summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2024-04-10 14:56:28 +0200
committerRemi Collet <remi@php.net>2024-04-10 14:56:28 +0200
commit997d6f80d9b806bcdad4af50a785d271b65004bf (patch)
tree771b913bf7b6d163b6aeab8542ebb3541bb207af
parente51a3d1aa8197e659b0ed76baf4b9c8799788c48 (diff)
use oracle client library version 21.13 on x86_64, 19.19 on aarch64
Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 Fix password_verify can erroneously return true opening ATO risk CVE-2024-3096
-rw-r--r--failed.txt4
-rw-r--r--php-cve-2024-2756.patch201
-rw-r--r--php-cve-2024-3096.patch88
-rw-r--r--php.spec19
4 files changed, 305 insertions, 7 deletions
diff --git a/failed.txt b/failed.txt
index 34d75c7..fa60712 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,8 +1,8 @@
-===== 7.0.33-37 (2023-02-15)
+===== 7.0.33-41 (2024-04-11)
$ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
-/var/lib/mock/scl70el7x/build.log:Tests failed : 16
+/var/lib/mock/scl70el7x/build.log:Tests failed : 18
/var/lib/mock/scl70el8x/build.log:Tests failed : 30
diff --git a/php-cve-2024-2756.patch b/php-cve-2024-2756.patch
new file mode 100644
index 0000000..7a9e942
--- /dev/null
+++ b/php-cve-2024-2756.patch
@@ -0,0 +1,201 @@
+From ec9b61593fa2b9400d4519b9969645c1266a381d Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sun, 17 Mar 2024 21:04:47 +0100
+Subject: [PATCH 1/4] Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass
+ due to partial CVE-2022-31629 fix
+
+The check happened too early as later code paths may perform more
+mangling rules. Move the check downwards right before adding the actual
+variable.
+
+(cherry picked from commit 093c08af25fb323efa0c8e6154aa9fdeae3d3b53)
+(cherry picked from commit 2e07a3acd7a6b53c55325b94bed97748d7697b53)
+(cherry picked from commit a6c1c62a25ac23b08a86af11d68f0e2eaafc102b)
+(cherry picked from commit 46b570a1e4aeb4a414898fcc09503ac388d16256)
+(cherry picked from commit c213de619a532d35e8f7abe4a245433dbf21c960)
+(cherry picked from commit a1b0060906bc4eedaf5bb3577a0d6d4b0e6b9dfd)
+---
+ ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt | 63 +++++++++++++++++++++
+ main/php_variables.c | 41 +++++++++-----
+ 2 files changed, 90 insertions(+), 14 deletions(-)
+ create mode 100644 ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+
+diff --git a/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+new file mode 100644
+index 0000000000..77fcb68089
+--- /dev/null
++++ b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+@@ -0,0 +1,63 @@
++--TEST--
++ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix)
++--COOKIE--
++..Host-test=ignore_1;
++._Host-test=ignore_2;
++.[Host-test=ignore_3;
++_.Host-test=ignore_4;
++__Host-test=ignore_5;
++_[Host-test=ignore_6;
++[.Host-test=ignore_7;
++[_Host-test=ignore_8;
++[[Host-test=ignore_9;
++..Host-test[]=ignore_10;
++._Host-test[]=ignore_11;
++.[Host-test[]=ignore_12;
++_.Host-test[]=ignore_13;
++__Host-test[]=legitimate_14;
++_[Host-test[]=legitimate_15;
++[.Host-test[]=ignore_16;
++[_Host-test[]=ignore_17;
++[[Host-test[]=ignore_18;
++..Secure-test=ignore_1;
++._Secure-test=ignore_2;
++.[Secure-test=ignore_3;
++_.Secure-test=ignore_4;
++__Secure-test=ignore_5;
++_[Secure-test=ignore_6;
++[.Secure-test=ignore_7;
++[_Secure-test=ignore_8;
++[[Secure-test=ignore_9;
++..Secure-test[]=ignore_10;
++._Secure-test[]=ignore_11;
++.[Secure-test[]=ignore_12;
++_.Secure-test[]=ignore_13;
++__Secure-test[]=legitimate_14;
++_[Secure-test[]=legitimate_15;
++[.Secure-test[]=ignore_16;
++[_Secure-test[]=ignore_17;
++[[Secure-test[]=ignore_18;
++--FILE--
++<?php
++var_dump($_COOKIE);
++?>
++--EXPECT--
++array(3) {
++ ["__Host-test"]=>
++ array(1) {
++ [0]=>
++ string(13) "legitimate_14"
++ }
++ ["_"]=>
++ array(2) {
++ ["Host-test["]=>
