Package: php7.4
Version: 7.4.21-1+deb11u1
Severity: important

Hello,

recently a PoC for https://bugs.php.net/bug.php?id=54350 has been made public:
https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php

The current package is vulnerable, and the exploit seems to be very stable in the lab and also in the wild.

```
root@phpbypass:~/exploits/php-filter-bypass# php -d disable_functions=system test.php
PHP Warning: system() has been disabled for security reasons in /root/exploits/php-filter-bypass/test.php on line 3
root@phpbypass:~/exploits/php-filter-bypass# php -d disable_functions=system exploit.php
Linux phpbypass 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64 GNU/Linux
```

Most likely the fix (compiled from current github master head) is not solving the issue entirely, but at least it resolves the currently available attack code path.

```
root@phpbypass:~/exploits/php-filter-bypass# /root/php-src/sapi/cli/php -d disable_functions=system test.php
Fatal error: Uncaught Error: Call to undefined function system() in /root/exploits/php-filter-bypass/test.php:3
Stack trace:
#0 {main}
  thrown in /root/exploits/php-filter-bypass/test.php on line 3
root@phpbypass:~/exploits/php-filter-bypass# /root/php-src/sapi/cli/php -d disable_functions=system exploit.php | head -n20
Deprecated: Return type of Pwn::filter($in, $out, &$consumed, $closing) should either be compatible with php_user_filter::filter($in, $out, &$consumed, bool $closing): int, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /root/exploits/php-filter-bypass/exploit.php on line 35
Warning: fclose(): 5 is not a valid stream resource in /root/exploits/php-filter-bypass/exploit.php on line 39
```

Please consider picking up the security fix asap.

Best regards
bodik