From 3e542feeac8e065151836f1bb5fd8c0e66c7f18f Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 26 Sep 2024 17:00:00 +0200 Subject: Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI CVE-2024-4577 Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability CVE-2024-8926 Fix cgi.force_redirect configuration is bypassable due to the environment variable collision CVE-2024-8927 Fix Logs from childrens may be altered CVE-2024-9026 Fix Erroneous parsing of multipart form data CVE-2024-8925 use ICU 74.2 --- php-cve-2024-9026.patch | 245 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 245 insertions(+) create mode 100644 php-cve-2024-9026.patch (limited to 'php-cve-2024-9026.patch') diff --git a/php-cve-2024-9026.patch b/php-cve-2024-9026.patch new file mode 100644 index 0000000..997917b --- /dev/null +++ b/php-cve-2024-9026.patch @@ -0,0 +1,245 @@ +From 4a8b8fa2592bd8862adeacb5b2faacb30500b9f9 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka +Date: Thu, 12 Sep 2024 13:11:11 +0100 +Subject: [PATCH 07/11] Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may + be altered + +(cherry picked from commit 1f8e16172c7961045c2b0f34ba7613e3f21cdee8) +(cherry picked from commit 22f4d3504d7613ce78bb96aa53cbfe7d672fa036) +--- + sapi/fpm/fpm/fpm_stdio.c | 2 +- + .../log-bwp-msg-flush-split-sep-pos-end.phpt | 47 +++++++++++++++++++ + ...log-bwp-msg-flush-split-sep-pos-start.phpt | 47 +++++++++++++++++++ + 3 files changed, 95 insertions(+), 1 deletion(-) + create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt + create mode 100644 sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt + +diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c +index ddedfb48c7c..9d87273314a 100644 +--- a/sapi/fpm/fpm/fpm_stdio.c ++++ b/sapi/fpm/fpm/fpm_stdio.c +@@ -177,7 +177,7 @@ stdio_read: + if ((sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos) <= in_buf && + !memcmp(buf, &FPM_STDIO_CMD_FLUSH[cmd_pos], sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos)) { + zlog_stream_finish(log_stream); +- start = cmd_pos; ++ start = sizeof(FPM_STDIO_CMD_FLUSH) - cmd_pos; + } else { + zlog_stream_str(log_stream, &FPM_STDIO_CMD_FLUSH[0], cmd_pos); + } +diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt +new file mode 100644 +index 00000000000..52826320080 +--- /dev/null ++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt +@@ -0,0 +1,47 @@ ++--TEST-- ++FPM: Buffered worker output plain log with msg with flush split position towards separator end ++--SKIPIF-- ++ ++--FILE-- ++start(); ++$tester->expectLogStartNotices(); ++$tester->request()->expectEmptyBody(); ++$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", decorated: false); ++$tester->expectLogLine("Quarkslab", decorated: false); ++$tester->terminate(); ++$tester->expectLogTerminatingNotices(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++Done ++--CLEAN-- ++ +diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt +new file mode 100644 +index 00000000000..34905938553 +--- /dev/null ++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt +@@ -0,0 +1,47 @@ ++--TEST-- ++FPM: Buffered worker output plain log with msg with flush split position towards separator start ++--SKIPIF-- ++ ++--FILE-- ++start(); ++$tester->expectLogStartNotices(); ++$tester->request()->expectEmptyBody(); ++$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", decorated: false); ++$tester->expectLogLine("Quarkslab", decorated: false); ++$tester->terminate(); ++$tester->expectLogTerminatingNotices(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++Done ++--CLEAN-- ++ +-- +2.46.1 + +From 1154fbd3ddfa418bf2492c5366adaefb47c47737 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 26 Sep 2024 11:50:54 +0200 +Subject: [PATCH 09/11] NEWS for 8.1.30 backports + +(cherry picked from commit af3fb385e7b328ab89db26ec712d89c7096f0743) +--- + NEWS | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/NEWS b/NEWS +index a96518695fb..62616d6312d 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,23 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.30 ++ ++- CGI: ++ . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection ++ Vulnerability). (CVE-2024-8926) (nielsdos) ++ . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is ++ bypassable due to the environment variable collision). (CVE-2024-8927) ++ (nielsdos) ++ ++- FPM: ++ . Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). ++ (CVE-2024-9026) (Jakub Zelenka) ++ ++- SAPI: ++ . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). ++ (CVE-2024-8925) (Arnaud) ++ + Backported from 8.1.29 + + - CGI: +-- +2.46.1 + +From bc574c256596abc4966e7f0e3e0913839092151e Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 26 Sep 2024 15:48:11 +0200 +Subject: [PATCH 10/11] adapt GHSA-865w-9rf3-2wh5 test for 7.x + +--- + sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt | 4 ++-- + sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt | 4 ++-- + sapi/fpm/tests/tester.inc | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt +index 52826320080..bdd61782bfa 100644 +--- a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt ++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-end.phpt +@@ -30,8 +30,8 @@ $tester = new FPM\Tester($cfg, $code); + $tester->start(); + $tester->expectLogStartNotices(); + $tester->request()->expectEmptyBody(); +-$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", decorated: false); +-$tester->expectLogLine("Quarkslab", decorated: false); ++$tester->expectLogLine(str_repeat('a', 1013) . "Quarkslab", true, false); ++$tester->expectLogLine("Quarkslab", true, false); + $tester->terminate(); + $tester->expectLogTerminatingNotices(); + $tester->close(); +diff --git a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt +index 34905938553..f3461e4a0c8 100644 +--- a/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt ++++ b/sapi/fpm/tests/log-bwp-msg-flush-split-sep-pos-start.phpt +@@ -30,8 +30,8 @@ $tester = new FPM\Tester($cfg, $code); + $tester->start(); + $tester->expectLogStartNotices(); + $tester->request()->expectEmptyBody(); +-$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", decorated: false); +-$tester->expectLogLine("Quarkslab", decorated: false); ++$tester->expectLogLine(str_repeat('a', 1009) . "Quarkslab", true, false); ++$tester->expectLogLine("Quarkslab", true, false); + $tester->terminate(); + $tester->expectLogTerminatingNotices(); + $tester->close(); +diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +index 7868afc4ac1..fe5f0c2fde7 100644 +--- a/sapi/fpm/tests/tester.inc ++++ b/sapi/fpm/tests/tester.inc +@@ -1315,7 +1315,7 @@ class Tester + * @param string $message + * @return bool + */ +- public function expectLogLine(string $message, bool $is_stderr = true) ++ public function expectLogLine(string $message, bool $is_stderr = true, bool $decorated = true) + { + $messageLen = strlen($message); + $limit = $messageLen > 1024 ? $messageLen + 16 : 1024; +@@ -1325,7 +1325,7 @@ class Tester + $this->message("LOG LINE: " . ($logLines[0] ?? '')); + } + +- return $this->logTool->checkWrappedMessage($logLines, false, true, $is_stderr); ++ return $this->logTool->checkWrappedMessage($logLines, false, $decorated, $is_stderr); + } + + /** +-- +2.46.1 + -- cgit