php: Backport fix CVE-2023-3247

Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Ashish Sharma <asharma@mvista.com> 2023-08-14 12:00:36 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-08-16 08:39:45 -0400
commit: 1ff41cb9c6c49373e7a5598e2e444af68428ca46 (patch)
tree: 3aafaa7349a7fe41527f03df98bec4c3555260c8
parent: 172fc48573ab66732ed193f00a49e1159727b402 (diff)
download: meta-openembedded-1ff41cb9c6c49373e7a5598e2e444af68428ca46.tar.gz
3 files changed, 118 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch
new file mode 100644
index 0000000000..db9e41796c
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch
@@ -0,0 +1,87 @@
+From ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sun, 16 Apr 2023 15:05:03 +0200
+Subject: [PATCH] Fix missing randomness check and insufficient random bytes
+ for SOAP HTTP Digest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If php_random_bytes_throw fails, the nonce will be uninitialized, but
+still sent to the server. The client nonce is intended to protect
+against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
+and bullet point 2 below.
+Tim pointed out that even though it's the MD5 of the nonce that gets sent,
+enumerating 31 bits is trivial. So we have still a stack information leak
+of 31 bits.
+Furthermore, Tim found the following issues:
+* The small size of cnonce might cause the server to erroneously reject
+  a request due to a repeated (cnonce, nc) pair. As per the birthday
+  problem 31 bits of randomness will return a duplication with 50%
+  chance after less than 55000 requests and nc always starts counting at 1.
+* The cnonce is intended to protect the client and password against a
+  malicious server that returns a constant server nonce where the server
+  precomputed a rainbow table between passwords and correct client response.
+  As storage is fairly cheap, a server could precompute the client responses
+  for (a subset of) client nonces and still have a chance of reversing the
+  client response with the same probability as the cnonce duplication.
+  Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
+  table size by factor 2 billion, which is infeasible. But precomputing it
+  for 2^14 cnonces only increases the table size by factor 16k and the server
+  would still have a 10% chance of successfully reversing a password with a
+  single client request.
+This patch fixes the issues by increasing the nonce size, and checking
+the return value of php_random_bytes_throw(). In the process we also get
+rid of the MD5 hashing of the nonce.
+[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616
+Co-authored-by: Tim Düsterhus <timwolla@php.net>
+Upstream-Status: Backport [https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6]
+CVE: CVE-2023-3247
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ ext/soap/php_http.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
+index 1da286ad875f..e796dba9619a 100644
+--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
+@@ -664,18 +664,23 @@ int make_http_soap_request(zval        *this_ptr,
+                        if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) {
+                                if (Z_TYPE_P(digest) == IS_ARRAY) {
+                                        char          HA1[33], HA2[33], response[33], cnonce[33], nc[9];
+-                                       zend_long     nonce;
+                                       unsigned char nonce[16];
+                                        PHP_MD5_CTX   md5ctx;
+                                        unsigned char hash[16];
+ 
+-                                       php_random_bytes_throw(&nonce, sizeof(nonce));
+-                                       nonce &= 0x7fffffff;
+                                       if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
+                                               ZEND_ASSERT(EG(exception));
+                                               php_stream_close(stream);
+                                               convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
+                                               convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
+                                               convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
+                                               smart_str_free(&soap_headers_z);
+                                               smart_str_free(&soap_headers);
+                                               return FALSE;
+                                       }
+ 
+-                                       PHP_MD5Init(&md5ctx);
+-                                       snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce);
+-                                       PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce));
+-                                       PHP_MD5Final(hash, &md5ctx);
+-                                       make_digest(cnonce, hash);
+                                       php_hash_bin2hex(cnonce, nonce, sizeof(nonce));
+                                       cnonce[32] = 0;
+ 
+                                        if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL &&
