Backport CVE-2023-3824 fix
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php7.4 (Ubuntu) | Fix Released | Undecided | Leonidas S. Barbosa | |
Bug Description
Please backport the fix for CVE-2023-3824, CVE-2023-3823 on PHP.
This is from https:/
I expect https:/
Furthermore, the CVE screen is misleading to some people:
> But well done to your security tool, some naive ones also misinterpret what the CVEs mean, whoever is working on your security tool has done the additional work to assess what EOL versions are affected too, not just import the CVE.
I am looking at https:/
I didn't find any patch and I found the old vulnerable code.
# http://
In php-7.4.
the vulnerable `size_t to_read` is present and the fixed `count != sizeof(
# http://
The patches end at CVE-2023-
There are no grep matches for `php_stream_dirent` nor `phar_dir_read`
# The release of Ubuntu you are using
Browsing the source for 20.04
# The version of the package you are using
php7.4=
# What you expected to happen
The vulnerability should be fixed and the website should not mislead people.
# What happened instead
The vulnerability is still there and misinformation spread to AskUbuntu and stayed for more than 1 month.
Changed in php7.4 (Ubuntu): assignee: nobody → Leonidas S. Barbosa (leosilvab)
# Original question
I have a focal machine ("Ubuntu 20.04.6 LTS") with php 7.4 installed (7.4.3-4ubuntu2.19), a vulnerability scan warned me about CVE-2023-3824, CVE-2023-3823 in PHP but the following:
https://ubuntu.com/security/CVE-2023-3824
https://ubuntu.com/security/CVE-2023-3823
https://ubuntu.com/security/cves?q=&package=php7.4
It states that this machine is "Not vulnerable"; does anybody know how to get more details on this? I took a look into the packages changelog but there's no mention of the above CVEs.
# Wrong answer
I think the CVE descriptions are pretty clear, since they start with:
> In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 ...
It's blatantly obvious that PHP 7.4 is not affected by these.
So the conclusion is your vulnerability scan yields a false positive here.
# Correct answer
For CVE-2023-3824 for example you can see [the PHP issue](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv) and see the problem code referred to there in [`ext/phar/dirstream.c`](https://github.com/php/php-src/blob/be71cadc2f899bc39fe27098042139392e2187db/ext/phar/dirstream.c#L89C1-L116). You can see the fix that was applied (https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef) and see that the problem code existed and still exists in [the final php 7.4.33 code][1].
So yes, PHP 7.4 has that issue, it just isn't mentioned in the CVE because 7.4 is end of life and CNAs don't (have to) report on EOL software.
Ubuntu has not backported any fix. Grep the [source (7.4.3-4ubuntu2.19)](https://packages.ubuntu.com/source/focal-updates/php7.4) for `phar_dir_read` and you will find the vulnerable code and no patch. Once they backport they would mention it and https://ubuntu.com/security/CVE-2023-3824 would say something other than "Not vulnerable" against the 7.4 versions where it exists.
But well done to your security tool, some naive ones also misinterpret what the CVEs mean, whoever is working on your security tool has done the additional work to assess what EOL versions are affected too, not just import the CVE.
[1]: https://github.com/php/php-src/blob/php-7.4.33/ext/phar/dirstream.c#L92
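The grep-based check the report describes, as an added example that is not code from the bug report, PHP or Ubuntu: a POSIX sh script that classifies an `ext/phar/dirstream.c` by the two markers named above (`size_t to_read` for the unfixed `phar_dir_read`, `count != sizeof(` for the fixed one, assumed here to complete to `sizeof(php_stream_dirent)`) and separately checks whether a package changelog mentions the CVE. The function names and the stub inputs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report, PHP or Ubuntu. It automates the
# grep check the report describes: does ext/phar/dirstream.c carry the
# CVE-2023-3824 fix? Marker strings come from the report; the full fixed
# condition `count != sizeof(php_stream_dirent)` is assumed.
set -eu

# Print "patched", "vulnerable" or "unknown" for one dirstream.c path.
check_dirstream() {
    file="$1"
    [ -f "$file" ] || { echo "unknown"; return 0; }
    if grep -q 'count != sizeof(php_stream_dirent)' "$file"; then
        echo "patched"          # fixed phar_dir_read rejects odd-sized reads
    elif grep -q 'size_t to_read' "$file"; then
        echo "vulnerable"       # unfixed phar_dir_read sizes the copy itself
    else
        echo "unknown"          # restructured backport: review by hand
    fi
}

# Print "mentioned" or "absent": does a Debian changelog cite the CVE?
check_changelog() {
    if grep -q 'CVE-2023-3824' "$1" 2>/dev/null; then
        echo "mentioned"
    else
        echo "absent"
    fi
}

# Demo on constructed stand-ins (not real PHP sources or changelogs).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/old/ext/phar" "$d/new/ext/phar"
    printf '%s\n' 'static ssize_t phar_dir_read(php_stream *s, char *buf, size_t count)' \
        '{' '    size_t to_read;' '    /* constructed stub */' '}' \
        > "$d/old/ext/phar/dirstream.c"
    printf '%s\n' 'static ssize_t phar_dir_read(php_stream *s, char *buf, size_t count)' \
        '{' '    if (count != sizeof(php_stream_dirent)) {' '        return -1;' '    }' '}' \
        > "$d/new/ext/phar/dirstream.c"
    printf '%s\n' 'php7.4 (7.4.3-4ubuntu2.19) focal-security; urgency=medium' \
        '  * constructed entry with no CVE-2023-3824 line' > "$d/changelog"
    echo "old tree:  $(check_dirstream "$d/old/ext/phar/dirstream.c")"
    echo "new tree:  $(check_dirstream "$d/new/ext/phar/dirstream.c")"
    echo "changelog: $(check_changelog "$d/changelog")"
    rm -rf "$d"
}

demo
```

Point `check_dirstream` at an unpacked `apt source php7.4` tree and `check_changelog` at `/usr/share/doc/php7.4-common/changelog.Debian.gz` (after `zcat` to a file) to reproduce the report's finding on a real system; "unknown" means the backport, if any, does not use the upstream marker and needs a manual read.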