Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 929930 - dev-lang/php: multiple vulnerabilities
Summary: dev-lang/php: multiple vulnerabilities
Status: RESOLVED DUPLICATE of bug 929929
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-8.php
Whiteboard: A3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-13 16:26 UTC by Christopher Fore
Modified: 2024-04-13 16:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2024-04-13 16:26:32 UTC
CVE-2024-2756 (https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4):

Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.


CVE-2024-2757 (https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq):

Certain inputs provided to mb_encode_mimeheader trigger an endless loop.


CVE-2024-3096 (https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr):

If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true.

If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string.




The above are fixed in: 8.1.28, 8.2.18, 8.3.6 with CVE-2024-2757 only being fixed in 8.3.6.
Comment 1 Christopher Fore 2024-04-13 16:32:12 UTC

*** This bug has been marked as a duplicate of bug 929929 ***