+                                            Z_TYPE_P(tmp) == IS_LONG) {
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch
new file mode 100644
index 0000000000..80c1961aa1
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch
@@ -0,0 +1,29 @@
+From 32c7c433ac1983c4497349051681a4f361d3d33e Mon Sep 17 00:00:00 2001
+From: Pierrick Charron <pierrick@php.net>
+Date: Tue, 6 Jun 2023 18:49:32 -0400
+Subject: [PATCH] Fix wrong backporting of previous soap patch
+Upstream-Status: Backport [https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e]
+CVE: CVE-2023-3247
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ ext/soap/php_http.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
+index 77ed21d4f0f4..37250a6bdcd1 100644
+--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
+@@ -672,9 +672,9 @@ int make_http_soap_request(zval        *this_ptr,
+                                        if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
+                                                ZEND_ASSERT(EG(exception));
+                                                php_stream_close(stream);
+-                                               convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
+-                                               convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
+-                                               convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
+                                               zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1);
+                                               zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1);
+                                               zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1);
+                                                smart_str_free(&soap_headers_z);
+                                                smart_str_free(&soap_headers);
+                                                return FALSE;
diff --git a/meta-oe/recipes-devtools/php/php_7.4.33.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb
index caaaa23426..cde482079e 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.33.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -30,6 +30,8 @@ SRC_URI_append_class-target = " \
            file://phar-makefile.patch \
            file://0001-opcache-config.m4-enable-opcache.patch \
            file://xfail_two_bug_tests.patch \
+            file://CVE-2023-3247-1.patch \
+            file://CVE-2023-3247-2.patch \
          "
 S = "${WORKDIR}/php-${PV}"
author	Ashish Sharma <asharma@mvista.com>	2023-08-14 12:00:36 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-08-16 08:39:45 -0400
commit	1ff41cb9c6c49373e7a5598e2e444af68428ca46 (patch)
tree	3aafaa7349a7fe41527f03df98bec4c3555260c8
parent	172fc48573ab66732ed193f00a49e1159727b402 (diff)
download	meta-openembedded-1ff41cb9c6c49373e7a5598e2e444af68428ca46.tar.gz

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch new file mode 100644 index 0000000000..db9e41796c --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch
@@ -0,0 +1,87 @@
		1	From ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 Mon Sep 17 00:00:00 2001
		2	From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
		3	Date: Sun, 16 Apr 2023 15:05:03 +0200
		4	Subject: [PATCH] Fix missing randomness check and insufficient random bytes
		5	for SOAP HTTP Digest
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	If php_random_bytes_throw fails, the nonce will be uninitialized, but
		11	still sent to the server. The client nonce is intended to protect
		12	against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
		13	and bullet point 2 below.
		14
		15	Tim pointed out that even though it's the MD5 of the nonce that gets sent,
		16	enumerating 31 bits is trivial. So we have still a stack information leak
		17	of 31 bits.
		18
		19	Furthermore, Tim found the following issues:
		20	* The small size of cnonce might cause the server to erroneously reject
		21	a request due to a repeated (cnonce, nc) pair. As per the birthday
		22	problem 31 bits of randomness will return a duplication with 50%
		23	chance after less than 55000 requests and nc always starts counting at 1.
		24	* The cnonce is intended to protect the client and password against a
		25	malicious server that returns a constant server nonce where the server
		26	precomputed a rainbow table between passwords and correct client response.
		27	As storage is fairly cheap, a server could precompute the client responses
		28	for (a subset of) client nonces and still have a chance of reversing the
		29	client response with the same probability as the cnonce duplication.
		30
		31	Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
		32	table size by factor 2 billion, which is infeasible. But precomputing it
		33	for 2^14 cnonces only increases the table size by factor 16k and the server
		34	would still have a 10% chance of successfully reversing a password with a
		35	single client request.
		36
		37	This patch fixes the issues by increasing the nonce size, and checking
		38	the return value of php_random_bytes_throw(). In the process we also get
		39	rid of the MD5 hashing of the nonce.
