From aa64914647126cbc436872eccf8aed6eda8c182e Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 26 Sep 2024 13:40:35 +0200 Subject: Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI CVE-2024-4577 Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability CVE-2024-8926 Fix cgi.force_redirect configuration is bypassable due to the environment variable collision CVE-2024-8927 Fix Logs from childrens may be altered CVE-2024-9026 Fix Erroneous parsing of multipart form data CVE-2024-8925 use ICU 74.2 --- php-cve-2024-9026.patch | 177 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 php-cve-2024-9026.patch (limited to 'php-cve-2024-9026.patch') diff --git a/php-cve-2024-9026.patch b/php-cve-2024-9026.patch new file mode 100644 index 0000000..1372cc0 --- /dev/null +++ b/php-cve-2024-9026.patch @@ -0,0 +1,177 @@ +From 22f4d3504d7613ce78bb96aa53cbfe7d672fa036 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka +Date: Thu, 12 Sep 2024 13:11:11 +0100 +Subject: [PATCH 6/8] Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be + altered + +(cherry picked from commit 1f8e16172c7961045c2b0f34ba7613e3f21cdee8) +--- + sapi/fpm/fpm/fpm_stdio.c | 2 +- + .../log-bwp-msg-flush-split-sep-pos-end.phpt | 47 +++++++++++++++++++ + ...log-bwp-msg-flush-split-sep-pos-start.phpt | 47 +++++++++++++++++++ + 3 files changed, 95 insertions(+), 1 deletion(-) + create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt + create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt + +diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c +index d75f9158cda..7983d6217b2 100644 +--- a/sapi/fpm/fpm/fpm_stdio.c ++++ b/sapi/fpm/fpm/fpm_stdio.c +@@ -228,7 +228,7 @@ stdio_read: + if ((sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos) <= in_buf && + !memcmp(buf, &FPM_STDIO_CMD_FLUSH[cmd_pos], sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos)) { + zlog_stream_finish(log_stream); +- start = cmd_pos; ++ start = sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos; + } else { + zlog_stream_str(log_stream, &FPM_STDIO_CMD_FLUSH[0], cmd_pos); + } +diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt +new file mode 100644 +index 00000000000..52826320080 +--- /dev/null ++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt +@@ -0,0 +1,47 @@ ++--TEST-- ++FPM: Buffered worker output plain log with msg with flush split position towards separator end ++--SKIPIF-- ++ ++--FILE-- ++start(); ++$tester->expectLogStartNotices(); ++$tester->request()->expectEmptyBody(); ++$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", decorated: false); ++$tester->expectLogLine("Quarkslab", decorated: false); ++$tester->terminate(); ++$tester->expectLogTerminatingNotices(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++Done ++--CLEAN-- ++ +diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt +new file mode 100644 +index 00000000000..34905938553 +--- /dev/null ++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt +@@ -0,0 +1,47 @@ ++--TEST-- ++FPM: Buffered worker output plain log with msg with flush split position towards separator start ++--SKIPIF-- ++ ++--FILE-- ++start(); ++$tester->expectLogStartNotices(); ++$tester->request()->expectEmptyBody(); ++$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", decorated: false); ++$tester->expectLogLine("Quarkslab", decorated: false); ++$tester->terminate(); ++$tester->expectLogTerminatingNotices(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++Done ++--CLEAN-- ++ +-- +2.46.1 + +From af3fb385e7b328ab89db26ec712d89c7096f0743 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 26 Sep 2024 11:50:54 +0200 +Subject: [PATCH 8/8] NEWS for 8.1.30 backports + +--- + NEWS | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/NEWS b/NEWS +index 79133f558af..bad0a719aae 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,23 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.30 ++ ++- CGI: ++ . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection ++ Vulnerability). (CVE-2024-8926) (nielsdos) ++ . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is ++ bypassable due to the environment variable collision). (CVE-2024-8927) ++ (nielsdos) ++ ++- FPM: ++ . Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). ++ (CVE-2024-9026) (Jakub Zelenka) ++ ++- SAPI: ++ . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). ++ (CVE-2024-8925) (Arnaud) ++ + Backported from 8.1.29 + + - CGI: +-- +2.46.1 + -- cgit