Backport CVE-2023-3824 fix

Bug #2054511 reported by Daniel Tang
Affects: php7.4 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

Please backport the fix for CVE-2023-3824 and CVE-2023-3823 in PHP.
This is from https://askubuntu.com/a/1504226/1004020 .
I expect https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef to be cherry-picked.

Furthermore, the CVE screen is misleading to some people:
> But well done to your security tool, some naive ones also misinterpret what the CVEs mean, whoever is working on your security tool has done the additional work to assess what EOL versions are affected too, not just import the CVE.

I am looking at https://packages.ubuntu.com/source/focal-updates/php7.4 (7.4.3-4ubuntu2.19).
I didn't find any patch and I found the old vulnerable code.

# http://archive.ubuntu.com/ubuntu/pool/main/p/php7.4/php7.4_7.4.3.orig.tar.xz

In php-7.4.3/ext/phar/dirstream.c line 92 (`phar_dir_read`),
the vulnerable `size_t to_read` is present and the fixed `count != sizeof(php_stream_dirent)` is missing.

# http://archive.ubuntu.com/ubuntu/pool/main/p/php7.4/php7.4_7.4.3-4ubuntu2.19.debian.tar.xz

The patches end at CVE-2023-3247-2.patch.
There are no grep matches for `php_stream_dirent` or `phar_dir_read`.

# The release of Ubuntu you are using

Browsing the source for 20.04

# The version of the package you are using

php7.4=7.4.3-4ubuntu2.19

# What you expected to happen

The vulnerability should be fixed and the website should not mislead people.

# What happened instead

The vulnerability is still there and misinformation spread to AskUbuntu and stayed for more than 1 month.

Revision history for this message
Daniel Tang (daniel-z-tg) wrote :

# Original question

I have a focal machine ("Ubuntu 20.04.6 LTS") with php 7.4 installed (7.4.3-4ubuntu2.19). A vulnerability scan warned me about CVE-2023-3824 and CVE-2023-3823 in PHP, but the following pages:

https://ubuntu.com/security/CVE-2023-3824

https://ubuntu.com/security/CVE-2023-3823

https://ubuntu.com/security/cves?q=&package=php7.4

state that this machine is "Not vulnerable"; does anybody know how to get more details on this? I took a look into the package's changelog but there's no mention of the above CVEs.

# Wrong answer

I think the CVE descriptions are pretty clear, since they start with:

> In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 ...

It's blatantly obvious that PHP 7.4 is not affected by these.

So the conclusion is your vulnerability scan yields a false positive here.

# Correct answer

For CVE-2023-3824 for example you can see [the PHP issue](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv) and see the problem code referred to there in [`ext/phar/dirstream.c`](https://github.com/php/php-src/blob/be71cadc2f899bc39fe27098042139392e2187db/ext/phar/dirstream.c#L89C1-L116). You can see the fix that was applied (https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef) and see that the problem code existed and still exists in [the final php 7.4.33 code][1].

So yes, PHP 7.4 has that issue, it just isn't mentioned in the CVE because 7.4 is end of life and CNAs don't (have to) report on EOL software.

Ubuntu has not backported any fix. Grep the [source (7.4.3-4ubuntu2.19)](https://packages.ubuntu.com/source/focal-updates/php7.4) for `phar_dir_read` and you will find the vulnerable code and no patch. Once they backport it they will mention it, and https://ubuntu.com/security/CVE-2023-3824 would say something other than "Not vulnerable" against the 7.4 versions where it exists.

But well done to your security tool, some naive ones also misinterpret what the CVEs mean, whoever is working on your security tool has done the additional work to assess what EOL versions are affected too, not just import the CVE.

  [1]: https://github.com/php/php-src/blob/php-7.4.33/ext/phar/dirstream.c#L92

information type: Private Security → Public Security
Changed in php7.4 (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
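As an added example (not code from php-src, from this bug report or from Ubuntu's packaging), the C below models the arithmetic that the two grep targets in the description and in the quoted answer point at. The pre-fix read bounds the name copy by `count`, the size of the whole dirent handed in by the caller, rather than by the size of `d_name`, and then writes its terminator at `to_read + 1`; the fix rejects a `count` other than exactly one dirent and any name that does not fit in `d_name` with its terminator. The struct, its 64-byte name field, the entry lengths and the sample name are all constructed for illustration and are far smaller than the real MAXPATHLEN; `old_last_index_written` only computes where the old code's final NUL would land instead of performing the write, so the comparison runs without corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for php_stream_dirent (assumption: a d_name array
 * followed by a d_type byte, so sizeof the struct exceeds sizeof d_name). */
#define MODEL_MAXPATHLEN 64
typedef struct {
    char d_name[MODEL_MAXPATHLEN];
    unsigned char d_type;
} model_dirent;

#define MODEL_MIN(a, b) ((a) < (b) ? (a) : (b))

/* Pre-fix arithmetic, modelled without doing the writes: returns the highest
 * d_name index the old code would touch (its trailing NUL at to_read + 1), or
 * -1 where the old code returned -1. The only bound is `count`, the size of
 * the whole dirent, never the size of d_name itself. */
static long old_last_index_written(size_t name_len, size_t count)
{
    size_t to_read = MODEL_MIN(name_len, count);
    if (to_read == 0 || count < name_len) {
        return -1;
    }
    return (long)(to_read + 1);
}

/* True when the old arithmetic would write past the end of d_name. */
bool old_logic_overflows(size_t name_len, size_t count)
{
    long idx = old_last_index_written(name_len, count);
    return idx >= 0 && (size_t)idx >= sizeof(((model_dirent *)0)->d_name);
}

/* Hardened reader in the shape of the upstream fix: insist on exactly one
 * dirent, reject names that do not fit with their terminator, then copy. */
ssize_t safe_dir_read(const char *name, size_t name_len, char *buf, size_t count)
{
    if (count != sizeof(model_dirent)) {
        return -1;
    }
    model_dirent *ent = (model_dirent *)buf;
    if (name_len >= sizeof(ent->d_name)) {
        return -1;
    }
    memset(ent, 0, sizeof(*ent));
    memcpy(ent->d_name, name, name_len);
    ent->d_name[name_len] = '\0';
    return (ssize_t)sizeof(*ent);
}

int main(void)
{
    /* Constructed entry lengths: short, one byte short of d_name, exactly
     * d_name, exactly the dirent, and longer than the dirent. */
    size_t count = sizeof(model_dirent);
    size_t lens[] = { 10, MODEL_MAXPATHLEN - 1, MODEL_MAXPATHLEN, count, count + 5 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("name_len=%zu count=%zu old_logic_overflows=%d\n",
               lens[i], count, old_logic_overflows(lens[i], count));
    }

    char buf[sizeof(model_dirent)];
    char name[MODEL_MAXPATHLEN];
    memset(name, 'a', sizeof name);  /* constructed name, no terminator needed */
    printf("safe_dir_read(63 bytes) -> %ld\n", (long)safe_dir_read(name, 63, buf, count));
    printf("safe_dir_read(64 bytes) -> %ld\n", (long)safe_dir_read(name, 64, buf, count));
    return 0;
}
```

The interesting rows are the middle ones: a name one byte shorter than `d_name` passes every check in the old code yet its terminator lands on `d_type`, and names between the size of `d_name` and the size of the dirent are copied in full past the array. Only a name longer than the whole dirent is refused, which is why a bound taken from the caller's `count` is not a bound on `d_name`.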
Revision history for this message
Paul McGarry (paul-paulmcgarry) wrote :

Please note the Ask Ubuntu question only goes into one particular CVE, CVE-2023-3824

There will be a bunch of other security issues in PHP 7.4 and it would be quite a lot of work to go through every PHP CVE issued since PHP 7.4 was EOL and determine whether they also affect PHP 7.4 and to backport the fix.

It would probably be a good idea for Ubuntu to review its policies for creation of pages like:

https://ubuntu.com/security/CVE-2023-3824

Reporting "Not vulnerable" for EOL software because the version isn't specifically mentioned in the CVE is misleading, as CVE policies allow CNAs to simply not report on EOL software:

https://www.cve.org/Resources/General/End-of-Life-EOL-Assignment-Process.pdf

EOL software would be better classified as "Unknown" or "Probably Vulnerable - EOL"

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

For all CVEs handled by the security team, we always assume older versions of the software in our archive are vulnerable, and when we research the issue we make sure the vulnerability isn't present in older versions.

We never report "not vulnerable" for EOL software unless we specifically checked.

For the CVEs mentioned in this bug report, a mistake was made during our research, which we have now corrected.

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :
Changed in php7.4 (Ubuntu):
status: New → Fix Released