Re: [oe][meta-oe][scarthgap][PATCH 1/1] php: Fix CVE-2024-5458
Kindly ignore this patch. This CVE will be fixed with php upgradation -
https://lore.kernel.org/openembedded-devel/20240626085038.2951548-1-soumya.sa...@windriver.com/
Regards,
Soumya
From: openembedded-devel@lists.openembedded.org
on behalf of Soumya via
lists.openembedded.org
Sent: Monday, June 24, 2024 7:59 AM
To: openembedded-devel@lists.openembedded.org
Subject: [oe][meta-oe][scarthgap][PATCH 1/1] php: Fix CVE-2024-5458
From: Soumya Sambu
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8,
due to a code logic error, filtering functions such as filter_var when
validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function
will result in invalid user information (username + password part of URLs)
being treated as valid user information. This may lead to the downstream code
accepting invalid URLs as valid and parsing them incorrectly.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-5458
Upstream-patches:
https://github.com/php/php-src/commit/c7486130d97d592aee8809a5bce97e11deac94a5
Signed-off-by: Soumya Sambu
---
.../php/php/CVE-2024-5458.patch | 153 ++
meta-oe/recipes-devtools/php/php_8.2.18.bb| 1 +
2 files changed, 154 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
new file mode 100644
index 0..8f139f0cc
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
@@ -0,0 +1,153 @@
+From 7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+niels...@users.noreply.github.com>
+Date: Wed, 22 May 2024 22:25:02 +0200
+Subject: [PATCH] Fix GHSA-w8qr-v226-r27w
+
+We should not early-out with success status if we found an ipv6
+hostname, we should keep checking the rest of the conditions.
+Because integrating the if-check of the ipv6 hostname in the
+"Validate domain" if-check made the code hard to read, I extracted the
+condition out to a separate function. This also required to make
+a few pointers const in order to have some clean code.
+
+CVE: CVE-2024-5458
+
+Upstream-Status: Backport
[https://github.com/php/php-src/commit/7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c]
+
+Signed-off-by: Soumya Sambu
+---
+ ext/filter/logical_filters.c | 35 ++-
+ ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++
+ 2 files changed, 61 insertions(+), 15 deletions(-)
+ create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 3f58b2a3..ca8e65c1 100644
+--- a/ext/filter/logical_filters.c
b/ext/filter/logical_filters.c
+@@ -89,7 +89,7 @@
+ #define FORMAT_IPV44
+ #define FORMAT_IPV66
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]);
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int
ip[8]);
+
+ static int php_filter_parse_int(const char *str, size_t str_len, zend_long
*ret) { /* {{{ */
+ zend_long ctx_value;
+@@ -580,6 +580,14 @@ static int is_userinfo_valid(zend_string *str)
+ return 1;
+ }
+
++static bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
++{
++ const char *e = s + l;
++ const char *t = e - 1;
++
++ return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l -
2, NULL);
++}
++
+ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ {
+ php_url *url;
+@@ -600,7 +608,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL)
/* {{{ */
+
+ if (url->scheme != NULL &&
+ (zend_string_equals_literal_ci(url->scheme, "http") ||
zend_string_equals_literal_ci(url->scheme, "https"))) {
+- char *e, *s, *t;
++ const char *s;
+ size_t l;
+
+ if (url->host == NULL) {
+@@ -609,17 +617,14 @@ void
php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+
+ s = ZSTR_VAL(url->host);
+ l = ZSTR_LEN(url->host);
+- e = s + l;
+- t = e - 1;
+-
+- /* An IPv6 enclosed by square brackets is a valid hostname */
+- if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s +
1), l - 2, NULL)) {
+- php_url_free(url);
+- return;
+- }
+
+- // Validate domain
+- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l,
FILTER_FLAG_HOSTNAME)) {
++ if (
++ /* An IPv6 enclosed by square brackets is a valid
hostname.*/
++ !php_filter_is_valid_ipv6_hostname(s, l) &&
++
[oe][meta-oe][scarthgap][PATCH 1/1] php: Fix CVE-2024-5458
From: Soumya Sambu
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8,
due to a code logic error, filtering functions such as filter_var when
validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function
will result in invalid user information (username + password part of URLs)
being treated as valid user information. This may lead to the downstream code
accepting invalid URLs as valid and parsing them incorrectly.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-5458
Upstream-patches:
https://github.com/php/php-src/commit/c7486130d97d592aee8809a5bce97e11deac94a5
Signed-off-by: Soumya Sambu
---
.../php/php/CVE-2024-5458.patch | 153 ++
meta-oe/recipes-devtools/php/php_8.2.18.bb| 1 +
2 files changed, 154 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
new file mode 100644
index 0..8f139f0cc
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2024-5458.patch
@@ -0,0 +1,153 @@
+From 7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+niels...@users.noreply.github.com>
+Date: Wed, 22 May 2024 22:25:02 +0200
+Subject: [PATCH] Fix GHSA-w8qr-v226-r27w
+
+We should not early-out with success status if we found an ipv6
+hostname, we should keep checking the rest of the conditions.
