authorRemi Collet <remi@remirepo.net>2024-09-26 17:00:00 +0200
committerRemi Collet <remi@php.net>2024-09-26 17:00:00 +0200
commit3e542feeac8e065151836f1bb5fd8c0e66c7f18f (patch)
tree0e8d2eda8a804a12d1541474bd8857bc424d8047 /php-cve-2024-9026.patch
parent950ea724334b6cbc8a51aa9a7d32f42d5dced8b7 (diff)
Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI
  CVE-2024-4577
Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability
  CVE-2024-8926
Fix cgi.force_redirect configuration is bypassable due to the environment variable collision
  CVE-2024-8927
Fix Logs from childrens may be altered
  CVE-2024-9026
Fix Erroneous parsing of multipart form data
  CVE-2024-8925
use ICU 74.2
Diffstat (limited to 'php-cve-2024-9026.patch')
-rw-r--r--php-cve-2024-9026.patch245
1 files changed, 245 insertions, 0 deletions
diff --git a/php-cve-2024-9026.patch b/php-cve-2024-9026.patch
new file mode 100644
index 0000000..997917b
--- /dev/null
+++ b/php-cve-2024-9026.patch
@@ -0,0 +1,245 @@
+From 4a8b8fa2592bd8862adeacb5b2faacb30500b9f9 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 12 Sep 2024 13:11:11 +0100
+Subject: [PATCH 07/11] Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may
+ be altered
+
+(cherry picked from commit 1f8e16172c7961045c2b0f34ba7613e3f21cdee8)
+(cherry picked from commit 22f4d3504d7613ce78bb96aa53cbfe7d672fa036)
+---
+ sapi/fpm/fpm/fpm_stdio.c | 2 +-
+ .../log-bwp-msg-flush-split-sep-pos-end.phpt | 47 +++++++++++++++++++
+ ...log-bwp-msg-flush-split-sep-pos-start.phpt | 47 +++++++++++++++++++
+ 3 files changed, 95 insertions(+), 1 deletion(-)
+ create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+ create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+
+diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
+index ddedfb48c7c..9d87273314a 100644
+--- a/sapi/fpm/fpm/fpm_stdio.c
++++ b/sapi/fpm/fpm/fpm_stdio.c
+@@ -177,7 +177,7 @@ stdio_read:
+ if ((sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos) <= in_buf &&
+ !memcmp(buf, &FPM_STDIO_CMD_FLUSH[cmd_pos], sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos)) {
+ zlog_stream_finish(log_stream);
+- start = cmd_pos;
++ start = sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos;
+ } else {
+ zlog_stream_str(log_stream, &FPM_STDIO_CMD_FLUSH[0], cmd_pos);
+ }
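Review bot: The corrected assignment `start = sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos;` carries no comment saying which quantity `start` holds, and the bug being fixed was a mix-up between the bytes of the flush command already matched (`cmd_pos`) and the bytes of it that lead the current buffer. I would add above it `/* skip the tail of the flush command at the front of buf; its first cmd_pos bytes were matched earlier */`. The same length expression is now written three times in this branch (the bound check, the memcmp() and the offset), so a named local for it would keep the three from drifting apart again. The enclosing function starts and ends outside the hunk, so how `start` is consumed afterwards is not visible here.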
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+new file mode 100644
+index 00000000000..52826320080
+--- /dev/null
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+@@ -0,0 +1,47 @@
++--TEST--
++FPM: Buffered worker output plain log with msg with flush split position towards separator end
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++catch_workers_output = yes
++decorate_workers_output = no
++EOT;
++
++$code = <<<EOT
++<?php
++file_put_contents('php://stderr', str_repeat('a', 1013) . "Quarkslab\0fscf\0Quarkslab");
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$tester->request()->expectEmptyBody();
++$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", decorated: false);
++$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
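Review bot: The pad lengths `1013` here and `1009` in log-bwp-msg-flush-split-sep-pos-start.phpt are unexplained, yet they are what makes each test reach the split case; presumably they are chosen against FPM's stdio read buffer size so that the `\0fscf\0` marker straddles two reads. A one-line comment in the `--FILE--` section, for example `// pad so the flush marker is split across two reads of the worker's stderr`, would stop the value from being tidied into one that no longer exercises the fix. If that buffer size ever changes, both tests would presumably keep passing without covering the regression, so deriving the pad from a named value in tester.inc would be sturdier.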
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+new file mode 100644
+index 00000000000..34905938553
+--- /dev/null
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+@@ -0,0 +1,47 @@
++--TEST--
++FPM: Buffered worker output plain log with msg with flush split position towards separator start
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++catch_workers_output = yes
++decorate_workers_output = no
++EOT;
++
++$code = <<<EOT
++<?php
++file_put_contents('php://stderr', str_repeat('a', 1009) . "Quarkslab\0fscf\0Quarkslab");
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$tester->request()->expectEmptyBody();
++$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", decorated: false);
++$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->terminate();
++$tester->expectLogTerminatingNotices();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+--
+2.46.1
+
+From 1154fbd3ddfa418bf2492c5366adaefb47c47737 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 26 Sep 2024 11:50:54 +0200
+Subject: [PATCH 09/11] NEWS for 8.1.30 backports
+
+(cherry picked from commit af3fb385e7b328ab89db26ec712d89c7096f0743)
+---
+ NEWS | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index a96518695fb..62616d6312d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,23 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.1.30
++
++- CGI:
++ . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
++ Vulnerability). (CVE-2024-8926) (nielsdos)
++ . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
++ bypassable due to the environment variable collision). (CVE-2024-8927)
++ (nielsdos)
++
++- FPM:
++ . Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered).
++ (CVE-2024-9026) (Jakub Zelenka)
++
++- SAPI:
++ . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
++ (CVE-2024-8925) (Arnaud)
++
+ Backported from 8.1.29
+
+ - CGI:
+--
+2.46.1
+
+From bc574c256596abc4966e7f0e3e0913839092151e Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 26 Sep 2024 15:48:11 +0200
+Subject: [PATCH 10/11] adapt GHSA-865w-9rf3-2wh5 test for 7.x
+
+---
+ sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt | 4 ++--
+ sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt | 4 ++--
+ sapi/fpm/tests/tester.inc | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+index 52826320080..bdd61782bfa 100644
+--- a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt
+@@ -30,8 +30,8 @@ $tester = new FPM\Tester($cfg, $code);
+ $tester->start();
+ $tester->expectLogStartNotices();
+ $tester->request()->expectEmptyBody();
+-$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", decorated: false);
+-$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", true, false);
++$tester->expectLogLine("Quarkslab", true, false);
+ $tester->terminate();
+ $tester->expectLogTerminatingNotices();
+ $tester->close();
+diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+index 34905938553..f3461e4a0c8 100644
+--- a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt
+@@ -30,8 +30,8 @@ $tester = new FPM\Tester($cfg, $code);
+ $tester->start();
+ $tester->expectLogStartNotices();
+ $tester->request()->expectEmptyBody();
+-$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", decorated: false);
+-$tester->expectLogLine("Quarkslab", decorated: false);
++$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", true, false);
++$tester->expectLogLine("Quarkslab", true, false);
+ $tester->terminate();
+ $tester->expectLogTerminatingNotices();
+ $tester->close();
+diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc
+index 7868afc4ac1..fe5f0c2fde7 100644
+--- a/sapi/fpm/tests/tester.inc
++++ b/sapi/fpm/tests/tester.inc
+@@ -1315,7 +1315,7 @@ class Tester
+ * @param string $message
+ * @return bool
+ */
+- public function expectLogLine(string $message, bool $is_stderr = true)
++ public function expectLogLine(string $message, bool $is_stderr = true, bool $decorated = true)
+ {
+ $messageLen = strlen($message);
+ $limit = $messageLen > 1024 ? $messageLen + 16 : 1024;
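Review bot: The docblock above `expectLogLine()` still documents only `$message`, while the signature now takes `$is_stderr` and the new `$decorated`. I would add `@param bool $is_stderr` and `@param bool $decorated` lines, the latter noting that the flag is forwarded to `checkWrappedMessage()` as its third argument in place of the former hard-coded `true`. Because this 7.x adaptation passes the flags positionally, the call sites read `true, false`, which is easy to transpose; naming the order in the docblock would help. The method body runs on past this hunk and is only partly visible.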
+@@ -1325,7 +1325,7 @@ class Tester
+ $this->message("LOG LINE: " . ($logLines[0] ?? ''));
+ }
+
+- return $this->logTool->checkWrappedMessage($logLines, false, true, $is_stderr);
++ return $this->logTool->checkWrappedMessage($logLines, false, $decorated, $is_stderr);
+ }
+
+ /**
+--
+2.46.1
+