++ string(13) "legitimate_15"
++ ["Secure-test["]=>
++ string(13) "legitimate_15"
++ }
++ ["__Secure-test"]=>
++ array(1) {
++ [0]=>
++ string(13) "legitimate_14"
++ }
++}
+diff --git a/main/php_variables.c b/main/php_variables.c
+index e5d3ffcf52..46de3477ca 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -53,6 +53,21 @@ PHPAPI void php_register_variable_safe(char *var, char *strval, size_t str_len,
+ php_register_variable_ex(var, &new_entry, track_vars_array);
+ }
+
++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++static zend_bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
++{
++ if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
++ return 1;
++ }
++
++ if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++ return 1;
++ }
++
++ return 0;
++}
++
+ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array)
+ {
+ char *p = NULL;
+@@ -103,20 +118,6 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
+ }
+ var_len = p - var;
+
+- /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+- if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+- /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+- if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+ if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ zval_dtor(val);
+ free_alloca(var_orig, use_heap);
+@@ -194,6 +195,12 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
+ return;
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
+ if (!gpc_element_p) {
+ zval tmp;
+@@ -230,6 +237,12 @@ plain_var:
+ zval_ptr_dtor(&gpc_element);
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ /*
+ * According to rfc2965, more specific paths are listed above the less specific ones.
+ * If we encounter a duplicate cookie name, we should skip it, since it is not possible
+--
+2.44.0
+
+From d8e42d4a8471e19710dbb60018ed956eed34af90 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 10 Apr 2024 08:59:32 +0200
+Subject: [PATCH 2/4] NEWS
+
+(cherry picked from commit 366cc249b7d54707572beb7096e8f6c65ee79719)
+(cherry picked from commit dcdd49ef3bfbd8ccc778850d6a0f9b98adf625d4)
+(cherry picked from commit 8642473b624f809b768180b104c013f74e3a99a0)
+(cherry picked from commit ee591001f7a3db7405b4fa027659768c2355df6d)
+(cherry picked from commit 035bc48bafe5d567f4ab8de6d1752a724e361690)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 53ca87c8e6..fae611c48c 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.1.28
++
++- Standard:
++ . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
++ partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
++
+ Backported from 8.0.30
+
+ - Libxml:
+--
+2.44.0
+
diff --git a/php-cve-2024-3096.patch b/php-cve-2024-3096.patch
new file mode 100644
index 0000000..7ba38c1
--- /dev/null
+++ b/php-cve-2024-3096.patch
@@ -0,0 +1,88 @@
+From 459b4ac6a8d9bec32110b68ac194d71ec2b72182 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Fri, 29 Mar 2024 15:27:59 +0000
+Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
+ erroneously return true
+
+Disallow null character in bcrypt password
+
+(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
+(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051)
+(cherry picked from commit 4a7ceb9d6427f8d368f1a8739267b1f8310ec201)
+(cherry picked from commit 747100905eceffb1f67096b437001e42900eb6bb)
+(cherry picked from commit d22d9ebb29dce86edd622205dd1196a2796c08c7)
+(cherry picked from commit cd9a376c28c6f4ce83aab53ec069234fe1d2a819)
+---
+ ext/standard/password.c | 5 +++++
+ ext/standard/tests/password/password_bcrypt_errors.phpt | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/ext/standard/password.c b/ext/standard/password.c
+index 33c6e5c718..e2466d1179 100644
+--- a/ext/standard/password.c
++++ b/ext/standard/password.c
