From 747100905eceffb1f67096b437001e42900eb6bb Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Fri, 29 Mar 2024 15:27:59 +0000
Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
 erroneously return true

Disallow null character in bcrypt password

(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051)
(cherry picked from commit 4a7ceb9d6427f8d368f1a8739267b1f8310ec201)
---
 ext/standard/password.c                                 | 5 +++++
 ext/standard/tests/password/password_bcrypt_errors.phpt | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/ext/standard/password.c b/ext/standard/password.c
index 5cf0d397f5..79454e0a1e 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -467,6 +467,11 @@ PHP_FUNCTION(password_hash)
 					cost = zval_get_long(option_buffer);
 				}
 
+				if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+					php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
+					RETURN_NULL();
+				}
+
 				if (cost < 4 || cost > 31) {
 					php_error_docref(NULL, E_WARNING, "Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
 					RETURN_NULL();
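Review bot: The new memchr() guard closes the issue only on the hashing side: password_verify() is not touched by this hunk, so a hash produced from a NUL-containing password before this fix, or a verify call whose candidate contains a NUL, presumably still compares only the bytes before the NUL (hedged — the crypt path is not visible here). That limitation deserves a comment above the check so the next reader does not assume verification is covered: `/* bcrypt takes a C string and stops at the first NUL, so such a password would hash (and later verify) as only its prefix; refuse it outright. */`. The check is deliberately scoped to the bcrypt branch (the one that reads `cost`), which matches the warning text, and placing it before the cost range check means a NUL-containing password reports the NUL warning even when the cost is also invalid — acceptable, but worth a word in the commit message. PHP_FUNCTION(password_hash) starts and ends outside the hunk.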
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
index a0826080e6..f95b72670a 100644
--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
+++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
 
 var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
 
+var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+
 ?>
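Review bot: The added test pins only the rejection path in password_hash(); nothing asserts the verify-side behavior that the commit subject names. A companion case such as `var_dump(password_verify("foo\0bar", password_hash("foo", PASSWORD_BCRYPT)));` would document whether an embedded NUL in the candidate still matches the prefix hash (presumably it does, since this patch changes only password_hash), and `var_dump(password_hash("\0", PASSWORD_BCRYPT));` covers the leading-NUL boundary where the effective password would otherwise be empty. The expected-output hunk below would need the matching lines.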
 --EXPECTF--
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
@@ -41,3 +43,7 @@ NULL
 
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
 NULL
+
+Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
+NULL
+
-- 
2.44.0

From fbeed182bb0b0c4c453e064198b5cc3814a10de0 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 10 Apr 2024 09:01:09 +0200
Subject: [PATCH 4/4] NEWS

(cherry picked from commit 24f77904ee2259d722559f129f96a1f145a2367b)
(cherry picked from commit 027bdbc636632be49ecfad8d4191509faacb34ac)
---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/NEWS b/NEWS
index e26f978213..6ad89d2e8e 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ Backported from 8.1.28
 - Standard:
   . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
     partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
+  . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
+    opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
 
 Backported from 8.0.30
 
-- 
2.44.0