		40
		41	[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616
		42
		43	Co-authored-by: Tim Düsterhus <timwolla@php.net>
		44
		45	Upstream-Status: Backport [https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6]
		46	CVE: CVE-2023-3247
		47	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		48
		49	ext/soap/php_http.c \| 21 +++++++++++++--------
		50	1 file changed, 13 insertions(+), 8 deletions(-)
		51
		52	diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
		53	index 1da286ad875f..e796dba9619a 100644
		54	--- a/ext/soap/php_http.c
		55	+++ b/ext/soap/php_http.c
		56	@@ -664,18 +664,23 @@ int make_http_soap_request(zval *this_ptr,
		57	if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) {
		58	if (Z_TYPE_P(digest) == IS_ARRAY) {
		59	char HA1[33], HA2[33], response[33], cnonce[33], nc[9];
		60	- zend_long nonce;
		61	+ unsigned char nonce[16];
		62	PHP_MD5_CTX md5ctx;
		63	unsigned char hash[16];
		64
		65	- php_random_bytes_throw(&nonce, sizeof(nonce));
		66	- nonce &= 0x7fffffff;
		67	+ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
		68	+ ZEND_ASSERT(EG(exception));
		69	+ php_stream_close(stream);
		70	+ convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
		71	+ convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
		72	+ convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
		73	+ smart_str_free(&soap_headers_z);
		74	+ smart_str_free(&soap_headers);
		75	+ return FALSE;
		76	+ }
		77
		78	- PHP_MD5Init(&md5ctx);
		79	- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce);
		80	- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce));
		81	- PHP_MD5Final(hash, &md5ctx);
		82	- make_digest(cnonce, hash);
		83	+ php_hash_bin2hex(cnonce, nonce, sizeof(nonce));
		84	+ cnonce[32] = 0;
		85
		86	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL &&
		87	Z_TYPE_P(tmp) == IS_LONG) {


diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch new file mode 100644 index 0000000000..80c1961aa1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch
@@ -0,0 +1,29 @@
		1	From 32c7c433ac1983c4497349051681a4f361d3d33e Mon Sep 17 00:00:00 2001
		2	From: Pierrick Charron <pierrick@php.net>
		3	Date: Tue, 6 Jun 2023 18:49:32 -0400
		4	Subject: [PATCH] Fix wrong backporting of previous soap patch
		5
		6	Upstream-Status: Backport [https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e]
		7	CVE: CVE-2023-3247
		8	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		9
		10	ext/soap/php_http.c \| 6 +++---
		11	1 file changed, 3 insertions(+), 3 deletions(-)
		12
		13	diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
		14	index 77ed21d4f0f4..37250a6bdcd1 100644
		15	--- a/ext/soap/php_http.c
		16	+++ b/ext/soap/php_http.c
		17	@@ -672,9 +672,9 @@ int make_http_soap_request(zval *this_ptr,
		18	if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
		19	ZEND_ASSERT(EG(exception));
		20	php_stream_close(stream);
		21	- convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
		22	- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
		23	- convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
		24	+ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1);
		25	+ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1);
		26	+ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1);
		27	smart_str_free(&soap_headers_z);
		28	smart_str_free(&soap_headers);
		29	return FALSE;


diff --git a/meta-oe/recipes-devtools/php/php_7.4.33.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb index caaaa23426..cde482079e 100644 --- a/meta-oe/recipes-devtools/php/php_7.4.33.bb +++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -30,6 +30,8 @@ SRC_URI_append_class-target = " \
30	file://phar-makefile.patch \	30	file://phar-makefile.patch \
31	file://0001-opcache-config.m4-enable-opcache.patch \	31	file://0001-opcache-config.m4-enable-opcache.patch \
32	file://xfail_two_bug_tests.patch \	32	file://xfail_two_bug_tests.patch \
		33	file://CVE-2023-3247-1.patch \
		34	file://CVE-2023-3247-2.patch \
33	"	35	"
34		36
35	S = "${WORKDIR}/php-${PV}"	37	S = "${WORKDIR}/php-${PV}"