From 459b4ac6a8d9bec32110b68ac194d71ec2b72182 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Fri, 29 Mar 2024 15:27:59 +0000
Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
 erroneously return true

Disallow null character in bcrypt password

(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051)
(cherry picked from commit 4a7ceb9d6427f8d368f1a8739267b1f8310ec201)
(cherry picked from commit 747100905eceffb1f67096b437001e42900eb6bb)
(cherry picked from commit d22d9ebb29dce86edd622205dd1196a2796c08c7)
(cherry picked from commit cd9a376c28c6f4ce83aab53ec069234fe1d2a819)
---
 ext/standard/password.c                                 | 5 +++++
 ext/standard/tests/password/password_bcrypt_errors.phpt | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/ext/standard/password.c b/ext/standard/password.c
index 33c6e5c718..e2466d1179 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -283,6 +283,11 @@ PHP_FUNCTION(password_hash)
 				cost = zval_get_long(option_buffer);
 			}
 
+			if (memchr(password, '\0', password_len)) {
+				php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
+				RETURN_NULL();
+			}
+
 			if (cost < 4 || cost > 31) {
 				php_error_docref(NULL, E_WARNING, "Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
 				RETURN_NULL();
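Review bot: The new memchr() guard at the top of the hunk carries no comment saying why an embedded NUL is rejected, and the surrounding cost-handling code gives no hint; the commit subject ("password_verify can erroneously return true") is the only place the reason lives. A one-line comment on the guard would keep that knowledge with the code, e.g. `/* GHSA-q6x7-frmf-grcw: the bcrypt backend takes a C string, so an embedded NUL would presumably truncate the password and let a prefix verify; refuse it outright */`. The guard runs only on the bcrypt path shown here, which matches the stated scope; whether other algorithms need the same check is not visible in this hunk. Note also that the check is ordered before the cost range check, so a call with both problems reports the NUL warning first, which is fine but worth knowing when reading the test expectations. PHP_FUNCTION(password_hash) starts and ends outside the hunk.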
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
index e8f7600b63..f95b72670a 100644
--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
+++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
 
 var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
 
+var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+
 ?>
 --EXPECTF--
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
@@ -42,4 +44,6 @@ NULL
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
 NULL
 
+Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
+NULL
 
-- 
2.44.0

From d339e614f1e4cbf1aeb5fbee76bb0583885aeb30 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 10 Apr 2024 09:01:09 +0200
Subject: [PATCH 4/4] NEWS

(cherry picked from commit 24f77904ee2259d722559f129f96a1f145a2367b)
(cherry picked from commit 027bdbc636632be49ecfad8d4191509faacb34ac)
(cherry picked from commit fbeed182bb0b0c4c453e064198b5cc3814a10de0)
(cherry picked from commit be830600a8e4c33a25e965d0782903e885e91c6d)
(cherry picked from commit 9ec5a1ed8bed7ca5a14e991ff3e767dbfa773dcd)
---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/NEWS b/NEWS
index fae611c48c..fed03499f6 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ Backported from 8.1.28
 - Standard:
   . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
     partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
+  . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
+    opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
 
 Backported from 8.0.30
 
-- 
2.44.0