Comment 1 for bug 2054511

Daniel Tang (daniel-z-tg) wrote :

# Original question

I have a focal machine ("Ubuntu 20.04.6 LTS") with php 7.4 installed (7.4.3-4ubuntu2.19), a vulnerability scan warned me about CVE-2023-3824, CVE-2023-3823 in PHP but the following:

https://ubuntu.com/security/CVE-2023-3824

https://ubuntu.com/security/CVE-2023-3823

https://ubuntu.com/security/cves?q=&package=php7.4

They state that this machine is "Not vulnerable"; does anybody know how to get more details on this? I took a look into the package's changelog but there's no mention of the above CVEs.

# Wrong answer

I think the CVE descriptions are pretty clear, since they start with:

> In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 ...

It's blatantly obvious that PHP 7.4 is not affected by these.

So the conclusion is your vulnerability scan yields a false positive here.

# Correct answer

For CVE-2023-3824 for example you can see [the PHP issue](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv) and see the problem code referred to there in [`ext/phar/dirstream.c`](https://github.com/php/php-src/blob/be71cadc2f899bc39fe27098042139392e2187db/ext/phar/dirstream.c#L89C1-L116). You can see the fix that was applied (https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef) and see that the problem code existed and still exists in [the final php 7.4.33 code][1].

So yes, PHP 7.4 has that issue, it just isn't mentioned in the CVE because 7.4 is end of life and CNAs don't (have to) report on EOL software.

Ubuntu has not backported any fix. Grep the [source (7.4.3-4ubuntu2.19)](https://packages.ubuntu.com/source/focal-updates/php7.4) for `phar_dir_read` and you will find the vulnerable code and no patch. Once they backport it they would mention it, and https://ubuntu.com/security/CVE-2023-3824 would say something other than "Not vulnerable" against the 7.4 versions where it exists.

But well done to your security tool. Some naive ones also misinterpret what the CVEs mean; whoever is working on your security tool has done the additional work to assess which EOL versions are affected too, not just imported the CVE.

  [1]: https://github.com/php/php-src/blob/php-7.4.33/ext/phar/dirstream.c#L92
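To make the "problem code" concrete, below is a constructed C model of the `phar_dir_read()` defect and of its hardened form, added here as an illustration; it is not php-src code and not part of the original comment. The pre-fix shape (length check of `count < key_len` only, terminator written at `d_name[to_read + 1]`) and the post-fix shape (reject a `count` that is not a whole dirent, reject any name that does not fit with its NUL) are assumptions taken from reading the advisory and fix commit linked above; `MODEL_MAXPATHLEN`, `model_dirent` (just a `d_name` array, no other fields) and the `probe()` harness with its two-byte canary are all constructed for this example. The real `php_stream_dirent`, its callers and the `HashTable` iteration are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not php-src. MAXPATHLEN is assumed to be 4096 (Linux);
 * php_stream_dirent is modelled as nothing but the d_name array. */
#define MODEL_MAXPATHLEN 4096

typedef struct {
    char d_name[MODEL_MAXPATHLEN];
} model_dirent;

/* Assumed pre-fix shape: the only bound is count < key_len, and the NUL is
 * stored at d_name[to_read + 1], i.e. two bytes past the copied name. For a
 * name of MAXPATHLEN - 1 or MAXPATHLEN bytes that index is past the struct. */
static long dir_read_vulnerable(const char *key, size_t key_len, char *buf, size_t count)
{
    size_t to_read = key_len < count ? key_len : count;
    if (to_read == 0 || count < key_len) {
        return -1;
    }
    memset(buf, 0, sizeof(model_dirent));
    memcpy(buf, key, to_read);
    ((model_dirent *)buf)->d_name[to_read + 1] = '\0';   /* out of bounds when to_read + 1 >= MAXPATHLEN */
    return (long)sizeof(model_dirent);
}

/* Assumed post-fix shape: the caller must hand over a whole dirent, a name
 * that cannot fit together with its NUL is rejected, and the terminator goes
 * at key_len, never beyond the array. */
static long dir_read_fixed(const char *key, size_t key_len, char *buf, size_t count)
{
    model_dirent *dirent = (model_dirent *)buf;
    if (count != sizeof(model_dirent)) {
        return -1;
    }
    if (key_len >= sizeof(dirent->d_name)) {
        return -1;
    }
    memset(dirent, 0, sizeof(*dirent));
    memcpy(dirent->d_name, key, key_len);
    dirent->d_name[key_len] = '\0';
    return (long)sizeof(model_dirent);
}

typedef long (*dir_read_fn)(const char *, size_t, char *, size_t);

/* Constructed harness: a dirent followed by a two-byte 0xAA canary, fed a
 * directory name of name_len 'a' bytes. Returns 1 if the canary was
 * overwritten, 0 if it is intact and the read succeeded, -1 if it is intact
 * and the read was rejected. */
static int probe(dir_read_fn fn, size_t name_len)
{
    size_t block_len = sizeof(model_dirent) + 2;
    unsigned char *block = malloc(block_len);
    char *name = malloc(name_len + 1);
    long rc;
    int clobbered;

    memset(name, 'a', name_len);
    name[name_len] = '\0';
    memset(block, 0xAA, block_len);

    rc = fn(name, name_len, (char *)block, sizeof(model_dirent));
    clobbered = block[block_len - 2] != 0xAA || block[block_len - 1] != 0xAA;

    free(name);
    free(block);
    if (clobbered) {
        return 1;
    }
    return rc < 0 ? -1 : 0;
}

int main(void)
{
    size_t lens[] = { 16, MODEL_MAXPATHLEN - 1, MODEL_MAXPATHLEN };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int v = probe(dir_read_vulnerable, lens[i]);
        int f = probe(dir_read_fixed, lens[i]);
        printf("name_len=%zu  vulnerable=%2d  fixed=%2d\n", lens[i], v, f);
    }
    return 0;
}
```

The point of the canary is that the write is tiny (one or two NUL bytes just past the dirent) and therefore easy to miss in a code read; a short name behaves identically in both versions, and only a name of length MAXPATHLEN - 1 or MAXPATHLEN separates the two. When auditing the focal source, the thing to look for is whether the copy is still bounded by `count < key_len` alone or by the size of `d_name`.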