remicollet / php-src-security

Security backports for EOL versions of PHP.

CVE-2024-1874 - Command injection via array-ish $command parameter of proc_open #14

Closed remicollet closed 7 months ago

remicollet commented 7 months ago

This needs to be backported

As this is a Windows-only issue, I'm not able to do the work, the test build, and run the test suite.

Help welcome on this one ping @Jan-E

Backported in

Jan-E commented 7 months ago

I do not see any commit to be backported yet. Nor any reference in the NEWS of the master branch of php-src. Where can I find more info?

Jan-E commented 7 months ago

Found it in the NEWS of PHP-8.1.28: https://github.com/php/php-src/blob/PHP-8.1.28/NEWS

I will have a look in due time.

remicollet commented 7 months ago

And for memory, this is the related commit (code + new tests): https://github.com/php/php-src/commit/e3c784f2bfb6029b49d27783b2efc87ee6923f79

Jan-E commented 7 months ago

https://github.com/php/php-src/commit/7ad6ff7d5c0c6909c6aad86293669155a3ad2f7e in the PHP-8.1 branch.

Jan-E commented 7 months ago

https://github.com/remicollet/php-src-security/pull/15

Jan-E commented 7 months ago

This needs to be backported

As this is a Windows-only issue, I'm not able to do the work, the test build, and run the test suite.

Help welcome on this one ping @Jan-E

Backported in

  • [x] 8.0
  • [ ] 7.4
  • [ ] 7.3
  • [ ] 7.2
  • [ ] 7.1
  • [ ] 7.0
  • [ ] 5.6

Yeah, I know...

Jan-E commented 7 months ago

The possibility to use proc_open() with a command array was introduced in PHP 7.4: https://github.com/php/php-src/commit/8be051015e04ce6151da77581922eea65330f354

IMHO backporting to PHP 7.3 and earlier is not needed.

remicollet commented 7 months ago

IMHO backporting to PHP 7.3 and earlier is not needed.

Indeed (from a quick look)

remicollet commented 7 months ago

Thanks a lot to @Jan-E for doing the backports