-test[]=ignore_17; ++[[Host-test[]=ignore_18; ++..Secure-test=ignore_1; ++._Secure-test=ignore_2; ++.[Secure-test=ignore_3; ++_.Secure-test=ignore_4; ++__Secure-test=ignore_5; ++_[Secure-test=ignore_6; ++[.Secure-test=ignore_7; ++[_Secure-test=ignore_8; ++[[Secure-test=ignore_9; ++..Secure-test[]=ignore_10; ++._Secure-test[]=ignore_11; ++.[Secure-test[]=ignore_12; ++_.Secure-test[]=ignore_13; ++__Secure-test[]=legitimate_14; ++_[Secure-test[]=legitimate_15; ++[.Secure-test[]=ignore_16; ++[_Secure-test[]=ignore_17; ++[[Secure-test[]=ignore_18; ++--FILE-- ++<?php ++var_dump($_COOKIE); ++?> ++--EXPECT-- ++array(3) { ++ ["__Host-test"]=> ++ array(1) { ++ [0]=> ++ string(13) "legitimate_14" ++ } ++ ["_"]=> ++ array(2) { ++ ["Host-test["]=> ++ string(13) "legitimate_15" ++ ["Secure-test["]=> ++ string(13) "legitimate_15" ++ } ++ ["__Secure-test"]=> ++ array(1) { ++ [0]=> ++ string(13) "legitimate_14" ++ } ++} +diff --git a/main/php_variables.c b/main/php_variables.c +index fb58986f20..fbd9562e8d 100644 +--- a/main/php_variables.c ++++ b/main/php_variables.c +@@ -56,6 +56,21 @@ PHPAPI void php_register_variable_safe(char *var, char *strval, int str_len, zva + php_register_variable_ex(var, &new_entry, track_vars_array TSRMLS_CC); + } + ++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- ++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */ ++static zend_bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name) ++{ ++ if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) { ++ return 1; ++ } ++ ++ if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) { ++ return 1; ++ } ++ ++ return 0; ++} ++ + PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC) + { + char *p = NULL; +@@ -106,20 +121,6 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars + } + var_len = p - var; + +- /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */ +- if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) { +- zval_dtor(val); +- free_alloca(var_orig, use_heap); +- return; +- } +- +- /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */ +- if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) { +- zval_dtor(val); +- free_alloca(var_orig, use_heap); +- return; +- } +- + if (var_len==0) { /* empty variable name, or variable name with a space in it */ + zval_dtor(val); + free_alloca(var_orig, use_heap); +@@ -198,6 +199,12 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars + return; + } + } else { ++ if (php_is_forbidden_variable_name(index, index_len, var_name)) { ++ zval_dtor(val); ++ free_alloca(var_orig, use_heap); ++ return; ++ } ++ + if (zend_symtable_find(symtable1, index, index_len + 1, (void **) &gpc_element_p) == FAILURE + || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + MAKE_STD_ZVAL(gpc_element); +@@ -228,6 +235,12 @@ plain_var: + zval_ptr_dtor(&gpc_element); + } + } else { ++ if (php_is_forbidden_variable_name(index, index_len, var_name)) { ++ zval_dtor(val); ++ free_alloca(var_orig, use_heap); ++ return; ++ } ++ + /* + * According to rfc2965, more specific paths are listed above the less specific ones. + * If we encounter a duplicate cookie name, we should skip it, since it is not possible +-- +2.44.0 + +From ea294ad880a4e1f7ba788150538c0ee405d32d7c Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 10 Apr 2024 08:59:32 +0200 +Subject: [PATCH 2/4] NEWS + +(cherry picked from commit 366cc249b7d54707572beb7096e8f6c65ee79719) +(cherry picked from commit dcdd49ef3bfbd8ccc778850d6a0f9b98adf625d4) +(cherry picked from commit 8642473b624f809b768180b104c013f74e3a99a0) +(cherry picked from commit ee591001f7a3db7405b4fa027659768c2355df6d) +(cherry picked from commit 035bc48bafe5d567f4ab8de6d1752a724e361690) +(cherry picked from commit d8e42d4a8471e19710dbb60018ed956eed34af90) +--- + NEWS | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/NEWS b/NEWS +index 0e7d9abf11..69736ccb08 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.28 ++ ++- Standard: ++ . