From 04a009d3791ab5c8aeead7988076e6a5ffb6cbc9 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Fri, 27 Sep 2024 09:58:37 +0200
Subject: Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI

  CVE-2024-4577
Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability
  CVE-2024-8926
Fix cgi.force_redirect configuration is bypassable due to the environment variable collision
  CVE-2024-8927
Fix Erroneous parsing of multipart form data
  CVE-2024-8925
---
 php-cve-2024-8927.patch | 102 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 php-cve-2024-8927.patch

(limited to 'php-cve-2024-8927.patch')

diff --git a/php-cve-2024-8927.patch b/php-cve-2024-8927.patch
new file mode 100644
index 0000000..1442d74
--- /dev/null
+++ b/php-cve-2024-8927.patch
@@ -0,0 +1,102 @@
+From 234a673bb5bee58ce752d6fefa4cba99435ae21c Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Tue, 18 Jun 2024 21:28:26 +0200
+Subject: [PATCH 5/8] Fix GHSA-94p6-54jq-9mwp
+
+Apache only generates REDIRECT_STATUS, so explicitly check for that
+if the server name is Apache, don't allow other variable names.
+Furthermore, redirect.so and Netscape no longer exist, so
+remove those entries as we can't check their server name anymore.
+
+We now also check for the configuration override *first* such that it
+always take precedence. This would allow for a mitigation path if
+something like this happens in the future.
+
+(cherry picked from commit 48808d98f4fc2a05193cdcc1aedd6c66816450f1)
+(cherry picked from commit 8aa748ee0657cdee8d883ba50d04b68bc450f686)
+(cherry picked from commit c7308ba7cd0533501b40eba255602bb5e085550f)
+(cherry picked from commit 21e2b0ab382a898f627c97d39f5e5afc2431afe7)
+(cherry picked from commit 74f1553070cb6237e25945407be7f75a43736113)
+(cherry picked from commit 1e522a66b2b5376545c3e3dfc743e4e6614aade9)
+---
+ sapi/cgi/cgi_main.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index f3b75bf7e7..7b3ff2e17c 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1916,18 +1916,17 @@ int main(int argc, char *argv[])
+ 
+ 	/* check force_cgi after startup, so we have proper output */
+ 	if (cgi && CGIG(force_redirect)) {
+-		/* Apache will generate REDIRECT_STATUS,
+-		 * Netscape and redirect.so will generate HTTP_REDIRECT_STATUS.
+-		 * redirect.so and installation instructions available from
+-		 * http://www.koehntopp.de/php.
+-		 *   -- kk@netuse.de
+-		 */
+-		if (!getenv("REDIRECT_STATUS") &&
+-			!getenv ("HTTP_REDIRECT_STATUS") &&
+-			/* this is to allow a different env var to be configured
+-			 * in case some server does something different than above */
+-			(!CGIG(redirect_status_env) || !getenv(CGIG(redirect_status_env)))
+-		) {
++		/* This is to allow a different environment variable to be configured
++		 * in case the we cannot auto-detect which environment variable to use.
++		 * Checking this first to allow user overrides in case the environment
++		 * variable can be set by an untrusted party. */
++		const char *redirect_status_env = CGIG(redirect_status_env);
++		if (!redirect_status_env) {
++			/* Apache will generate REDIRECT_STATUS. */
++			redirect_status_env = "REDIRECT_STATUS";
++		}
++
++		if (!getenv(redirect_status_env)) {
+ 			zend_try {
+ 				SG(sapi_headers).http_response_code = 400;
+ 				PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
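Review bot: the commit message says REDIRECT_STATUS is checked "if the server name is Apache", but the hunk never inspects a server-name variable: when `cgi.redirect_status_env` is unset it unconditionally falls back to `redirect_status_env = "REDIRECT_STATUS";`, whatever server is running. Either reword the message to match (the variable name is now fixed to REDIRECT_STATUS unless overridden) or add the server check it describes. The behavioural change itself is the right one: the old condition also accepted `HTTP_REDIRECT_STATUS`, and the new comment's own justification ("in case the environment variable can be set by an untrusted party") is exactly why an HTTP_-prefixed name cannot serve as evidence that the server redirected into the CGI binary; the new code consults exactly one variable, with the configured override taking precedence over the default so an administrator retains a mitigation knob. Two smaller points: the new comment reads "in case the we cannot auto-detect" (drop "the"), and because a configured `cgi.redirect_status_env` is now the only name consulted, the ini documentation should warn that pointing it at an `HTTP_*` name reintroduces the bypass this patch closes.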
+-- 
+2.46.1
+
+From 9a3477d3c48272520840f9e20a7135e929e68c0e Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 26 Sep 2024 11:50:54 +0200
+Subject: [PATCH 7/8] NEWS for 8.1.30 backports
+
+(cherry picked from commit af3fb385e7b328ab89db26ec712d89c7096f0743)
+(cherry picked from commit 1154fbd3ddfa418bf2492c5366adaefb47c47737)
+(cherry picked from commit b4667e4ebe241d95775962b1e8b24788e7945de2)
+(cherry picked from commit e80cb90b00aa403a5aa995f612ecb358323e9572)
+(cherry picked from commit fbd3eff22ba8becf30263ddf6ab92a9c2ca93181)
+---
+ NEWS | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 6f26c17ead..cf90002253 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,19 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.1.30
++
++- CGI:
++  . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
++    Vulnerability). (CVE-2024-8926) (nielsdos)
++  . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
++    bypassable due to the environment variable collision). (CVE-2024-8927)
++    (nielsdos)
++
++- SAPI:
++  . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
++    (CVE-2024-8925) (Arnaud)
++
+ Backported from 8.1.29
+ 
+ - CGI:
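Review bot: the NEWS hunk records three fixes (CVE-2024-8926, CVE-2024-8927 and CVE-2024-8925), but this file carries only patches 5/8 and 7/8 of the series, that is the cgi_main.c change for GHSA-94p6-54jq-9mwp (CVE-2024-8927) plus the NEWS entry; the GHSA-p99j-rfp4-xqvq and GHSA-9pqp-7h25-4f32 changes are not in php-cve-2024-8927.patch. Since this view is limited to one file, the remaining backports are presumably sibling patch files of the same commit; if so, make sure the spec applies all of them before this NEWS patch, otherwise the changelog advertises fixes the build may not contain. It would also be clearer to keep the NEWS hunk in the file of the last patch in the series rather than in the file named after a single CVE.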
+-- 
+2.46.1
+