2024-04-12 19:05:36

by Alan Coopersmith

Subject: [oss-security] PHP security releases 8.1.28, 8.2.18, & 8.3.6

https://news-web.php.net/php.announce/424 (dated April 11) states:
> The PHP development team announces the immediate availability of PHP 8.3.6.
> This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
>
> All PHP 8.3 users are encouraged to upgrade to this version.

https://news-web.php.net/php.announce/423 (dated April 11) states:
> The PHP development team announces the immediate availability of PHP
> 8.2.18. This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756 and CVE-2024-3096.
>
> All PHP 8.2 users are advised to upgrade to this version.

https://news-web.php.net/php.announce/425 (dated April 12) states:
> The PHP development team announces the immediate availability of PHP
> 8.1.28. This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756, and CVE-2024-3096.
>
> All PHP 8.1 users are encouraged to upgrade to this version.

https://www.php.net/ChangeLog-8.php gives these descriptions of the CVE fixes:
> Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
> Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
> Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
> Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)

Note that CVE-2024-2757 is only fixed in 8.3.6, while the other three
are fixed in all three releases.

https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
(CVE-2024-1874) reports:
> Due to the improper handling of command line arguments on Windows,
> maliciously crafted arguments can inject arbitrary commands even if
> the bypass_shell option is enabled.
>
> Details
> --------
> proc_open executes external commands passed via its arguments. The documentation
> of this function states the following:
>
> As of PHP 7.4.0, the command may be passed as an array of command parameters.
> In this case, the process will be opened directly (without going through a
> shell) and PHP will take care of any necessary argument escaping.
>
> bypass_shell (windows only): bypass cmd.exe shell when set to true
>
> However, when executing .bat or .cmd files, CreateProcess implicitly spawns
> cmd.exe, resulting in command line arguments being parsed in cmd.exe despite
> the documentation explicitly stating it doesn't spawn the shell.
>
> While proc_open tries to escape the arguments, command prompts will not
> recognize \ as the escape character. So, the following command line argument
> will spawn calc.exe:
>
> test.bat "\"&calc.exe"

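The advisory above describes why array-form proc_open cannot keep its no-shell promise for batch files on Windows. As an added example (not code from php-src or the advisory), here is a small wrapper that refuses to dispatch a `.bat`/`.cmd` target on Windows and otherwise runs the argv-style command without a shell, capturing its output. The class and function names are this example's own; the check is by file extension only and is meant as a stop-gap for deployments that cannot yet move to the fixed releases.

```php
<?php
declare(strict_types=1);

// Added example, not code from php-src or the advisory. On Windows,
// CreateProcess runs .bat/.cmd files through cmd.exe, so the per-argument
// escaping PHP applies for direct execution is not honoured there
// (GHSA-pc52-254m-w9w7 / CVE-2024-1874). Refuse such targets outright.

final class BatchScriptRefused extends RuntimeException {}

/** True when $program names a Windows batch script (judged by extension only). */
function isBatchScript(string $program): bool
{
    $ext = strtolower(pathinfo($program, PATHINFO_EXTENSION));
    return $ext === 'bat' || $ext === 'cmd';
}

/**
 * Runs $command (argv-style list) without a shell and returns
 * ['status' => int, 'stdout' => string, 'stderr' => string].
 * Throws BatchScriptRefused instead of launching a batch script on Windows.
 */
function runWithoutShell(array $command, ?string $cwd = null, ?array $env = null): array
{
    if ($command === [] || !is_string($command[0] ?? null)) {
        throw new InvalidArgumentException('command must be a non-empty list of strings');
    }
    $options = [];
    if (PHP_OS_FAMILY === 'Windows') {
        if (isBatchScript($command[0])) {
            throw new BatchScriptRefused(
                'refusing to run batch script via proc_open (CVE-2024-1874): ' . $command[0]
            );
        }
        $options['bypass_shell'] = true;   // Windows-only option: never go through cmd.exe
    }
    $descriptors = [
        0 => ['pipe', 'r'],
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    $proc = proc_open($command, $descriptors, $pipes, $cwd, $env, $options);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);                     // the child gets no stdin
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Usage: an argument containing shell metacharacters reaches the child verbatim,
// because no shell ever parses it. PHP_BINARY is the running interpreter.
$result = runWithoutShell([PHP_BINARY, '-r', 'echo $argv[1];', '--', 'a"&b']);
echo $result['stdout'], PHP_EOL;
```

The extension check deliberately errs on the side of refusing: an application that genuinely needs to run a batch script should build that command line itself, with cmd.exe quoting rules in mind, rather than rely on proc_open's escaping.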
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
(CVE-2024-2756) reports:
> Summary
> -------
> Due to an incomplete fix to CVE-2022-31629, network and same-site attackers
> can set a standard insecure cookie in the victim's browser which is treated
> as a __Host- or __Secure- cookie by PHP applications.
>
> Details
> -------
> The vulnerability is identical to one previously described in
> https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got
> only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed
> by PHP applications as __Host-.

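The weakness described above lives in how PHP derives `$_COOKIE` keys from the raw header: a cookie that is not literally named `__Host-...` can still land under that key. Browsers enforce the `__Host-`/`__Secure-` rules only on the literal cookie name, so an application can sidestep the mangling by re-parsing the raw `Cookie` header itself and trusting a prefixed cookie only when the exact name appears there. As an added example (not php-src code; the helper names are this example's own, and `$phpCookies` stands in for `$_COOKIE`), here is that lookup together with a detection routine that flags keys an unpatched PHP registered under a prefix it was never sent:

```php
<?php
declare(strict_types=1);

// Added example, not php-src code. Trust __Host-/__Secure- cookies only when
// the literal name is present in the raw Cookie header, and report keys in
// $_COOKIE that carry a prefix the raw header never contained
// (GHSA-wpj3-hf5j-x4v4 / CVE-2024-2756).

const COOKIE_PREFIXES = ['__Host-', '__Secure-'];

function hasCookiePrefix(string $name): bool
{
    foreach (COOKIE_PREFIXES as $prefix) {
        if (str_starts_with($name, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Parses a raw Cookie header into name => value; the first occurrence of a name wins. */
function parseRawCookieHeader(string $raw): array
{
    $cookies = [];
    foreach (explode(';', $raw) as $pair) {
        $pair = trim($pair, " \t");
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (!array_key_exists($name, $cookies)) {
            $cookies[$name] = urldecode($value);   // name is kept literal on purpose
        }
    }
    return $cookies;
}

/** Value of a prefixed cookie, or null unless that exact name was sent by the browser. */
function trustedPrefixedCookie(string $name, string $rawHeader): ?string
{
    if (!hasCookiePrefix($name)) {
        throw new InvalidArgumentException('only __Host-/__Secure- names are handled here');
    }
    return parseRawCookieHeader($rawHeader)[$name] ?? null;
}

/**
 * Detection: prefixed keys in $phpCookies (normally $_COOKIE) whose literal
 * name is absent from the raw header. Worth logging as a spoofing attempt.
 */
function spoofedPrefixedCookies(array $phpCookies, string $rawHeader): array
{
    $raw = parseRawCookieHeader($rawHeader);
    $spoofed = [];
    foreach (array_keys($phpCookies) as $name) {
        $name = (string) $name;
        if (hasCookiePrefix($name) && !array_key_exists($name, $raw)) {
            $spoofed[] = $name;
        }
    }
    return $spoofed;
}

// Constructed request: the raw header carries the mangled name quoted in the
// advisory, and $phpCookies mimics what an unpatched PHP registers for it.
$rawHeader  = '_[Host-session=attacker; __Secure-id=abc123';
$phpCookies = ['__Host-session' => 'attacker', '__Secure-id' => 'abc123'];

var_dump(trustedPrefixedCookie('__Host-session', $rawHeader));
var_dump(trustedPrefixedCookie('__Secure-id', $rawHeader));
var_dump(spoofedPrefixedCookies($phpCookies, $rawHeader));
```

In the constructed request the `__Secure-id` lookup succeeds because that name is literally present, the `__Host-session` lookup yields null, and the detection routine reports `__Host-session` as spoofed. Reading the raw header from `$_SERVER['HTTP_COOKIE']` keeps this independent of the mangling rules, so it remains a useful sanity check even on patched releases.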
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
(CVE-2024-3096) reports:
> Summary
> -------
> If a password stored with password_hash starts with a null byte (\x00),
> testing a blank string as the password via password_verify will incorrectly
> return true.
>
> If a user were able to create a password with a leading null byte (unlikely,
> but syntactically valid), an attacker could trivially compromise the victim's
> account by attempting to sign in with a blank string.

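The edge case above only arises when a NUL byte gets into the stored password in the first place, which an application can rule out at the boundary. As an added example (not php-src code; the function names are this example's own), here is a thin wrapper around `password_hash`/`password_verify` that rejects empty passwords and NUL bytes before either call, so that a blank login attempt can never match regardless of which PHP release is running. The 72-byte bound is bcrypt's own input limit and is enforced for the same reason, so that nothing past the boundary is silently ignored.

```php
<?php
declare(strict_types=1);

// Added example, not php-src code. Hardened password hashing: reject inputs
// that bcrypt would not process in full (empty strings, NUL bytes, more than
// 72 bytes) so the "\x00..." versus "" collision from GHSA-h746-cjrr-wfmr
// cannot occur at this layer.

const PASSWORD_MAX_BYTES = 72;   // bcrypt ignores anything beyond this

function assertUsablePassword(string $password): void
{
    if ($password === '') {
        throw new ValueError('password must not be empty');
    }
    if (str_contains($password, "\0")) {
        throw new ValueError('password must not contain NUL bytes');
    }
    if (strlen($password) > PASSWORD_MAX_BYTES) {
        throw new ValueError('password exceeds ' . PASSWORD_MAX_BYTES . ' bytes');
    }
}

function hashPassword(string $password): string
{
    assertUsablePassword($password);
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/** Returns false for any candidate that hashPassword() would have refused. */
function verifyPassword(string $password, string $hash): bool
{
    try {
        assertUsablePassword($password);
    } catch (ValueError) {
        return false;
    }
    return password_verify($password, $hash);
}

// Usage with constructed inputs.
$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
var_dump(verifyPassword('', $hash));
try {
    hashPassword("\0leading-nul");
} catch (ValueError $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting at hash time is what removes the risk; rejecting again at verify time is cheap insurance for hashes created before the check existed.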
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
(CVE-2024-2757) reports:
> Summary
> -------
> Certain inputs provided to mb_encode_mimeheader trigger an endless loop.
>
> Details
> -------
> A discernible pattern has not yet been identified, but a specific string
> consistently reproduces the issue.
>
> PoC
> ---
> In PHP 8.3.3, execute:
>
> <?php
> mb_internal_encoding('UTF-8');
> mb_encode_mimeheader(",9868949,9868978,9869015,9689100,9869121,9869615,9870690,9867116,98558119861183. ", "utf-8", "B");
>
> The mb_encode_mimeheader function seems to enter an infinite loop and fails to return.
>
> Impact
> ------
> Given that this function is integral to numerous email processing routines,
> including those handling potentially untrusted user inputs, this vulnerability
> could be exploited for denial-of-service attacks. For instance, CakePHP 5
> relies on this function to encode email subjects.
> https://github.com/cakephp/cakephp/blob/5.x/src/Mailer/Message.php#L815

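For deployments that process untrusted subject lines and cannot upgrade to 8.3.6 immediately, the practical mitigation is to stop handing that input to `mb_encode_mimeheader`. As an added example (not php-src or CakePHP code; the function and constant names are this example's own), here is a self-contained RFC 2047 "B" encoder that splits the value into encoded words at character boundaries, keeps each word within the 75-character limit, and folds between words. Every loop advances over the input by at least one character, so it terminates on any input.

```php
<?php
declare(strict_types=1);

// Added example, not php-src or CakePHP code. A stand-in for
// mb_encode_mimeheader() on releases affected by GHSA-fjp9-9hwx-59fq:
// RFC 2047 "B" (base64) encoding of a header value, one encoded word per
// chunk, folded with CRLF + space between words.

const ENCODED_WORD_MAX = 75;   // RFC 2047 section 2: an encoded-word is at most 75 chars

function encodeMimeHeaderB(string $text, string $charset = 'UTF-8'): string
{
    // Printable ASCII needs no encoding (folding long ASCII lines is a separate concern).
    if (preg_match('/[^\x20-\x7E]/', $text) !== 1) {
        return $text;
    }
    if (!mb_check_encoding($text, $charset)) {
        throw new ValueError('input is not valid ' . $charset);
    }

    // "=?CHARSET?B?" + "?=" is fixed overhead; the base64 payload must be a
    // multiple of 4 chars, and 4 base64 chars carry 3 raw bytes.
    $overhead  = strlen('=?' . $charset . '?B??=');
    $rawBudget = intdiv(ENCODED_WORD_MAX - $overhead, 4) * 3;
    if ($rawBudget < 4) {
        throw new ValueError('charset name leaves no room for payload');
    }

    // Split into characters of the declared charset so no multibyte sequence
    // is cut across two encoded words.
    $words = [];
    $chunk = '';
    foreach (mb_str_split($text, 1, $charset) as $char) {
        if ($chunk !== '' && strlen($chunk) + strlen($char) > $rawBudget) {
            $words[] = $chunk;
            $chunk = '';
        }
        $chunk .= $char;
    }
    if ($chunk !== '') {
        $words[] = $chunk;
    }

    $encoded = array_map(
        fn(string $raw): string => '=?' . $charset . '?B?' . base64_encode($raw) . '?=',
        $words
    );
    return implode("\r\n ", $encoded);
}

// Usage with a constructed non-ASCII subject line.
echo encodeMimeHeaderB('Bestätigung: Ihre Bestellung – Rechnung im Anhang'), PHP_EOL;
```

An all-ASCII value such as the reproducer string in the advisory passes through unchanged. The encoder deliberately does not try to keep whitespace outside encoded words; that produces slightly longer headers than `mb_encode_mimeheader` but keeps the control flow trivially bounded.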
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris