CVE-2022-31628 PHP versions before 7.4.31, 8.0.24 and 8.1.11 had a bug in the gzip uncompressor that could cause an infinite loop.
This has been fixed in version 7.4.31 and later. For more information, visit the phar uncompressor GitHub page.
XSS in unpacked phar files
Unpacking a phar file in PHP versions before 7.4.31 would result in a memory leak. This has been fixed in version 7.4.31 and later. For more information, visit the unpacked phar GitHub page.
Password protected archives
In PHP versions before 7.3.11 and 7.1.17, archives with password protection would fail if the password was changed during unpacking. This has been fixed in version 7.3.11 and later. For more information, visit the password protected archives GitHub page.
Unhandled exception in unpacked phar
In PHP versions before 7.4.31, unpacked phar archives would result in an unhandled exception. This has been fixed in version 7.4.31 and later. For more information, visit the unhandled exception in unpacked phar GitHub page.
XSS in unpacked phar archives
Unpacked phar archives in PHP versions before 7.4.31 would result in an XSS vulnerability if the unpacked archive included user-controllable data. This has been fixed in version 7.4.31 and later. For more information, visit the unpacked phar archives XSS GitHub page.
Phar version detection
PHP version 3.6.7 :
Phar::isCompressed() was not given explicit documentation, and so did not provide a specific error message. This has been fixed in PHP 7.4. For more information, visit the Phar version detection GitHub page.
Phar::isCompressed()
In PHP versions before 7.4, Phar::isCompressed() would return TRUE if the phar file was compressed, even if the file wasn't actually compressed (it had no data). This has been fixed in PHP 7.4. For more information, visit the Phar isCompressed GitHub page.
Upcoming major version changes
PHP versions 5.4 and later will detect the version of phar files that has been unpacked and take appropriate action. For more information, visit the phar versions GitHub page.
PHP versions prior to 7.3.10
PHP versions prior to 7.3.10 are affected by a bug that would result in an XSS vulnerability when unpacked PHAR archives include user-controllable data. This has been fixed in version 7.4.31 and later. For more information, visit the phar version detection GitHub page.
Timeline
Published on: 09/28/2022 23:15:00 UTC
Last modified on: 11/22/2022 06:15:00 UTC
References
- https://bugs.php.net/bug.php?id=81726
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
- https://www.debian.org/security/2022/dsa-5277
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
- https://security.gentoo.org/glsa/202211-03
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31628