diff options
| author | Remi Collet <remi@remirepo.net> | 2024-09-27 09:58:37 +0200 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2024-09-27 09:58:37 +0200 |
| commit | 04a009d3791ab5c8aeead7988076e6a5ffb6cbc9 (patch) | |
| tree | 77bd88def3d350021bcf72ffc277fafccc0a6bdb /php-cve-2024-8927.patch | |
| parent | 6325fa517ce34105f1614520543b2da49b786263 (diff) | |
CVE-2024-4577
Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability
CVE-2024-8926
Fix cgi.force_redirect configuration is bypassable due to the environment variable collision
CVE-2024-8927
Fix Erroneous parsing of multipart form data
CVE-2024-8925
Diffstat (limited to 'php-cve-2024-8927.patch')
| -rw-r--r-- | php-cve-2024-8927.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/php-cve-2024-8927.patch b/php-cve-2024-8927.patch new file mode 100644 index 0000000..1442d74 --- /dev/null +++ b/php-cve-2024-8927.patch @@ -0,0 +1,102 @@ +From 234a673bb5bee58ce752d6fefa4cba99435ae21c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Tue, 18 Jun 2024 21:28:26 +0200 +Subject: [PATCH 5/8] Fix GHSA-94p6-54jq-9mwp + +Apache only generates REDIRECT_STATUS, so explicitly check for that +if the server name is Apache, don't allow other variable names. +Furthermore, redirect.so and Netscape no longer exist, so +remove those entries as we can't check their server name anymore. + +We now also check for the configuration override *first* such that it +always take precedence. This would allow for a mitigation path if +something like this happens in the future. + +(cherry picked from commit 48808d98f4fc2a05193cdcc1aedd6c66816450f1) +(cherry picked from commit 8aa748ee0657cdee8d883ba50d04b68bc450f686) +(cherry picked from commit c7308ba7cd0533501b40eba255602bb5e085550f) +(cherry picked from commit 21e2b0ab382a898f627c97d39f5e5afc2431afe7) +(cherry picked from commit 74f1553070cb6237e25945407be7f75a43736113) +(cherry picked from commit 1e522a66b2b5376545c3e3dfc743e4e6614aade9) +--- + sapi/cgi/cgi_main.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c +index f3b75bf7e7..7b3ff2e17c 100644 +--- a/sapi/cgi/cgi_main.c ++++ b/sapi/cgi/cgi_main.c +@@ -1916,18 +1916,17 @@ int main(int argc, char *argv[]) + + /* check force_cgi after startup, so we have proper output */ + if (cgi && CGIG(force_redirect)) { +- /* Apache will generate REDIRECT_STATUS, +- * Netscape and redirect.so will generate HTTP_REDIRECT_STATUS. +- * redirect.so and installation instructions available from +- * http://www.koehntopp.de/php. +- * -- kk@netuse.de +- */ +- if (!getenv("REDIRECT_STATUS") && +- !getenv ("HTTP_REDIRECT_STATUS") && +- /* this is to allow a different env var to be configured +- * in case some server does something different than above */ +- (!CGIG(redirect_status_env) || !getenv(CGIG(redirect_status_env))) +- ) { ++ /* This is to allow a different environment variable to be configured ++ * in case the we cannot auto-detect which environment variable to use. ++ * Checking this first to allow user overrides in case the environment ++ * variable can be set by an untrusted party. */ ++ const char *redirect_status_env = CGIG(redirect_status_env); ++ if (!redirect_status_env) { ++ /* Apache will generate REDIRECT_STATUS. */ ++ redirect_status_env = "REDIRECT_STATUS"; ++ } ++ ++ if (!getenv(redirect_status_env)) { + zend_try { + SG(sapi_headers).http_response_code = 400; + PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\ +-- +2.46.1 + +From 9a3477d3c48272520840f9e20a7135e929e68c0e Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 26 Sep 2024 11:50:54 +0200 +Subject: [PATCH 7/8] NEWS for 8.1.30 backports + +(cherry picked from commit af3fb385e7b328ab89db26ec712d89c7096f0743) +(cherry picked from commit 1154fbd3ddfa418bf2492c5366adaefb47c47737) +(cherry picked from commit b4667e4ebe241d95775962b1e8b24788e7945de2) +(cherry picked from commit e80cb90b00aa403a5aa995f612ecb358323e9572) +(cherry picked from commit fbd3eff22ba8becf30263ddf6ab92a9c2ca93181) +--- + NEWS | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/NEWS b/NEWS +index 6f26c17ead..cf90002253 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,19 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.30 ++ ++- CGI: ++ . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection ++ Vulnerability). (CVE-2024-8926) (nielsdos) ++ . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is ++ bypassable due to the environment variable collision). (CVE-2024-8927) ++ (nielsdos) ++ ++- SAPI: ++ . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). ++ (CVE-2024-8925) (Arnaud) ++ + Backported from 8.1.29 + + - CGI: +-- +2.46.1 + |