From 4e1bc99284de106ea65bfbede27f48699bd132bd Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 7 Jun 2023 12:23:13 +0200 Subject: Fix Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP GHSA-76gg-c692-v2mw use oracle client library version 21.10 --- php-ghsa-76gg-c692-v2mw.patch | 124 ++++++++++++++++++++++++++++++++++++++++++ php.spec | 12 +++- 2 files changed, 134 insertions(+), 2 deletions(-) create mode 100644 php-ghsa-76gg-c692-v2mw.patch diff --git a/php-ghsa-76gg-c692-v2mw.patch b/php-ghsa-76gg-c692-v2mw.patch new file mode 100644 index 0000000..fdf9fce --- /dev/null +++ b/php-ghsa-76gg-c692-v2mw.patch @@ -0,0 +1,124 @@ +From b9e09489f8160eb5e38a11e84ef6c8b74c2ec828 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 16 Apr 2023 15:05:03 +0200 +Subject: [PATCH] Fix missing randomness check and insufficient random bytes + for SOAP HTTP Digest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If php_random_bytes_throw fails, the nonce will be uninitialized, but +still sent to the server. The client nonce is intended to protect +against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], +and bullet point 2 below. + +Tim pointed out that even though it's the MD5 of the nonce that gets sent, +enumerating 31 bits is trivial. So we have still a stack information leak +of 31 bits. + +Furthermore, Tim found the following issues: +* The small size of cnonce might cause the server to erroneously reject + a request due to a repeated (cnonce, nc) pair. As per the birthday + problem 31 bits of randomness will return a duplication with 50% + chance after less than 55000 requests and nc always starts counting at 1. +* The cnonce is intended to protect the client and password against a + malicious server that returns a constant server nonce where the server + precomputed a rainbow table between passwords and correct client response. + As storage is fairly cheap, a server could precompute the client responses + for (a subset of) client nonces and still have a chance of reversing the + client response with the same probability as the cnonce duplication. + + Precomputing the rainbow table for all 2^31 cnonces increases the rainbow + table size by factor 2 billion, which is infeasible. But precomputing it + for 2^14 cnonces only increases the table size by factor 16k and the server + would still have a 10% chance of successfully reversing a password with a + single client request. + +This patch fixes the issues by increasing the nonce size, and checking +the return value of php_random_bytes_throw(). In the process we also get +rid of the MD5 hashing of the nonce. + +[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 + +Co-authored-by: Tim Düsterhus +(cherry picked from commit 126d517ce240e9f638d9a5eaa509eaca49ef562a) +(cherry picked from commit 0cfca9aa1395271833848daec0bace51d965531d) +--- + NEWS | 6 ++++++ + ext/soap/php_http.c | 19 ++++++++++++++----- + 2 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/NEWS b/NEWS +index 11f6e7ad5a8..0770d913467 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.0.29 ++ ++- Soap: ++ . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random ++ bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla) ++ + Backported from 8.0.28 + + - Core: +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 3a890d7c36f..3bfa4f6f54c 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -646,14 +646,23 @@ int make_http_soap_request(zval *this_ptr, + if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { + if (Z_TYPE_P(digest) == IS_ARRAY) { + char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; ++ unsigned char nonce[16]; + PHP_MD5_CTX md5ctx; + unsigned char hash[16]; + +- PHP_MD5Init(&md5ctx); +- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, php_rand()); +- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); +- PHP_MD5Final(hash, &md5ctx); +- make_digest(cnonce, hash); ++ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { ++ ZEND_ASSERT(EG(exception)); ++ php_stream_close(stream); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1); ++ smart_str_free(&soap_headers_z); ++ smart_str_free(&soap_headers); ++ return FALSE; ++ } ++ ++ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); ++ cnonce[32] = 0; + + if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && + Z_TYPE_P(tmp) == IS_LONG) { +From e4dd20803ac5579deec54dc6b699d359890f96f0 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 6 Jun 2023 18:05:22 +0200 +Subject: [PATCH] Fix GH-11382 add missing hash header for bin2hex + +(cherry picked from commit 40439039c224bb8cdebd1b7b3d03b8cc11e7cce7) +--- + ext/soap/php_http.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 3bfa4f6f54..72b5bdec2b 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -22,7 +22,8 @@ + #include "php_soap.h" + #include "ext/standard/base64.h" + #include "ext/standard/md5.h" +-#include "ext/standard/php_rand.h" ++#include "ext/standard/php_random.h" ++#include "ext/hash/php_hash.h" + + static char *get_http_header_value(char *headers, char *type); + static zend_string *get_http_body(php_stream *socketd, int close, char *headers); diff --git a/php.spec b/php.spec index fff791c..ae18340 100644 --- a/php.spec +++ b/php.spec @@ -55,7 +55,7 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) -%global oraclever 21.8 +%global oraclever 21.10 %global oraclelib 21.1 # Build for LiteSpeed Web Server (LSAPI) @@ -127,7 +127,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 37%{?dist} +Release: 38%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -256,6 +256,7 @@ Patch259: php-bug81740.patch Patch260: php-bug81744.patch Patch261: php-bug81746.patch Patch262: php-cve-2023-0662.patch +Patch263: php-ghsa-76gg-c692-v2mw.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1060,6 +1061,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch260 -p1 -b .bug81744 %patch261 -p1 -b .bug81746 %patch262 -p1 -b .cve0662 +%patch263 -p1 -b .ghsa-76gg-c692-v2mw : --------------------------- #exit 1 @@ -2017,6 +2019,12 @@ EOF %changelog +* Wed Jun 7 2023 Remi Collet - 7.0.33-38 +- Fix Missing error check and insufficient random bytes in HTTP Digest + authentication for SOAP + GHSA-76gg-c692-v2mw +- use oracle client library version 21.10 + * Tue Feb 14 2023 Remi Collet - 7.0.33-37 - fix #81744: Password_verify() always return true with some hash CVE-2023-0567 -- cgit