diff options
author | Remi Collet <remi@remirepo.net> | 2024-04-10 15:14:09 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2024-04-10 15:14:09 +0200 |
commit | b5323bc96044caafab62b86e2db010c8904a84b2 (patch) | |
tree | 1d9cd894cfe77a7f69e899762c2278576ca76df6 /php-cve-2024-3096.patch | |
parent | 4b8fde8f2ca42ad47d3f484417f6d0dba35f1280 (diff) |
use oracle client library version 21.13
Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
CVE-2024-2756
Fix password_verify can erroneously return true opening ATO risk
CVE-2024-3096
Diffstat (limited to 'php-cve-2024-3096.patch')
-rw-r--r-- | php-cve-2024-3096.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/php-cve-2024-3096.patch b/php-cve-2024-3096.patch new file mode 100644 index 0000000..b111ab1 --- /dev/null +++ b/php-cve-2024-3096.patch @@ -0,0 +1,92 @@ +From 275555907e5c56b63ca2ae3259009e5537f970e5 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Fri, 29 Mar 2024 15:27:59 +0000 +Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can + erroneously return true + +Disallow null character in bcrypt password + +(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826) +(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051) +(cherry picked from commit 4a7ceb9d6427f8d368f1a8739267b1f8310ec201) +(cherry picked from commit 747100905eceffb1f67096b437001e42900eb6bb) +(cherry picked from commit d22d9ebb29dce86edd622205dd1196a2796c08c7) +(cherry picked from commit cd9a376c28c6f4ce83aab53ec069234fe1d2a819) +(cherry picked from commit 459b4ac6a8d9bec32110b68ac194d71ec2b72182) +--- + ext/standard/password.c | 7 ++++++- + ext/standard/tests/password/password_bcrypt_errors.phpt | 4 ++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/ext/standard/password.c b/ext/standard/password.c +index 5a8edad4df..757d0865c4 100644 +--- a/ext/standard/password.c ++++ b/ext/standard/password.c +@@ -334,7 +334,12 @@ PHP_FUNCTION(password_hash) + cost = Z_LVAL_PP(option_buffer); + } + } +- ++ ++ if (memchr(password, '\0', password_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Bcrypt password must not contain null character"); ++ RETURN_NULL(); ++ } ++ + if (cost < 4 || cost > 31) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid bcrypt cost parameter specified: %ld", cost); + RETURN_NULL(); +diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt +index 2548c9accb..617f468449 100644 +--- a/ext/standard/tests/password/password_bcrypt_errors.phpt ++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt +@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123))); + + var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo"))); + ++var_dump(password_hash("null\0password", PASSWORD_BCRYPT)); ++ + ?> + --EXPECTF-- + Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d +@@ -36,4 +38,6 @@ NULL + Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d + NULL + ++Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d ++NULL + +-- +2.44.0 + +From d6837c8fc4caff97716c56d6540aea0e8790a5f6 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 10 Apr 2024 09:01:09 +0200 +Subject: [PATCH 4/4] NEWS + +(cherry picked from commit 24f77904ee2259d722559f129f96a1f145a2367b) +(cherry picked from commit 027bdbc636632be49ecfad8d4191509faacb34ac) +(cherry picked from commit fbeed182bb0b0c4c453e064198b5cc3814a10de0) +(cherry picked from commit be830600a8e4c33a25e965d0782903e885e91c6d) +(cherry picked from commit 9ec5a1ed8bed7ca5a14e991ff3e767dbfa773dcd) +(cherry picked from commit d339e614f1e4cbf1aeb5fbee76bb0583885aeb30) +--- + NEWS | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/NEWS b/NEWS +index 69736ccb08..163bc6bdba 100644 +--- a/NEWS ++++ b/NEWS +@@ -6,6 +6,8 @@ Backported from 8.1.28 + - Standard: + . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to + partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos) ++ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, ++ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka) + + Backported from 8.0.30 + +-- +2.44.0 + |