Fedora 41 : php (2024-3891a08c9e)

critical Nessus Plugin ID 211742

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-3891a08c9e advisory.

**PHP version 8.3.14** (21 Nov 2024)

**CLI:**

* Fixed bug [GH-16373](https://github.com/php/php-src/issues/16373) (Shebang is not skipped for router script in cli-server started through shebang). (ilutov)
* Fixed bug [GHSA-4w77-75f9-2c8w](https://github.com/php/php-src/security/advisories/GHSA-4w77-75f9-2c8w) (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface). (nielsdos)

**COM:**

* Fixed out of bound writes to SafeArray data. (cmb)

**Core:**

* Fixed bug [GH-16168](https://github.com/php/php-src/issues/16168) (php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15). (nielsdos)
* Fixed bug [GH-16371](https://github.com/php/php-src/issues/16371) (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
* Fixed bug [GH-16515](https://github.com/php/php-src/issues/16515) (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline). (ilutov)
* Fixed bug [GH-16509](https://github.com/php/php-src/issues/16509) (Incorrect line number in function redeclaration error). (ilutov)
* Fixed bug [GH-16508](https://github.com/php/php-src/issues/16508) (Incorrect line number in inheritance errors of delayed early bound classes). (ilutov)
* Fixed bug [GH-16648](https://github.com/php/php-src/issues/16648) (Use-after-free during array sorting). (ilutov)

**Curl:**

* Fixed bug [GH-16302](https://github.com/php/php-src/issues/16302) (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails). (timwolla)

**Date:**

* Fixed bug [GH-16454](https://github.com/php/php-src/issues/16454) (Unhandled INF in date_sunset() with tiny $utcOffset). (cmb)
* Fixed bug [GH-14732](https://github.com/php/php-src/issues/14732) (date_sun_info() fails for non-finite values). (cmb)

**DBA:**

* Fixed bug [GH-16390](https://github.com/php/php-src/issues/16390) (dba_open() can segfault for pathless streams). (cmb)

**DOM:**

* Fixed bug [GH-16316](https://github.com/php/php-src/issues/16316) (DOMXPath breaks when not initialized properly). (nielsdos)
* Add missing hierarchy checks to replaceChild. (nielsdos)
* Fixed bug [GH-16336](https://github.com/php/php-src/issues/16336) (Attribute intern document mismanagement). (nielsdos)
* Fixed bug [GH-16338](https://github.com/php/php-src/issues/16338) (Null-dereference in ext/dom/node.c). (nielsdos)
* Fixed bug [GH-16473](https://github.com/php/php-src/issues/16473) (dom_import_simplexml stub is wrong). (nielsdos)
* Fixed bug [GH-16533](https://github.com/php/php-src/issues/16533) (Segfault when adding attribute to parent that is not an element). (nielsdos)
* Fixed bug [GH-16535](https://github.com/php/php-src/issues/16535) (UAF when using document as a child). (nielsdos)
* Fixed bug [GH-16593](https://github.com/php/php-src/issues/16593) (Assertion failure in DOM->replaceChild). (nielsdos)
* Fixed bug [GH-16595](https://github.com/php/php-src/issues/16595) (Another UAF in DOM -> cloneNode). (nielsdos)

**EXIF:**

* Fixed bug [GH-16409](https://github.com/php/php-src/issues/16409) (Segfault in exif_thumbnail when not dealing with a real file). (nielsdos, cmb)

**FFI:**

* Fixed bug [GH-16397](https://github.com/php/php-src/issues/16397) (Segmentation fault when comparing FFI object). (nielsdos)

**Filter:**

* Fixed bug [GH-16523](https://github.com/php/php-src/issues/16523) (FILTER_FLAG_HOSTNAME accepts ending hyphen). (cmb)

**FPM:**

* Fixed bug [GH-16628](https://github.com/php/php-src/issues/16628) (FPM logs are getting corrupted with this log statement). (nielsdos)

**GD:**

* Fixed bug [GH-16334](https://github.com/php/php-src/issues/16334) (imageaffine overflow on matrix elements). (David Carlier)
* Fixed bug [GH-16427](https://github.com/php/php-src/issues/16427) (Unchecked libavif return values). (cmb)
* Fixed bug [GH-16559](https://github.com/php/php-src/issues/16559) (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007). (nielsdos)

**GMP:**

* Fixed floating point exception bug with gmp_pow when using large exponent values. (David Carlier)
* Fixed bug [GH-16411](https://github.com/php/php-src/issues/16411) (gmp_export() can cause overflow). (cmb)
* Fixed bug [GH-16501](https://github.com/php/php-src/issues/16501) (gmp_random_bits() can cause overflow). (David Carlier)
* Fixed gmp_pow() overflow bug with large base/exponents. (David Carlier)
* Fixed segfaults and other issues related to operator overloading with GMP objects. (Girgias)

**LDAP:**

* Fixed bug [GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff) (OOB access in ldap_escape). (**CVE-2024-8932**) (nielsdos)

**MBstring:**

* Fixed bug [GH-16361](https://github.com/php/php-src/issues/16361) (mb_substr overflow on start/length arguments). (David Carlier)

**MySQLnd:**

* Fixed bug [GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678) (Leak partial content of the heap through heap buffer over-read). (**CVE-2024-8929**) (Jakub Zelenka)

**Opcache:**

* Fixed bug [GH-16408](https://github.com/php/php-src/issues/16408) (Array to string conversion warning emitted in optimizer). (ilutov)

**OpenSSL:**

* Fixed bug [GH-16357](https://github.com/php/php-src/issues/16357) (openssl may modify member types of certificate arrays). (cmb)
* Fixed bug [GH-16433](https://github.com/php/php-src/issues/16433) (Large values for openssl_csr_sign() $days overflow). (cmb)
* Fix various memory leaks on error conditions in openssl_x509_parse(). (nielsdos)

**PDO DBLIB:**

* Fixed bug [GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv) (Integer overflow in the dblib quoter causing OOB writes). (**CVE-2024-11236**) (nielsdos)

**PDO Firebird:**

* Fixed bug [GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv) (Integer overflow in the firebird quoter causing OOB writes). (**CVE-2024-11236**) (nielsdos)

**PDO ODBC:**

* Fixed bug [GH-16450](https://github.com/php/php-src/issues/16450) (PDO_ODBC can inject garbage into field values). (cmb)

**Phar:**

* Fixed bug [GH-16406](https://github.com/php/php-src/issues/16406) (Assertion failure in ext/phar/phar.c:2808). (nielsdos)

**PHPDBG:**

* Fixed bug [GH-16174](https://github.com/php/php-src/issues/16174) (Empty string is an invalid expression for ev). (cmb)

**Reflection:**

* Fixed bug [GH-16601](https://github.com/php/php-src/issues/16601) (Memory leak in Reflection constructors). (nielsdos)

**Session:**

* Fixed bug [GH-16385](https://github.com/php/php-src/issues/16385) (Unexpected null returned by session_set_cookie_params). (nielsdos)
* Fixed bug [GH-16290](https://github.com/php/php-src/issues/16290) (overflow on cookie_lifetime ini value). (David Carlier)

**SOAP:**

* Fixed bug [GH-16318](https://github.com/php/php-src/issues/16318) (Recursive array segfaults soap encoding). (nielsdos)
* Fixed bug [GH-16429](https://github.com/php/php-src/issues/16429) (Segmentation fault access null pointer in SoapClient). (nielsdos)

**Sockets:**

* Fixed overflow bug with the socket_recvfrom() $length argument. (David Carlier)

**SPL:**

* Fixed bug [GH-16337](https://github.com/php/php-src/issues/16337) (Use-after-free in SplHeap). (nielsdos)
* Fixed bug [GH-16464](https://github.com/php/php-src/issues/16464) (Use-after-free in SplDoublyLinkedList::offsetSet()). (ilutov)
* Fixed bug [GH-16479](https://github.com/php/php-src/issues/16479) (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
* Fixed bug [GH-16478](https://github.com/php/php-src/issues/16478) (Use-after-free in SplFixedArray::unset()). (ilutov)
* Fixed bug [GH-16588](https://github.com/php/php-src/issues/16588) (UAF in Observer->serialize). (nielsdos)
* Fixed bug [GH-16477](https://github.com/php/php-src/issues/16477) (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor). (Girgias)
* Fixed bug [GH-16589](https://github.com/php/php-src/issues/16589) (UAF in SplDoublyLinked->serialize()). (nielsdos)
* Fixed bug [GH-14687](https://github.com/php/php-src/issues/14687) (segfault on SplObjectIterator instance). (David Carlier)
* Fixed bug [GH-16604](https://github.com/php/php-src/issues/16604) (Memory leaks in SPL constructors). (nielsdos)
* Fixed bug [GH-16646](https://github.com/php/php-src/issues/16646) (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()). (ilutov)
* Fixed bug [GH-16646](https://github.com/php/php-src/issues/16646) (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()). (ilutov)

**Standard:**

* Fixed bug [GH-16293](https://github.com/php/php-src/issues/16293) (Failed assertion when throwing in assert() callback with bail enabled). (ilutov)

**Streams:**

* Fixed bug [GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2) (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (**CVE-2024-11234**) (Jakub Zelenka)
* Fixed bug [GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43) (Single byte overread with convert.quoted-printable-decode filter). (**CVE-2024-11233**) (nielsdos)

**SysVMsg:**

* Fixed bug [GH-16592](https://github.com/php/php-src/issues/16592) (msg_send() crashes when a type is not properly serialized). (David Carlier / cmb)

**SysVShm:**

* Fixed bug [GH-16591](https://github.com/php/php-src/issues/16591) (Assertion error in shm_put_var). (nielsdos, cmb)

**XMLReader:**

* Fixed bug [GH-16292](https://github.com/php/php-src/issues/16292) (Segmentation fault in ext/xmlreader/php_xmlreader.c). (nielsdos)

**Zlib:**

* Fixed bug [GH-16326](https://github.com/php/php-src/issues/16326) (Memory management is broken for bad dictionaries.) (cmb)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the version of the installed php package as reported by the host's RPM database (see the Required KB Items below): the plugin reports a finding when that version predates the fixed build, and it does not verify that any of the listed bugs is reachable on the host.

Solution

Update the affected php package to the build shipped in FEDORA-2024-3891a08c9e (PHP 8.3.14). After the package is upgraded, restart services that keep PHP loaded in memory, such as php-fpm or an httpd running the PHP module, because already-running processes continue to execute the old code until they are restarted.
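The check below is an added example, not Tenable's plugin code nor Fedora tooling. It reproduces the plugin's method (the version-only comparison described in the note above) for the fixed upstream release named in this advisory, so an administrator can confirm a finding from the host itself before and after applying the Solution. It compares only the upstream version component of the package; the Fedora release suffix (for example the `-1.fc41` part, which this page does not state) is ignored, and the `8.3.13-1.fc41` fallback value is a constructed sample, not a real host's data.

```shell
#!/bin/sh
# Added example (not Tenable's or Fedora's code): decide whether an installed
# php package is older than the fixed upstream release 8.3.14 named in
# FEDORA-2024-3891a08c9e. Like the plugin, this is a version comparison only:
# it proves nothing about exploitability, just that the package predates the fix.
#
# Assumption: only the upstream version component is compared; the Fedora
# release suffix (e.g. "-1.fc41", not given on this page) is ignored.

FIXED_PHP_VERSION="8.3.14"

# version_lt A B: exit 0 if dotted version A is strictly older than B.
# Components are compared numerically, left to right; a missing component
# counts as 0, so "8.3" < "8.3.14" while "8.3.14" and "8.3.14.0" are equal.
version_lt() {
    a="${1%%[!0-9.]*}"   # drop trailing non-numeric tags such as "RC1"
    b="${2%%[!0-9.]*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# php_needs_update VERSION-RELEASE: exit 0 (and say so) if the package still
# needs this advisory, exit 1 if it is already at or above the fixed version.
php_needs_update() {
    upstream="${1%%-*}"   # "8.3.13-1.fc41" -> "8.3.13"
    if version_lt "$upstream" "$FIXED_PHP_VERSION"; then
        echo "php $1 predates $FIXED_PHP_VERSION: apply FEDORA-2024-3891a08c9e"
        return 0
    fi
    echo "php $1 is at or above $FIXED_PHP_VERSION: this advisory does not apply"
    return 1
}

# On a Fedora host, read the RPM database, the same source the plugin uses
# (Host/RedHat/rpm-list). Elsewhere fall back to a constructed sample value
# so the script still runs offline.
if command -v rpm >/dev/null 2>&1 && rpm -q php >/dev/null 2>&1; then
    installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' php | head -n 1)"
else
    installed="8.3.13-1.fc41"   # constructed sample, not a real host's value
fi
php_needs_update "$installed" || true
```

When the script reports that the package predates the fix, apply the update with `sudo dnf upgrade php` (or the full advisory via Fedora's update tooling), restart php-fpm or httpd as noted above, then re-run the script; it should now report the package at or above 8.3.14. The comparator treats a pre-release tag such as `RC1` as the release it precedes, which is adequate for Fedora stable builds but should not be relied on for upstream release candidates.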

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2024-3891a08c9e

Plugin Details

Severity: Critical

ID: 211742

File Name: fedora_2024-3891a08c9e.nasl

Version: 1.3

Type: local

Agent: unix

Published: 11/23/2024

Updated: 11/27/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-11236

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php, cpe:/o:fedoraproject:fedora:41

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/19/2024

Vulnerability Publication Date: 11/21/2024

Reference Information

CVE: CVE-2024-11233, CVE-2024-11234, CVE-2024-11236, CVE-2024-8929, CVE-2024-8932

FEDORA: 2024-3891a08c9e

IAVA: 2024-A-0763