Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2024-3096: php5,php53,php7,php72,php74,php8: php: password_verify can erroneously return true, opening ATO risk | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | camila.matos, meissner |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/401684/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-3096:4.8:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-04-15 16:00:00 UTC
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr

QA REPRODUCER:

<?php

declare(strict_types=1);

$pw = "\x00\x30";
$hash = password_hash($pw, PASSWORD_DEFAULT);

assert(password_verify(password: 'wrong', hash: $hash) === false, 'Incorect password should not verify');
assert(password_verify(password: '', hash: $hash) === false, 'Blank password should not verify');
assert(password_verify(password: $pw, hash: $hash) === true, 'Correct password should verify');
assert(password_verify(password: strrev($pw), hash: $hash) === false, 'Reversed correct password not should verify');

$ php pw_bug.php
AssertionError: Blank password should not verify in .../pw_bug.php on line 9

Call Stack:
0.0002 496408 1. {main}() .../pw_bug.php:0
0.1998 496536 2. assert($assertion = FALSE, $description = 'Blank password should not verify') .../pw_bug.php:9

Advisory related to this CVE:
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr

https://github.com/php/php-src/commit/0ba5229a3f7572846e91c8f5382e87785f543826
but the GHSA identifier does not match?

(In reply to Petr Gajdos from comment #3)
> https://github.com/php/php-src/commit/0ba5229a3f7572846e91c8f5382e87785f543826
> but the GHSA identifier does not match?

(I mean identifier in the commit message does not match?)

15sp4
BEFORE
/ # php -r 'var_dump(password_hash("null\0password", PASSWORD_BCRYPT));'
string(60) "$2y$10$0MjvUAfJqrTG9clruD4CHOJ7ZnQsU3.xohjbsZ4VVeXLfxB9Bz/2e"
/ #
AFTER
/ # php -r 'var_dump(password_hash("null\0password", PASSWORD_BCRYPT));'
PHP Fatal error: Uncaught ValueError: Bcrypt password must not contain null character in Command line code:1
Stack trace:
#0 Command line code(1): password_hash()
#1 {main}
thrown in Command line code on line 1
:/ #
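
An application-side guard and audit for the behaviour shown in the reproducer and the BEFORE/AFTER output above, as an added example that is not part of the bug report or of php-src. The function names and sample records are assumptions, and the hash of an empty string stands in for a record created from a leading-NUL password on an unpatched build.

```php
<?php
declare(strict_types=1);

// Added example, not php-src or SUSE code. Function names are hypothetical.

/** Hash a password, refusing NUL bytes on runtimes that lack the fix. */
function hash_password_checked(string $password, array $options = []): string
{
    // bcrypt reads the password as a C string, so bytes after "\0" are ignored.
    if (strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('Password must not contain a null byte');
    }
    return password_hash($password, PASSWORD_BCRYPT, $options);
}

/**
 * Return the ids of stored bcrypt hashes that verify against the empty
 * string: created from "" or from a password that starts with "\0".
 *
 * @param array<string,string> $hashes user id => stored hash
 * @return list<string>
 */
function find_blank_equivalent_hashes(array $hashes): array
{
    $flagged = [];
    foreach ($hashes as $id => $hash) {
        if (password_get_info($hash)['algoName'] !== 'bcrypt') {
            continue; // the null-byte issue on this page is bcrypt-specific
        }
        if (password_verify('', $hash)) {
            $flagged[] = (string) $id;
        }
    }
    return $flagged;
}

// Constructed sample data; cost 4 only keeps the demonstration fast.
$stored = [
    'alice' => hash_password_checked('correct horse', ['cost' => 4]),
    'bob'   => password_hash('', PASSWORD_BCRYPT, ['cost' => 4]),
];
print_r(find_blank_equivalent_hashes($stored));

try {
    hash_password_checked("null\0password");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Accounts flagged by the audit should have their stored hash invalidated and go through a password reset, since any login attempt with a blank password would be accepted for them.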
Submitted for: b15sp1/php81 (a version update) 15sp4/php8,php7, 15sp2/php7, 12/php74.

This is an autogenerated message for OBS integration:
This bug (1222858) was mentioned in
https://build.opensuse.org/request/show/1169082 Backports:SLE-15-SP5 / php81

SUSE-SU-2024:1446-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33460](https://smelt.suse.de/incident/33460/)
Sources used:
openSUSE Leap 15.4 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
openSUSE Leap 15.5 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
Web and Scripting Module 15-SP5 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1445-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33462](https://smelt.suse.de/incident/33462/)
Sources used:
Web and Scripting Module 12 (src): php74-7.4.33-1.65.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): php74-7.4.33-1.65.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1444-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33461](https://smelt.suse.de/incident/33461/)
Sources used:
openSUSE Leap 15.4 (src): php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
openSUSE Leap 15.5 (src): php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
Legacy Module 15-SP5 (src): php7-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
SUSE Package Hub 15 15-SP5 (src): php7-embed-7.4.33-150400.4.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2024:0115-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1222857,1222858
CVE References: CVE-2022-31629,CVE-2024-2756,CVE-2024-3096
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): apache2-mod_php81-8.1.28-bp155.8.1, php81-8.1.28-bp155.8.1, php81-embed-8.1.28-bp155.8.1, php81-fastcgi-8.1.28-bp155.8.1, php81-fpm-8.1.28-bp155.8.1, php81-test-8.1.28-bp155.8.3

Submitted for ALP:
https://build.suse.de/request/show/329903

Submitted for SFFO:
https://build.suse.de/request/show/329904

(In reply to Petr Gajdos from comment #21)
> Submitted for ALP:
> https://build.suse.de/request/show/329903

Reopened.

This is an autogenerated message for OBS integration:
This bug (1222858) was mentioned in
https://build.opensuse.org/request/show/1180000 Factory / php8

SUSE-SU-2024:2037-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1222857, 1222858, 1226073
CVE References: CVE-2024-2756, CVE-2024-3096, CVE-2024-5458
Maintenance Incident: [SUSE:Maintenance:33467](https://smelt.suse.de/incident/33467/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Enterprise Storage 7.1 (src): php7-7.4.33-150200.3.65.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.