+Because integrating the if-check of the ipv6 hostname in the
+"Validate domain" if-check made the code hard to read, I extracted the
+condition out to a separate function. This also required to make
+a few pointers const in order to have some clean code.
+
+CVE: CVE-2024-5458
+
+Upstream-Status: Backport
[https://github.com/php/php-src/commit/7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c]
+
+Signed-off-by: Soumya Sambu
+---
+ ext/filter/logical_filters.c | 35 ++-
+ ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++
+ 2 files changed, 61 insertions(+), 15 deletions(-)
+ create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 3f58b2a3..ca8e65c1 100644
+--- a/ext/filter/logical_filters.c
b/ext/filter/logical_filters.c
+@@ -89,7 +89,7 @@
+ #define FORMAT_IPV44
+ #define FORMAT_IPV66
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]);
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int
ip[8]);
+
+ static int php_filter_parse_int(const char *str, size_t str_len, zend_long
*ret) { /* {{{ */
+ zend_long ctx_value;
+@@ -580,6 +580,14 @@ static int is_userinfo_valid(zend_string *str)
+ return 1;
+ }
+
++static bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
++{
++ const char *e = s + l;
++ const char *t = e - 1;
++
++ return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l -
2, NULL);
++}
++
+ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ {
+ php_url *url;
+@@ -600,7 +608,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL)
/* {{{ */
+
+ if (url->scheme != NULL &&
+ (zend_string_equals_literal_ci(url->scheme, "http") ||
zend_string_equals_literal_ci(url->scheme, "https"))) {
+- char *e, *s, *t;
++ const char *s;
+ size_t l;
+
+ if (url->host == NULL) {
+@@ -609,17 +617,14 @@ void
php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+
+ s = ZSTR_VAL(url->host);
+ l = ZSTR_LEN(url->host);
+- e = s + l;
+- t = e - 1;
+-
+- /* An IPv6 enclosed by square brackets is a valid hostname */
+- if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s +
1), l - 2, NULL)) {
+- php_url_free(url);
+- return;
+- }
+
+- // Validate domain
+- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l,
FILTER_FLAG_HOSTNAME)) {
++ if (
++ /* An IPv6 enclosed by square brackets is a valid
hostname.*/
++ !php_filter_is_valid_ipv6_hostname(s, l) &&
++ /* Validate domain.
++ * This includes a loose check for an IPv4 address. */
++ !_php_filter_validate_domain(ZSTR_VAL(url->host), l,
FILTER_FLAG_HOSTNAME)
++ ) {
+ php_url_free(url);
+ RETURN_VALIDATION_FAILED
+ }
+@@ -753,15 +758,15 @@ static int _php_filter_validate_ipv4(char *str, size_t
str_len, int *ip) /* {{{
+ }
+ /* }}} */
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]) /*
{{{ */
++static int _php_filter_validate_ipv6(const char *str, size_t str_len, int
