Bug 1222856 (CVE-2024-1874)

Summary: VUL-0: CVE-2024-1874: php5,php53,php7,php72,php74,php8: improper cmdline handling on windows
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Status: RESOLVED UPSTREAM
Severity: Normal
Priority: P5 - None
Version: unspecified
Hardware: Other
OS: Other
Reporter: SMASH SMASH <smash_bz>
Assignee: Petr Gajdos <pgajdos>
QA Contact: Security Team bot <security-team>
CC: meissner
URL: https://smash.suse.de/issue/401686/
Found By: Security Response Team

Description SMASH SMASH 2024-04-15 15:54:02 UTC
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
(CVE-2024-1874) reports:

    Due to the improper handling of command line arguments on Windows,
    maliciously crafted arguments can inject arbitrary commands even if
    the bypass_shell option is enabled.

    Details
    --------
    proc_open executes external commands passed via its arguments. The documentation
    of this function states the following:

        As of PHP 7.4.0, the command may be passed as an array of command parameters.
        In this case, the process will be opened directly (without going through a
        shell) and PHP will take care of any necessary argument escaping.

        bypass_shell (windows only): bypass cmd.exe shell when set to true


    However, when executing .bat or .cmd files, CreateProcess implicitly spawns
    cmd.exe, resulting in command line arguments being parsed in cmd.exe despite
    the documentation explicitly stating it doesn't spawn the shell.

    While proc_open tries to escape the arguments, command prompts will not
    recognize \ as the escape character. So, the following command line argument
    will spawn calc.exe:

        test.bat "\"&calc.exe"
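
The parsing mismatch described above, as an added example in PHP (not code from the advisory or from php-src): a simplified model of backslash-style quoting and of cmd.exe's quote toggling, followed by a hypothetical guard to run before proc_open. The function names, the metacharacter list and the reject-rather-than-escape policy are assumptions made for this illustration.

```php
<?php
// Simplified model (not PHP's internal code) of backslash-style quoting:
// wrap the argument in double quotes and escape embedded quotes as \".
function quote_backslash_style(string $arg): string
{
    return '"' . str_replace('"', '\\"', $arg) . '"';
}

// Simplified model of cmd.exe: every '"' toggles quote state and a
// backslash means nothing, so \" closes the quoted region.
function unquoted_cmd_meta(string $cmdline): array
{
    $inQuotes = false;
    $found = [];
    foreach (str_split($cmdline) as $ch) {
        if ($ch === '"') {
            $inQuotes = !$inQuotes;
        } elseif (!$inQuotes && strpbrk($ch, '&|<>^') !== false) {
            $found[] = $ch;
        }
    }
    return $found;
}

// Hypothetical guard to call before proc_open() with an array command.
function assert_safe_command(array $command): void
{
    $program = (string) array_shift($command);
    // Windows ignores trailing dots and spaces in file names.
    $ext = strtolower(pathinfo(rtrim($program, '. '), PATHINFO_EXTENSION));
    if (!in_array($ext, ['bat', 'cmd'], true)) {
        return; // not a .bat/.cmd target, so no implicit cmd.exe
    }
    foreach ($command as $arg) {
        if (strpbrk((string) $arg, "\"&|<>^%!()\r\n") !== false) {
            throw new InvalidArgumentException('cmd.exe metacharacter in batch-file argument');
        }
    }
}

$arg  = '"&calc.exe'; // argument value from the advisory's example
$line = 'test.bat ' . quote_backslash_style($arg);
echo $line, PHP_EOL;
echo 'outside quotes for cmd.exe: ', implode(' ', unquoted_cmd_meta($line)), PHP_EOL;
try {
    assert_safe_command(['test.bat', $arg]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```
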
Comment 1 Marcus Meissner 2024-04-15 15:58:09 UTC
no need to fix windows issues.