PHP 8.1.11, 8.0.24, and 7.4.32 released with security and bug fixes

PHP versions 8.1.11, 8.0.24, and 7.4.32 have been released with several bug fixes and two security fixes.

The updated releases should be available shortly in the software distribution channels of operating systems. They are already available on the official Docker Hub, as well as on windows.php.net for compiled Windows executables.

PHP versions 8.1.11, 8.0.24, and 7.4.32 contain two security fixes, with assigned CVE numbers CVE-2022-31628 and CVE-2022-31629. Additionally, all three versions contain bug fixes in FPM, DOM, GMP, Intl, and a few other extensions as well as PHP core.

Vulnerabilities fixed in 8.1.11, 8.0.24, and 7.4.32

CVE-2022-31628: Phar: DOS when using quine gzip file

The new releases contain a fix for a Denial of Service security vulnerability in PHP’s Phar extension when it attempts to decompress Gzip quines.

A “Gzip quine” is a gzip archive that contains itself, and when a program attempts to extract it, it can fall into an infinite recursive loop. Prior to PHP 8.1.11, 8.0.24, and 7.4.32, PHP’s Phar wrapper could be tricked into an infinite recursive loop with a Gzip quine, thereby causing a Denial of Service.

The new releases fix this by adding a hard limit of 3 recursions, preventing too deep or infinite recursions.

Attempting to open a Phar archive with such a malicious recursion is now refused, and PHP emits a warning:

Warning: fopen(phar://...): failed to open stream: unable to decompress gzipped phar archive "..." in ... on line ...
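The same bounded-unwrapping idea can be applied in application code that handles untrusted gzip data. The following is an added example, not code from PHP's Phar extension: the function names and the per-layer size cap are assumptions, and the nested sample input is constructed with gzencode() rather than being a real quine.

```php
<?php
declare(strict_types=1);

// Requires the zlib extension (gzdecode/gzencode).
const MAX_GZIP_DEPTH  = 3;        // same figure as the limit described above
const MAX_LAYER_BYTES = 1048576;  // assumed cap on each decompressed layer

/**
 * Unwrap nested gzip layers, decompressing at most MAX_GZIP_DEPTH times.
 * A quine never stops looking like gzip, so it always hits the limit.
 */
function unwrap_gzip(string $data): string
{
    $depth = 0;
    // 0x1f 0x8b is the gzip magic number at the start of every gzip member.
    while (strncmp($data, "\x1f\x8b", 2) === 0) {
        if ($depth >= MAX_GZIP_DEPTH) {
            throw new RuntimeException(
                'refusing input: more than ' . MAX_GZIP_DEPTH . ' nested gzip layers'
            );
        }
        // The second argument bounds the output size of this layer.
        $layer = @gzdecode($data, MAX_LAYER_BYTES);
        if ($layer === false) {
            throw new RuntimeException('corrupt or oversized gzip layer');
        }
        $data = $layer;
        $depth++;
    }
    return $data; // no gzip magic left: innermost payload reached
}

/** Build constructed test input: $payload wrapped in $layers gzip layers. */
function nest_gzip(string $payload, int $layers): string
{
    for ($i = 0; $i < $layers; $i++) {
        $payload = gzencode($payload);
    }
    return $payload;
}

// Three layers are unwrapped; ten layers are refused with an exception.
var_dump(unwrap_gzip(nest_gzip('manifest', 3)) === 'manifest');
try {
    unwrap_gzip(nest_gzip('manifest', 10));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```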

CVE-2022-31629: Cookie integrity vulnerability

When processing super-global variables, PHP automatically transforms space (` `) and dot (`.`) characters in HTTP parameters to underscore (`_`) characters. This has been the behavior since the era of PHP’s Register Globals functionality, which automatically converted HTTP parameters to PHP global variables.

For example, the HTTP parameters `full name=PHP&home.address=test` are parsed into the `$_GET` superglobal array as `full_name` and `home_address`, replacing the ` ` and `.` characters with `_`.

Browser cookie names prefixed with __Secure- or __Host- have special semantic meanings and carry additional restrictions, such as that they can only be set with a Secure flag. PHP versions 8.1.11, 8.0.24, and 7.4.32 fix a vulnerability in PHP that could allow a same-site or network attacker to set cookies that PHP parses with __Host- and __Secure- prefixes (and that applications then treat as real __Host-/__Secure- prefixes), even when the cookies were set as ..Host and ..Secure.

Also see the similar previous vulnerability CVE-2020-7070.
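On installations that cannot be upgraded immediately, an application can compare the raw Cookie header against the mangled names to spot cookies that only gain a guarded prefix through mangling. The following is an added example, not code from PHP or from this release: the function names are hypothetical, the sample header is constructed, and the model covers only the space and dot replacement described above.

```php
<?php
declare(strict_types=1);

const GUARDED_PREFIXES = ['__Host-', '__Secure-'];

/** Simplified model of the mangling described above: space and dot become "_". */
function mangle_name(string $rawName): string
{
    return strtr($rawName, ' .', '__');
}

/**
 * Return the raw cookie names that start with a guarded prefix only after
 * mangling. $cookieHeader is the value of the request's Cookie header.
 */
function find_spoofed_prefix_cookies(string $cookieHeader): array
{
    $spoofed = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        // Keep the name exactly as sent, minus the separator whitespace.
        $rawName = ltrim(explode('=', $pair, 2)[0]);
        if ($rawName === '') {
            continue;
        }
        $mangled = mangle_name($rawName);
        foreach (GUARDED_PREFIXES as $prefix) {
            $len          = strlen($prefix);
            $looksGuarded = strncmp($mangled, $prefix, $len) === 0;
            $isGuarded    = strncmp($rawName, $prefix, $len) === 0;
            if ($looksGuarded && !$isGuarded) {
                $spoofed[] = $rawName;
            }
        }
    }
    return $spoofed;
}

// Constructed sample: one genuine __Host- cookie, two names that only
// match a guarded prefix after mangling, and one unrelated cookie.
$header = '__Host-session=abc; ..Host-session=forged; theme=dark; ..Secure-token=x';
var_dump(find_spoofed_prefix_cookies($header));
```

In a web request the header value is available as `$_SERVER['HTTP_COOKIE']`; a non-empty result is a reason to reject the request or ignore the affected cookies.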


Full Changelogs

PHP 8.1.11

  • Core:
    • Fix #81727 – CVE-2022-31629: Don’t mangle HTTP variable names that clash with ones that have a specific semantic meaning.
    • Fix GH-9323: Crash in ZEND_RETURN/GC/zend_call_function
    • Fix GH-9361: Segmentation fault on script exit
    • Fix GH-9447: Invalid class FQN emitted by AST dump for new and class constants in constant expressions
  • Phar:
    • Fix #81726 – CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.
  • DOM:
    • Fix #79451: DOMDocument->replaceChild on doctype causes double free
  • FPM:
    • Fix GH-8885: FPM access.log with stderr begins to write logs to error_log after daemon reload
    • Fix #77780: Headers already sent... when previous connection was aborted
  • GMP:
    • Fix GH-9308: GMP throws the wrong error when a GMP object is passed to gmp_init()
  • Intl:
    • Fix GH-9421: Incorrect argument number for ValueError in NumberFormatter
  • PCRE:
    • Fixed pcre.jit on Apple Silicon
  • PDO_PGSQL:
    • Fix GH-9411: PgSQL large object resource is incorrectly closed
  • Reflection:
    • Fix GH-8932: ReflectionFunction provides no way to get the called class of a Closure
  • Streams:
    • Fix GH-9316: $http_response_header is wrong for long status line

PHP 8.0.24

  • Core:
    • Fix #81727 – CVE-2022-31629: Don’t mangle HTTP variable names that clash with ones that have a specific semantic meaning.
    • Fix GH-9323: Crash in ZEND_RETURN/GC/zend_call_function
    • Fix GH-9361: Segmentation fault on script exit
    • Fix GH-9407: LSP error in eval'd code refers to wrong class for static type
  • Phar:
    • Fix #81726 – CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.
  • DOM:
    • Fix #79451: DOMDocument->replaceChild on doctype causes double free
  • FPM:
    • Fix GH-8885: FPM access.log with stderr begins to write logs to error_log after daemon reload
    • Fix #77780: Headers already sent... when previous connection was aborted
  • GMP:
    • Fix GH-9308: GMP throws the wrong error when a GMP object is passed to gmp_init()
  • Intl:
    • Fix GH-9421: Incorrect argument number for ValueError in NumberFormatter
  • PDO_PGSQL:
    • Fix GH-9411: PgSQL large object resource is incorrectly closed
  • Reflection:
    • Fix GH-8932: ReflectionFunction provides no way to get the called class of a Closure
    • Fix GH-9409: Private method is incorrectly dumped as “overwrites”
  • Streams:
    • Fix GH-9316: $http_response_header is wrong for long status line

PHP 7.4.32

PHP 7.4 no longer receives active bug fixes
PHP 7.4 is currently only receiving security updates. PHP 7.4 is scheduled to reach its End-of-Life on 28 Nov 2022.

  • Core:
    • Fix #81727 – CVE-2022-31629: Don’t mangle HTTP variable names that clash with ones that have a specific semantic meaning.
  • Phar:
    • Fix #81726 – CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.

Shakeel Shahid