| author | Remi Collet <remi@remirepo.net> | 2024-09-26 16:59:43 +0200 | 
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2024-09-26 16:59:43 +0200 | 
| commit | 56699414f3808502aa299e7f8c78015c801455fa (patch) | |
| tree | aa47fee35c58dbd55f48202f05643dd45d271dd0 /php-cve-2024-8927.patch | |
| parent | 11cdddba8b85449e00369f581a9d535bd42b3fe2 (diff) | |
Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI
  CVE-2024-4577
Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability
  CVE-2024-8926
Fix cgi.force_redirect configuration is bypassable due to the environment variable collision
  CVE-2024-8927
Fix Logs from childrens may be altered
  CVE-2024-9026
Fix Erroneous parsing of multipart form data
  CVE-2024-8925
use ICU 74.2
Diffstat (limited to 'php-cve-2024-8927.patch')
| -rw-r--r-- | php-cve-2024-8927.patch | 57 | 
1 files changed, 57 insertions, 0 deletions
| diff --git a/php-cve-2024-8927.patch b/php-cve-2024-8927.patch
new file mode 100644
index 0000000..ed1e4cf
--- /dev/null
+++ b/php-cve-2024-8927.patch
@@ -0,0 +1,57 @@
+From c7308ba7cd0533501b40eba255602bb5e085550f Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Tue, 18 Jun 2024 21:28:26 +0200
+Subject: [PATCH 06/11] Fix GHSA-94p6-54jq-9mwp
+
+Apache only generates REDIRECT_STATUS, so explicitly check for that
+if the server name is Apache, don't allow other variable names.
+Furthermore, redirect.so and Netscape no longer exist, so
+remove those entries as we can't check their server name anymore.
+
+We now also check for the configuration override *first* such that it
+always take precedence. This would allow for a mitigation path if
+something like this happens in the future.
+
+(cherry picked from commit 48808d98f4fc2a05193cdcc1aedd6c66816450f1)
+(cherry picked from commit 8aa748ee0657cdee8d883ba50d04b68bc450f686)
+---
+ sapi/cgi/cgi_main.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
+index a2761aafd7b..ebce6302b93 100644
+--- a/sapi/cgi/cgi_main.c
++++ b/sapi/cgi/cgi_main.c
+@@ -1939,18 +1939,17 @@ int main(int argc, char *argv[])
+ 
+ 	/* check force_cgi after startup, so we have proper output */
+ 	if (cgi && CGIG(force_redirect)) {
+-		/* Apache will generate REDIRECT_STATUS,
+-		 * Netscape and redirect.so will generate HTTP_REDIRECT_STATUS.
+-		 * redirect.so and installation instructions available from
+-		 * http://www.koehntopp.de/php.
+-		 *   -- kk@netuse.de
+-		 */
+-		if (!getenv("REDIRECT_STATUS") &&
+-			!getenv ("HTTP_REDIRECT_STATUS") &&
+-			/* this is to allow a different env var to be configured
+-			 * in case some server does something different than above */
+-			(!CGIG(redirect_status_env) || !getenv(CGIG(redirect_status_env)))
+-		) {
++		/* This is to allow a different environment variable to be configured
++		 * in case the we cannot auto-detect which environment variable to use.
++		 * Checking this first to allow user overrides in case the environment
++		 * variable can be set by an untrusted party. */
++		const char *redirect_status_env = CGIG(redirect_status_env);
++		if (!redirect_status_env) {
++			/* Apache will generate REDIRECT_STATUS. */
++			redirect_status_env = "REDIRECT_STATUS";
++		}
++
++		if (!getenv(redirect_status_env)) {
+ 			zend_try {
+ 				SG(sapi_headers).http_response_code = 400;
+ 				PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
+-- 
+2.46.1
+ | 
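Review bot: The override taken from `CGIG(redirect_status_env)` is handed to `getenv()` exactly as configured, so a deployment that sets it to a name beginning with `HTTP_` would bring back the collision this patch removes, since CGI servers build `HTTP_*` variables from request headers. Nothing in the visible lines rejects or warns about such a value, and the new comment only alludes to the risk. I would extend that comment with a line such as `* The configured name must not start with HTTP_: those variables are derived from client request headers.` so the constraint is stated where the override is read. The same comment carries a small typo, `in case the we cannot`. The body of `main` continues outside the hunk, so a validation step elsewhere cannot be ruled out from here.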
