Re: [oe][meta-oe][scarthgap][PATCH 1/1] php: Fix CVE-2024-5458
Kindly ignore this patch. This CVE will be fixed with php upgradation - https://lore.kernel.org/openembedded-devel/20240626085038.2951548-1-soumya.sa...@windriver.com/ Regards, Soumya From: openembedded-devel@lists.openembedded.org on behalf of Soumya via lists.openembedded.org Sent: Monday, June 24, 2024 7:59 AM To: openembedded-devel@lists.openembedded.org Subject: [oe][meta-oe][scarthgap][PATCH 1/1] php: Fix CVE-2024-5458 From: Soumya Sambu In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. References: https://nvd.nist.gov/vuln/detail/CVE-2024-5458 Upstream-patches: https://github.com/php/php-src/commit/c7486130d97d592aee8809a5bce97e11deac94a5 Signed-off-by: Soumya Sambu --- .../php/php/CVE-2024-5458.patch | 153 ++ meta-oe/recipes-devtools/php/php_8.2.18.bb| 1 + 2 files changed, 154 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch diff --git a/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch new file mode 100644 index 0..8f139f0cc --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch @@ -0,0 +1,153 @@ +From 7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+niels...@users.noreply.github.com> +Date: Wed, 22 May 2024 22:25:02 +0200 +Subject: [PATCH] Fix GHSA-w8qr-v226-r27w + +We should not early-out with success status if we found an ipv6 +hostname, we should keep checking the rest of the conditions. +Because integrating the if-check of the ipv6 hostname in the +"Validate domain" if-check made the code hard to read, I extracted the +condition out to a separate function. This also required to make +a few pointers const in order to have some clean code. + +CVE: CVE-2024-5458 + +Upstream-Status: Backport [https://github.com/php/php-src/commit/7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c] + +Signed-off-by: Soumya Sambu +--- + ext/filter/logical_filters.c | 35 ++- + ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++ + 2 files changed, 61 insertions(+), 15 deletions(-) + create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index 3f58b2a3..ca8e65c1 100644 +--- a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +@@ -89,7 +89,7 @@ + #define FORMAT_IPV44 + #define FORMAT_IPV66 + +-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]); ++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]); + + static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */ + zend_long ctx_value; +@@ -580,6 +580,14 @@ static int is_userinfo_valid(zend_string *str) + return 1; + } + ++static bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l) ++{ ++ const char *e = s + l; ++ const char *t = e - 1; ++ ++ return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l - 2, NULL); ++} ++ + void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + { + php_url *url; +@@ -600,7 +608,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + + if (url->scheme != NULL && + (zend_string_equals_literal_ci(url->scheme, "http") || zend_string_equals_literal_ci(url->scheme, "https"))) { +- char *e, *s, *t; ++ const char *s; + size_t l; + + if (url->host == NULL) { +@@ -609,17 +617,14 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + + s = ZSTR_VAL(url->host); + l = ZSTR_LEN(url->host); +- e = s + l; +- t = e - 1; +- +- /* An IPv6 enclosed by square brackets is a valid hostname */ +- if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s + 1), l - 2, NULL)) { +- php_url_free(url); +- return; +- } + +- // Validate domain +- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)) { ++ if ( ++ /* An IPv6 enclosed by square brackets is a valid hostname.*/ ++ !php_filter_is_valid_ipv6_hostname(s, l) && ++
[oe][meta-oe][scarthgap][PATCH 1/1] php: Fix CVE-2024-5458
From: Soumya Sambu In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. References: https://nvd.nist.gov/vuln/detail/CVE-2024-5458 Upstream-patches: https://github.com/php/php-src/commit/c7486130d97d592aee8809a5bce97e11deac94a5 Signed-off-by: Soumya Sambu --- .../php/php/CVE-2024-5458.patch | 153 ++ meta-oe/recipes-devtools/php/php_8.2.18.bb| 1 + 2 files changed, 154 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch diff --git a/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch new file mode 100644 index 0..8f139f0cc --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch @@ -0,0 +1,153 @@ +From 7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+niels...@users.noreply.github.com> +Date: Wed, 22 May 2024 22:25:02 +0200 +Subject: [PATCH] Fix GHSA-w8qr-v226-r27w + +We should not early-out with success status if we found an ipv6 +hostname, we should keep checking the rest of the conditions. +Because integrating the if-check of the ipv6 hostname in the +"Validate domain" if-check made the code hard to read, I extracted the +condition out to a separate function. This also required to make +a few pointers const in order to have some clean code. + +CVE: CVE-2024-5458 + +Upstream-Status: Backport [https://github.com/php/php-src/commit/7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c] + +Signed-off-by: Soumya Sambu +--- + ext/filter/logical_filters.c | 35 ++- + ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++ + 2 files changed, 61 insertions(+), 15 deletions(-) + create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index 3f58b2a3..ca8e65c1 100644 +--- a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +@@ -89,7 +89,7 @@ + #define FORMAT_IPV44 + #define FORMAT_IPV66 + +-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]); ++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]); + + static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */ + zend_long ctx_value; +@@ -580,6 +580,14 @@ static int is_userinfo_valid(zend_string *str) + return 1; + } + ++static bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l) ++{ ++ const char *e = s + l; ++ const char *t = e - 1; ++ ++ return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l - 2, NULL); ++} ++ + void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + { + php_url *url; +@@ -600,7 +608,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + + if (url->scheme != NULL && + (zend_string_equals_literal_ci(url->scheme, "http") || zend_string_equals_literal_ci(url->scheme, "https"))) { +- char *e, *s, *t; ++ const char *s; + size_t l; + + if (url->host == NULL) { +@@ -609,17 +617,14 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + + s = ZSTR_VAL(url->host); + l = ZSTR_LEN(url->host); +- e = s + l; +- t = e - 1; +- +- /* An IPv6 enclosed by square brackets is a valid hostname */ +- if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s + 1), l - 2, NULL)) { +- php_url_free(url); +- return; +- } + +- // Validate domain +- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)) { ++ if ( ++ /* An IPv6 enclosed by square brackets is a valid hostname.*/ ++ !php_filter_is_valid_ipv6_hostname(s, l) && ++ /* Validate domain. ++ * This includes a loose check for an IPv4 address. */ ++ !_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME) ++ ) { + php_url_free(url); + RETURN_VALIDATION_FAILED + } +@@ -753,15 +758,15 @@ static int _php_filter_validate_ipv4(char *str, size_t str_len, int *ip) /* {{{ + } + /* }}} */ + +-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]) /* {{{ */ ++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int