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to ++ partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos) ++ + Backported from 8.0.30 + + - Libxml: +-- +2.44.0 + diff --git a/php-cve-2024-3096.patch b/php-cve-2024-3096.patch new file mode 100644 index 0000000..b111ab1 --- /dev/null +++ b/php-cve-2024-3096.patch @@ -0,0 +1,92 @@ +From 275555907e5c56b63ca2ae3259009e5537f970e5 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Fri, 29 Mar 2024 15:27:59 +0000 +Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can + erroneously return true + +Disallow null character in bcrypt password + +(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826) +(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051) +(cherry picked from commit 4a7ceb9d6427f8d368f1a8739267b1f8310ec201) +(cherry picked from commit 747100905eceffb1f67096b437001e42900eb6bb) +(cherry picked from commit d22d9ebb29dce86edd622205dd1196a2796c08c7) +(cherry picked from commit cd9a376c28c6f4ce83aab53ec069234fe1d2a819) +(cherry picked from commit 459b4ac6a8d9bec32110b68ac194d71ec2b72182) +--- + ext/standard/password.c | 7 ++++++- + ext/standard/tests/password/password_bcrypt_errors.phpt | 4 ++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/ext/standard/password.c b/ext/standard/password.c +index 5a8edad4df..757d0865c4 100644 +--- a/ext/standard/password.c ++++ b/ext/standard/password.c +@@ -334,7 +334,12 @@ PHP_FUNCTION(password_hash) + cost = Z_LVAL_PP(option_buffer); + } + } +- ++ ++ if (memchr(password, '\0', password_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Bcrypt password must not contain null character"); ++ RETURN_NULL(); ++ } ++ + if (cost < 4 || cost > 31) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid bcrypt cost parameter specified: %ld", cost); + RETURN_NULL(); +diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt +index 2548c9accb..617f468449 100644 +--- a/ext/standard/tests/password/password_bcrypt_errors.phpt ++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt +@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123))); + + var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo"))); + ++var_dump(password_hash("null\0password", PASSWORD_BCRYPT)); ++ + ?> + --EXPECTF-- + Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d +@@ -36,4 +38,6 @@ NULL + Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d + NULL + ++Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d ++NULL + +-- +2.44.0 + +From d6837c8fc4caff97716c56d6540aea0e8790a5f6 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 10 Apr 2024 09:01:09 +0200 +Subject: [PATCH 4/4] NEWS + +(cherry picked from commit 24f77904ee2259d722559f129f96a1f145a2367b) +(cherry picked from commit 027bdbc636632be49ecfad8d4191509faacb34ac) +(cherry picked from commit fbeed182bb0b0c4c453e064198b5cc3814a10de0) +(cherry picked from commit be830600a8e4c33a25e965d0782903e885e91c6d) +(cherry picked from commit 9ec5a1ed8bed7ca5a14e991ff3e767dbfa773dcd) +(cherry picked from commit d339e614f1e4cbf1aeb5fbee76bb0583885aeb30) +--- + NEWS | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/NEWS b/NEWS +index 69736ccb08..163bc6bdba 100644 +--- a/NEWS ++++ b/NEWS +@@ -6,6 +6,8 @@ Backported from 8.1.28 + - Standard: + . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to + partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos) ++ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, ++ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka) + + Backported from 8.0.30 + +-- +2.44.0 + @@ -64,7 +64,7 @@ %global oraclelib 19.1 %global oracledir 19.19 %else -%global oraclever 21.11 +%global oraclever 21.13 %global oraclelib 21.1 %global oracledir 21 %endif @@ -139,7 +139,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 39%{?dist} +Release: 40%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -259,6 +259,8 @@ Patch262: php-cve-2023-0662.patch Patch263: php-cve-2023-3247.patch Patch264: php-cve-2023-3823.patch Patch265: php-cve-2023-3824.patch +Patch266: php-cve-2024-2756.patch +Patch267: php-cve-2024-3096.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1051,6 +1053,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch -P263 -p1 -b .cve3247 %patch -P264 -p1 -b .cve3823 %patch -P265 -p1 -b .cve3824 +%patch -P266 -p1 -b .cve2756 +%patch -P267 -p1 -b .cve3096 # Fixes for tests %patch -P300 -p1 -b .datetests @@ -1823,7 +1827,7 @@ cat << EOF WARNING : PHP 5.6 have reached its "End of Life" in January 2019. Even, if this package includes some of - the important security fixes, backported from 8.0, the + the important security fixes, backported from 8.1, the UPGRADE to a maintained version is very strongly RECOMMENDED. ===================================================================== @@ -2001,6 +2005,13 @@ EOF %changelog +* Wed Apr 10 2024 Remi Collet <remi@remirepo.net> - 5.6.40-40 +- use oracle client library version 21.13 +- Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix + CVE-2024-2756 +- Fix password_verify can erroneously return true opening ATO risk + CVE-2024-3096 + * Wed Aug 2 2023 Remi Collet <remi@remirepo.net> - 5.6.40-39 - Fix Security issue with external entity loading in XML without enabling it GHSA-3qrf-m4j2-pcrr CVE-2023-3823 |