Bugzilla – Bug 1226073
VUL-0: CVE-2024-5458: php5,php53,php7,php72,php74,php8: filter bypass in filter_var FILTER_VALIDATE_URL
Last modified: 2024-07-02 13:44:34 UTC
From: Alan Coopersmith <alan.coopersmith () oracle com> Date: Thu, 6 Jun 2024 17:04:53 -0700 In https://fosstodon.org/@php/112570710411472992 it is written: The Changelog link includes further details: - Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577) - Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458) - Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585) - The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. Unfortunately the related advisories don't seem to be published yet under those GHSA id's on https://github.com/php/php-src/security . -- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/solaris References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5458 https://seclists.org/oss-sec/2024/q2/273
Patch: https://github.com/php/php-src/commit/5c6d47372cff9ac01113763cce5bdc097bb90f33
This is an autogenerated message for OBS integration: This bug (1226073) was mentioned in https://build.opensuse.org/request/show/1179149 Factory / php8
This is an autogenerated message for OBS integration: This bug (1226073) was mentioned in https://build.opensuse.org/request/show/1179157 Factory / php8
SLFO submission: https://build.suse.de/request/show/335054
ALP submission: https://build.suse.de/request/show/335055
15sp6 submission: https://build.suse.de/request/show/335074
See the testcase in the commit. My results are: BEFORE --- These ones should fail --- bool(false) string(18) "http://t[est@[::1]" bool(false) bool(false) bool(false) bool(false) bool(false) bool(false) --- These ones should work --- string(21) "http://test@127.0.0.1" string(50) "http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]" string(17) "http://test@[::1]" AFTER --- These ones should fail --- bool(false) bool(false) bool(false) bool(false) bool(false) bool(false) bool(false) bool(false) --- These ones should work --- string(21) "http://test@127.0.0.1" string(50) "http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]" string(17) "http://test@[::1]"
Submitted also for: 15sp4/php8, 15sp4/php7, 15sp2/php7, 12/php74. I believe all fixed.
SUSE-SU-2024:2027-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1226073 CVE References: CVE-2024-5458 Maintenance Incident: [SUSE:Maintenance:34258](https://smelt.suse.de/incident/34258/) Sources used: Web and Scripting Module 12 (src): php74-7.4.33-1.68.2 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): php74-7.4.33-1.68.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2039-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1226073 CVE References: CVE-2024-5458 Maintenance Incident: [SUSE:Maintenance:34256](https://smelt.suse.de/incident/34256/) Sources used: openSUSE Leap 15.4 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 openSUSE Leap 15.5 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 Web and Scripting Module 15-SP5 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 SUSE Manager Server 4.3 (src): apache2-mod_php8-8.0.30-150400.4.43.1, php8-8.0.30-150400.4.43.1, php8-fpm-8.0.30-150400.4.43.1, php8-fastcgi-8.0.30-150400.4.43.1, php8-embed-8.0.30-150400.4.43.1, php8-test-8.0.30-150400.4.43.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2038-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1226073 CVE References: CVE-2024-5458 Maintenance Incident: [SUSE:Maintenance:34257](https://smelt.suse.de/incident/34257/) Sources used: Legacy Module 15-SP5 (src): php7-fpm-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1 Legacy Module 15-SP6 (src): php7-fpm-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1 SUSE Package Hub 15 15-SP5 (src): php7-embed-7.4.33-150400.4.37.1 SUSE Package Hub 15 15-SP6 (src): php7-embed-7.4.33-150400.4.37.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): php7-fpm-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): php7-fpm-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): php7-fpm-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): php7-fpm-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1 openSUSE Leap 15.4 (src): php7-fpm-7.4.33-150400.4.37.1, php7-test-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1, php7-embed-7.4.33-150400.4.37.1 openSUSE Leap 15.5 (src): php7-fpm-7.4.33-150400.4.37.1, php7-test-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1, php7-embed-7.4.33-150400.4.37.1 openSUSE Leap 15.6 (src): php7-fpm-7.4.33-150400.4.37.1, php7-test-7.4.33-150400.4.37.1, php7-7.4.33-150400.4.37.1, php7-fastcgi-7.4.33-150400.4.37.1, apache2-mod_php7-7.4.33-150400.4.37.1, php7-embed-7.4.33-150400.4.37.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2037-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1222857, 1222858, 1226073 CVE References: CVE-2024-2756, CVE-2024-3096, CVE-2024-5458 Maintenance Incident: [SUSE:Maintenance:33467](https://smelt.suse.de/incident/33467/) Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): php7-7.4.33-150200.3.65.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): php7-7.4.33-150200.3.65.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): php7-7.4.33-150200.3.65.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): php7-7.4.33-150200.3.65.1 SUSE Enterprise Storage 7.1 (src): php7-7.4.33-150200.3.65.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
we also need it for our php 8.1: openSUSE:Backports:SLE-15-SP5:Update/php81
(In reply to Marcus Meissner from comment #15) > we also need it for our php 8.1: > > openSUSE:Backports:SLE-15-SP5:Update/php81 Yep, working on it already.
b15sp5 submission https://build.opensuse.org/request/show/1181879
Reassigning back to security team.
The following code streams are also still unfixed: SUSE:ALP:Source:Standard:1.0/php8 v8.2.16 SUSE:SLFO:Main/php8 v8.2.19
Hi Alex, (In reply to Alexander Bergmann from comment #19) > The following code streams are also still unfixed: > > SUSE:ALP:Source:Standard:1.0/php8 v8.2.16 > SUSE:SLFO:Main/php8 v8.2.19 they have corresponding requests already, see comment 6 and comment 5. Something else is missing?
> > SUSE:ALP:Source:Standard:1.0/php8 v8.2.16 > > SUSE:SLFO:Main/php8 v8.2.19 > > they have corresponding requests already, see comment 6 and comment 5. > Something else is missing? Missed that, looks all good. (In reply to Petr Gajdos from comment #20)
Okay, reassigning that back again, if something odd or missing, let me know. Thanks