docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

Malicious in php-8.2.4.tar.xz #1394

Closed evgnblkn closed 7 months ago

evgnblkn commented 1 year ago

Hi! Does this archive contain the malicious bug81726.gz file? Its path is ext/phar/tests. This php archive file is loaded in Dockerfile on line 64:

ENV PHP_URL="https://www.php.net/distributions/php-8.2.4.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-8.2.4.tar.xz.asc"

On the VirusTotal website, 3 vendors identify it as Trojan-ArcBomb.GZip.Agent.e. https://www.virustotal.com/gui/file/74d8c6721497c7103c082d489ed913d5cf509ed44520f0e15a55302e1faacb8f/detection.

evgnblkn commented 1 year ago

Due to the fact that this file remains in the layers of the image, antivirus programs can detect it as malicious and block use in prod or try to delete it. Probably the tests folder in the php archive is not needed at all.

yosifkit commented 1 year ago

That is unfortunate. We leave the tar.xz so that users can add/compile PHP extensions. We do not want to modify the tar.xz as that would ruin the ability to re-verify that it is what upstream published.

g5wx commented 1 year ago

So is this image safe to use?

tianon commented 1 year ago

That depends on your use case and what you plan to do with it, and is definitely not something we can answer for you (generally).

However, it is extremely unlikely that anything you do with this image is going to be affected in any way (positively or negatively) by the inclusion of this file in the source tarball's test data.

alef-carvalho commented 12 months ago

I also had the same problem. Detected by Kaspersky Antivirus

cadeath commented 4 months ago

php-8.3.4\ext\phar\tests\bug81726.gz is the affected file, and it contains a "quine.gz" file that is malicious. When you extract it, another quine.gz file is shown, and it is recursive.

Is this corrupted or truly malicious?

yosifkit commented 4 months ago

On its own, the bug81726.gz is neither malicious nor corrupt. It is just the source for testing that the named bug is fixed (https://bugs.php.net/bug.php?id=81726).

mavlutovr commented 3 months ago

I made docker-compose images of my application for a company. And when the company checks these images, their antivirus tells them that the application has a virus:

docker3_php_1.tar\0bdbf8f5c21217afca86bf69d34314f4c07d62d4703d61d7fc1ffa7d76f51915\layer.tar\usr\src\php.tar.xz\php.tar\php-8.2.17\ext\phar\tests\bug81726.gz

Because the file bug81726.gz works as a Zip Bomb.

I can remove the file from docker container by:

RUN rm -f /usr/src/php.tar.xz

But in this case the file stays inside image layers. And when I save php image by:

docker save -o ./images/docker3_php_1.tar php

Antivirus says that the image contains the virus.

How can I solve the issue? How can I remove the file from php image?

yosifkit commented 3 months ago

@mavlutovr, because of docker image layering, you have to remove it in the same docker layer it is added. There are many ways to do so; here are a few

Or, avoid it altogether and don't use the php:* images; just use a base distro like debian and install php from distro-provided packages.
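As an added example (not code from this issue thread or from the docker-library/php project), the script below walks a `docker save` tarball offline and reports which layer still carries a file such as ext/phar/tests/bug81726.gz, following into nested archives like /usr/src/php.tar.xz the way the scanner path in the thread does. It also peeks at a flagged gzip with an output cap, so a recursive or highly compressible member is recognised without being expanded. The sample image, the 64 MiB expansion cap, the 64-byte peek and the nested-gzip stand-in for the real quine are all constructed for this example; the `.wh.` whiteout entry models what a later `RUN rm -f` leaves behind in the legacy docker-save layout.

```python
import gzip
import io
import lzma
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_NESTED = 64 * 1024 * 1024   # cap for any nested .xz expanded in memory (assumption)
PEEK_BYTES = 64                 # how much gzip output we are willing to look at


def gzip_payload_is_gzip(data, max_out=PEEK_BYTES):
    """Decompress at most max_out bytes of a gzip member and report whether the
    output itself begins with a gzip header. A nested/recursive gzip (like the
    quine described in the thread) is recognised this way without expanding it."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    try:
        head = d.decompress(data, max_out)
    except zlib.error:
        return False
    return head.startswith(GZIP_MAGIC)


def decompress_xz_capped(blob):
    """Expand an .xz blob, refusing to produce more than MAX_NESTED bytes."""
    d = lzma.LZMADecompressor()
    out = d.decompress(blob, MAX_NESTED)
    if not d.eof:
        raise ValueError("nested .xz exceeds the in-memory cap")
    return out


def open_tar(blob, name):
    """Open a tar or tar.xz held in memory; None if it is not a readable tar."""
    try:
        if name.endswith(".xz"):
            blob = decompress_xz_capped(blob)
        return tarfile.open(fileobj=io.BytesIO(blob), mode="r:")
    except (lzma.LZMAError, ValueError, tarfile.ReadError):
        return None


def find_in_archive(blob, name, suffix, trail, hits):
    """Walk nested tar archives, appending (path_components, bytes) for each
    regular file whose name ends with suffix."""
    tf = open_tar(blob, name)
    if tf is None:
        return
    for m in tf.getmembers():
        base = m.name.rsplit("/", 1)[-1]
        # .wh.<name> entries are the whiteouts a later `rm` leaves in docker-save
        # layers; they mark a deletion but remove no bytes from earlier layers.
        if not m.isfile() or base.startswith(".wh."):
            continue
        path = trail + [m.name]
        data = tf.extractfile(m).read()
        if m.name.endswith(suffix):
            hits.append((path, data))
        if m.name.endswith((".tar", ".tar.xz")):
            find_in_archive(data, m.name, suffix, path, hits)


def scan_image(image_tar, suffix="ext/phar/tests/bug81726.gz"):
    """Scan a `docker save` tarball and report every layer that still carries a
    file ending in suffix, even inside nested archives such as /usr/src/php.tar.xz."""
    found = []
    tf = tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:")
    for m in tf.getmembers():
        if not (m.isfile() and m.name.endswith("layer.tar")):
            continue
        hits = []
        find_in_archive(tf.extractfile(m).read(), m.name, suffix, [], hits)
        for path, data in hits:
            found.append({"layer": m.name.split("/")[0],
                          "path": "/".join(path),
                          "nested_gzip": gzip_payload_is_gzip(data)})
    return found


# ---- constructed sample image (stand-in data, not the real php tarball) ----
def make_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# A gzip whose payload is another gzip stands in for the recursive quine.
SAMPLE_GZ = gzip.compress(gzip.compress(b"constructed stand-in for quine.gz"))


def build_sample_image():
    src = make_tar({"php-8.2.17/ext/phar/tests/bug81726.gz": SAMPLE_GZ,
                    "php-8.2.17/README.md": b"constructed"})
    layer_a = make_tar({"usr/src/php.tar.xz": lzma.compress(src)})  # layer that adds the tarball
    layer_b = make_tar({"usr/src/.wh.php.tar.xz": b"",               # later RUN rm -f
                        "usr/local/bin/php": b"#!/bin/sh\n"})
    return make_tar({"a" * 64 + "/layer.tar": layer_a,
                     "b" * 64 + "/layer.tar": layer_b,
                     "manifest.json": b"[]"})


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(hit)
```

Run against a real `docker save -o image.tar php` output by passing the file's bytes to `scan_image`; the report names the layer id, so you can see that a later `rm -f` layer only adds a whiteout while the earlier layer keeps the file, which is why the removal has to happen in the same layer that added it.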