php/php-cve-2024-3096.patch

From 81794c73068d9a44bf109bbcc9793e7b56a1c051 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Fri, 29 Mar 2024 15:27:59 +0000
Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
 erroneously return true

Disallow null character in bcrypt password

(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
---
 ext/standard/password.c                                 | 5 +++++
 ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/ext/standard/password.c b/ext/standard/password.c
index fb29e7bbba4..40117983f70 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
 	zval *zcost;
 	zend_long cost = PHP_PASSWORD_BCRYPT_COST;
 
+	if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+		zend_value_error("Bcrypt password must not contain null character");
+		return NULL;
+	}
+
 	if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
 		cost = zval_get_long(zcost);
 	}
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
index 10c3483f5a8..5d823cba021 100644
--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
+++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -14,7 +14,14 @@ try {
 } catch (ValueError $exception) {
     echo $exception->getMessage() . "\n";
 }
+
+try {
+    var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
 ?>
 --EXPECT--
 Invalid bcrypt cost parameter specified: 3
 Invalid bcrypt cost parameter specified: 32
+Bcrypt password must not contain null character
-- 
2.44.0

From 24f77904ee2259d722559f129f96a1f145a2367b Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 10 Apr 2024 09:01:09 +0200
Subject: [PATCH 4/4] NEWS

---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/NEWS b/NEWS
index 14fda3a58b9..8b4801d707e 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ Backported from 8.1.28
 - Standard:
   . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
     partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
+  . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
+    opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
 
 03 Aug 2023, PHP 8.0.30
 
-- 
2.44.0
Fix Leak partial content of the heap through heap buffer over-read CVE-2024-8929 Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233 Fix cgi.force_redirect configuration is bypassable due to the environment variable collision CVE-2024-8927 Fix Logs from childrens may be altered CVE-2024-9026 Fix Erroneous parsing of multipart form data CVE-2024-8925 Fix filter bypass in filter_var FILTER_VALIDATE_URL CVE-2024-5458 Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 Fix password_verify can erroneously return true opening ATO risk CVE-2024-3096 Resolves: RHEL-71275 2025-01-21 14:36:05 +00:00			`From 81794c73068d9a44bf109bbcc9793e7b56a1c051 Mon Sep 17 00:00:00 2001`
			`From: Jakub Zelenka <bukka@php.net>`
			`Date: Fri, 29 Mar 2024 15:27:59 +0000`
			`Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can`
			`erroneously return true`

			`Disallow null character in bcrypt password`

			`(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)`
			`---`
			`ext/standard/password.c \| 5 +++++`
			`ext/standard/tests/password/password_bcrypt_errors.phpt \| 7 +++++++`
			`2 files changed, 12 insertions(+)`

			`diff --git a/ext/standard/password.c b/ext/standard/password.c`
			`index fb29e7bbba4..40117983f70 100644`
			`--- a/ext/standard/password.c`
			`+++ b/ext/standard/password.c`
			`@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a`
			`zval *zcost;`
			`zend_long cost = PHP_PASSWORD_BCRYPT_COST;`

			`+ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {`
			`+ zend_value_error("Bcrypt password must not contain null character");`
			`+ return NULL;`
			`+ }`
			`+`
			`if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {`
			`cost = zval_get_long(zcost);`
			`}`
			`diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt`
			`index 10c3483f5a8..5d823cba021 100644`
			`--- a/ext/standard/tests/password/password_bcrypt_errors.phpt`
			`+++ b/ext/standard/tests/password/password_bcrypt_errors.phpt`
			`@@ -14,7 +14,14 @@ try {`
			`} catch (ValueError $exception) {`
			`echo $exception->getMessage() . "\n";`
			`}`
			`+`
			`+try {`
			`+ var_dump(password_hash("null\0password", PASSWORD_BCRYPT));`
			`+} catch (ValueError $e) {`
			`+ echo $e->getMessage(), "\n";`
			`+}`
			`?>`
			`--EXPECT--`
			`Invalid bcrypt cost parameter specified: 3`
			`Invalid bcrypt cost parameter specified: 32`
			`+Bcrypt password must not contain null character`
			`--`
			`2.44.0`

			`From 24f77904ee2259d722559f129f96a1f145a2367b Mon Sep 17 00:00:00 2001`
			`From: Remi Collet <remi@remirepo.net>`
			`Date: Wed, 10 Apr 2024 09:01:09 +0200`
			`Subject: [PATCH 4/4] NEWS`

			`---`
			`NEWS \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/NEWS b/NEWS`
			`index 14fda3a58b9..8b4801d707e 100644`
			`--- a/NEWS`
			`+++ b/NEWS`
			`@@ -6,6 +6,8 @@ Backported from 8.1.28`
			`- Standard:`
			`. Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to`
			`partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)`
			`+ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,`
			`+ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)`

			`03 Aug 2023, PHP 8.0.30`

			`--`
			`2.44.0`