Bug 929930

Summary:	dev-lang/php: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Christopher Fore <csfore>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	mjo, php-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.php.net/ChangeLog-8.php
Whiteboard:	A3 [ebuild]
Package list:		Runtime testing required:	---

Description Christopher Fore 2024-04-13 16:26:32 UTC

CVE-2024-2756 (https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4):

Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.


CVE-2024-2757 (https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq):

Certain inputs provided to mb_encode_mimeheader trigger an endless loop.


CVE-2024-3096 (https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr):

If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true.

If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string.




The above are fixed in: 8.1.28, 8.2.18, 8.3.6 with CVE-2024-2757 only being fixed in 8.3.6.

Comment 1 Christopher Fore 2024-04-13 16:32:12 UTC


*** This bug has been marked as a duplicate of bug 929929 ***