+@@ -283,6 +283,11 @@ PHP_FUNCTION(password_hash)
+ cost = zval_get_long(option_buffer);
+ }
+
++ if (memchr(password, '\0', password_len)) {
++ php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
++ RETURN_NULL();
++ }
++
+ if (cost < 4 || cost > 31) {
+ php_error_docref(NULL, E_WARNING, "Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
+ RETURN_NULL();
+diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
+index e8f7600b63..f95b72670a 100644
+--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
+@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
+
+ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
+
++var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
++
+ ?>
+ --EXPECTF--
+ Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
+@@ -42,4 +44,6 @@ NULL
+ Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
+ NULL
+
++Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
++NULL
+
+--
+2.44.0
+
+From d339e614f1e4cbf1aeb5fbee76bb0583885aeb30 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 10 Apr 2024 09:01:09 +0200
+Subject: [PATCH 4/4] NEWS
+
+(cherry picked from commit 24f77904ee2259d722559f129f96a1f145a2367b)
+(cherry picked from commit 027bdbc636632be49ecfad8d4191509faacb34ac)
+(cherry picked from commit fbeed182bb0b0c4c453e064198b5cc3814a10de0)
+(cherry picked from commit be830600a8e4c33a25e965d0782903e885e91c6d)
+(cherry picked from commit 9ec5a1ed8bed7ca5a14e991ff3e767dbfa773dcd)
+---
+ NEWS | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index fae611c48c..fed03499f6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -6,6 +6,8 @@ Backported from 8.1.28
+ - Standard:
+ . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
+ partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
++ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
++ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
+
+ Backported from 8.0.30
+
+--
+2.44.0
+
diff --git a/php.spec b/php.spec
index 3dc98d9..4e43e52 100644
--- a/php.spec
+++ b/php.spec
@@ -60,7 +60,7 @@
%global oraclelib 19.1
%global oracledir 19.19
%else
-%global oraclever 21.11
+%global oraclever 21.13
%global oraclelib 21.1
%global oracledir 21
%endif
@@ -134,7 +134,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 40%{?dist}
+Release: 41%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -266,6 +266,8 @@ Patch262: php-cve-2023-0662.patch
Patch263: php-cve-2023-3247.patch
Patch264: php-cve-2023-3823.patch
Patch265: php-cve-2023-3824.patch
+Patch266: php-cve-2024-2756.patch
+Patch267: php-cve-2024-3096.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1074,8 +1076,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch -P263 -p1 -b .cve3247
%patch -P264 -p1 -b .cve3823
%patch -P265 -p1 -b .cve3824
-: ---------------------------
-#exit 1
+%patch -P266 -p1 -b .cve2756
+%patch -P267 -p1 -b .cve3096
# Fixes for tests
%patch -P300 -p1 -b .datetests
@@ -1847,7 +1849,7 @@ cat << EOF
WARNING : PHP 7.0 have reached its "End of Life" in
December 2018. Even, if this package includes some of
- the important security fixes, backported from 8.0, the
+ the important security fixes, backported from 8.1, the
UPGRADE to a maintained version is very strongly RECOMMENDED.
=====================================================================
@@ -2031,6 +2033,13 @@ EOF
%changelog
+* Wed Apr 10 2024 Remi Collet <remi@remirepo.net> - 7.0.33-41
+- use oracle client library version 21.13 on x86_64, 19.19 on aarch64
+- Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
+ CVE-2024-2756
+- Fix password_verify can erroneously return true opening ATO risk
+ CVE-2024-3096
+
* Wed Aug 2 2023 Remi Collet <remi@remirepo.net> - 7.0.33-40
- Fix Security issue with external entity loading in XML without enabling it
GHSA-3qrf-m4j2-pcrr CVE-2023-3823