Bugzilla – Bug 1222858
VUL-0: CVE-2024-3096: php5,php53,php7,php72,php74,php8: php: password_verify can erroneously return true, opening ATO risk
Last modified: 2024-06-17 08:30:23 UTC
If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3096
https://seclists.org/oss-sec/2024/q2/113
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
https://bugzilla.redhat.com/show_bug.cgi?id=2275061
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr

QA REPRODUCER:

```php
<?php

declare(strict_types=1);

$pw = "\x00\x30";
$hash = password_hash($pw, PASSWORD_DEFAULT);

assert(password_verify(password: 'wrong', hash: $hash) === false, 'Incorrect password should not verify');
assert(password_verify(password: '', hash: $hash) === false, 'Blank password should not verify');
assert(password_verify(password: $pw, hash: $hash) === true, 'Correct password should verify');
assert(password_verify(password: strrev($pw), hash: $hash) === false, 'Reversed correct password should not verify');
```

```
$ php pw_bug.php
AssertionError: Blank password should not verify in .../pw_bug.php on line 9

Call Stack:
    0.0002     496408   1. {main}() .../pw_bug.php:0
    0.1998     496536   2. assert($assertion = FALSE, $description = 'Blank password should not verify') .../pw_bug.php:9
```
Advisory related to this CVE: https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://github.com/php/php-src/commit/0ba5229a3f7572846e91c8f5382e87785f543826 but the GHSA identifier does not match?
(In reply to Petr Gajdos from comment #3)
> https://github.com/php/php-src/commit/0ba5229a3f7572846e91c8f5382e87785f543826
> but the GHSA identifier does not match?

(I mean identifier in the commit message does not match?)
15sp4

BEFORE

```
/ # php -r 'var_dump(password_hash("null\0password", PASSWORD_BCRYPT));'
string(60) "$2y$10$0MjvUAfJqrTG9clruD4CHOJ7ZnQsU3.xohjbsZ4VVeXLfxB9Bz/2e"
/ #
```

AFTER

```
/ # php -r 'var_dump(password_hash("null\0password", PASSWORD_BCRYPT));'
PHP Fatal error: Uncaught ValueError: Bcrypt password must not contain null character in Command line code:1
Stack trace:
#0 Command line code(1): password_hash()
#1 {main}
  thrown in Command line code on line 1
:/ #
```
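An application-level guard for the behaviour shown in the BEFORE/AFTER output above, as an added example that is not part of the bug report or of PHP itself. The helper names (`bcrypt_rejects_nul`, `hash_password_checked`, `verify_password_checked`) are hypothetical, and treating a returned hash string as "unpatched" is an assumption.

```php
<?php
declare(strict_types=1);

// Added example; all function names here are hypothetical helpers.

/** True when this runtime refuses to bcrypt-hash a password containing NUL. */
function bcrypt_rejects_nul(): bool
{
    try {
        // Constructed probe value with an embedded NUL byte.
        $result = @password_hash("probe\0value", PASSWORD_BCRYPT);
    } catch (\Throwable $e) {
        return true; // e.g. the ValueError shown in the AFTER output
    }
    // Assumption: a build that still returns a hash string is unpatched.
    return !is_string($result);
}

/** Guard at password-set time, independent of the runtime's patch level. */
function hash_password_checked(string $password): string
{
    if ($password === '' || strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('Password is empty or contains NUL');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

/** Guard at login time: covers hashes stored before the fix was installed. */
function verify_password_checked(string $candidate, string $hash): bool
{
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return false;
    }
    return password_verify($candidate, $hash);
}

echo 'runtime rejects NUL: ', var_export(bcrypt_rejects_nul(), true), PHP_EOL;
$hash = hash_password_checked('correct horse'); // constructed sample password
var_dump(verify_password_checked('correct horse', $hash));
var_dump(verify_password_checked('', $hash));
try {
    hash_password_checked("\x00\x30"); // the reproducer's password
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The login-time guard matters even after the update is installed, because hashes created from NUL-prefixed passwords before the fix remain in the credential store.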
Submitted for: b15sp1/php81 (a version update) 15sp4/php8,php7, 15sp2/php7, 12/php74.
This is an autogenerated message for OBS integration: This bug (1222858) was mentioned in https://build.opensuse.org/request/show/1169082 Backports:SLE-15-SP5 / php81
SUSE-SU-2024:1446-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33460](https://smelt.suse.de/incident/33460/)
Sources used:
openSUSE Leap 15.4 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
openSUSE Leap 15.5 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
Web and Scripting Module 15-SP5 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1445-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33462](https://smelt.suse.de/incident/33462/)
Sources used:
Web and Scripting Module 12 (src): php74-7.4.33-1.65.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): php74-7.4.33-1.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1444-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33461](https://smelt.suse.de/incident/33461/)
Sources used:
openSUSE Leap 15.4 (src): php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
openSUSE Leap 15.5 (src): php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
Legacy Module 15-SP5 (src): php7-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
SUSE Package Hub 15 15-SP5 (src): php7-embed-7.4.33-150400.4.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2024:0115-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1222857,1222858
CVE References: CVE-2022-31629,CVE-2024-2756,CVE-2024-3096
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): apache2-mod_php81-8.1.28-bp155.8.1, php81-8.1.28-bp155.8.1, php81-embed-8.1.28-bp155.8.1, php81-fastcgi-8.1.28-bp155.8.1, php81-fpm-8.1.28-bp155.8.1, php81-test-8.1.28-bp155.8.3
Submitted for ALP:
https://build.suse.de/request/show/329903

Submitted for SFFO:
https://build.suse.de/request/show/329904
(In reply to Petr Gajdos from comment #21)
> Submitted for ALP:
> https://build.suse.de/request/show/329903

Reopened.
This is an autogenerated message for OBS integration: This bug (1222858) was mentioned in https://build.opensuse.org/request/show/1180000 Factory / php8
SUSE-SU-2024:2037-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222857, 1222858, 1226073
CVE References: CVE-2024-2756, CVE-2024-3096, CVE-2024-5458
Maintenance Incident: [SUSE:Maintenance:33467](https://smelt.suse.de/incident/33467/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Enterprise Storage 7.1 (src): php7-7.4.33-150200.3.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.