summaryrefslogtreecommitdiffstats
path: root/php-cve-2024-3096.patch
diff options
context:
space:
mode:
Diffstat (limited to 'php-cve-2024-3096.patch')
-rw-r--r--php-cve-2024-3096.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/php-cve-2024-3096.patch b/php-cve-2024-3096.patch
new file mode 100644
index 0000000..40169dd
--- /dev/null
+++ b/php-cve-2024-3096.patch
@@ -0,0 +1,77 @@
+From 81794c73068d9a44bf109bbcc9793e7b56a1c051 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Fri, 29 Mar 2024 15:27:59 +0000
+Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
+ erroneously return true
+
+Disallow null character in bcrypt password
+
+(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
+---
+ ext/standard/password.c | 5 +++++
+ ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/ext/standard/password.c b/ext/standard/password.c
+index fb29e7bbba4..40117983f70 100644
+--- a/ext/standard/password.c
++++ b/ext/standard/password.c
+@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
+ zval *zcost;
+ zend_long cost = PHP_PASSWORD_BCRYPT_COST;
+
++ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
++ zend_value_error("Bcrypt password must not contain null character");
++ return NULL;
++ }
++
+ if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
+ cost = zval_get_long(zcost);
+ }
+diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
+index 10c3483f5a8..5d823cba021 100644
+--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
+@@ -14,7 +14,14 @@ try {
+ } catch (ValueError $exception) {
+ echo $exception->getMessage() . "\n";
+ }
++
++try {
++ var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
+ ?>
+ --EXPECT--
+ Invalid bcrypt cost parameter specified: 3
+ Invalid bcrypt cost parameter specified: 32
++Bcrypt password must not contain null character
+--
+2.44.0
+
+From 24f77904ee2259d722559f129f96a1f145a2367b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 10 Apr 2024 09:01:09 +0200
+Subject: [PATCH 4/4] NEWS
+
+---
+ NEWS | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 14fda3a58b9..8b4801d707e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -6,6 +6,8 @@ Backported from 8.1.28
+ - Standard:
+ . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
+ partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
++ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
++ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
+
+ 03 Aug 2023, PHP 8.0.30
+
+--
+2.44.0
+