PHP 8.1.11, 8.0.24, and 7.4.32 released with security and bug fixes

Published On2022-09-29

PHP versions 8.1.11, 8.0.24, and 7.4.32 released

PHP versions 8.1.11, 8.0.24, and 7.4.32 are released with several bug fixes and two security fixes.

The updated releases should be available shortly in software distributions channels of operating systems, and they are already available on official Docker Hub, as well as windows.php.net for compiled Windows executables.

PHP versions 8.1.11, 8.0.24, and 7.4.32 contain two security fixes, with assigned CVE numbers CVE-2022-31628 and CVE-2022-31629. Additionally, all three versions contain bug fixes in FPM, DOM, GMP, Intl, and a few other extensions as well as PHP core.

Vulnerabilities fixed in 8.1.11, 8.0.24, and 7.4.32

CVE-2022-31628: Phar: DOS when using quine gzip file

The new releases contain a fix for a Denial of Service security vulnerability in PHP's Phar extension when it attempts to decompress Gzip quines.

A "Gzip quine" is a gzip archive that contains itself, and when a program attempts to extract it, it can fall into an infinite recursive loop. Prior to PHP 8.1.11, 8.0.24, and 7.4.32, PHP's Phar wrapper could be tricked into an infinite recursive loop with a Gzip quine, thereby causing a Denial of Service.

The new releases fix this by adding a hard limit of 3 recursions, preventing too deep or infinite recursions.

Attempting to open a Phar archive with such a malicious recursion is now refused, and PHP emits warning:

Warning: fopen(phar://...): failed to open stream: unable to decompress gzipped phar archive "..." in ... on line ...

CVE-2022-31629: Cookie integrity vulnerability

When processing super-global variables, PHP automatically transforms space (`) and dot (.) characters in HTTP parameters to underscore (_`) characters. This has been the behavior since the era of PHP's Register Globals functionality, which automatically converted HTTP parameters to PHP global variables.

For example, sending HTTP parameters full name=PHP&home.address=test are parsed to the $_GET superglobal array as full_name and home_address, replacing the ` and.characters with_`.

Browser cookie names prefixed with __Secure- or __Host- have special semantic meanings, and additional restrictions such as that they can only be set with a Secure flag. PHP versions 8.1.11, 8.0.24, and 7.4.32 fix a vulnerability in PHP that could allow a same-site or network attacker to set cookies that PHP parses with __Host- and __Secure- prefixes (and applications treating them as real __Host-/__Secure- prefixes), even when the cookies were set as ..Host and ..Secure.

Also see the similar previous vulnerability CVE-2020-7070.


Full Changelogs

PHP 8.1.11

  • Core:
    • Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
    • Fix GH-9323: Crash in ZEND_RETURN/GC/zend_call_function
    • Fix GH-9361: Segmentation fault on script exit
    • Fix GH-9447: Invalid class FQN emitted by AST dump for new and class constants in constant expressions
  • Phar:
  • DOM:
    • Fix #79451: DOMDocument->replaceChild on doctype causes double free
  • FPM:
    • Fix GH-8885: FPM access.log with stderr begins to write logs to error_log after daemon reload
    • Fix #77780: Headers already sent... when previous connection was aborted
  • GMP:
    • Fix GH-9308: GMP throws the wrong error when a GMP object is passed to gmp_init()
  • Intl:
    • Fix GH-9421: Incorrect argument number for ValueError in NumberFormatter
  • PCRE:
    • Fixed pcre.jit on Apple Silicon
  • PDO_PGSQL:
    • Fix GH-9411: PgSQL large object resource is incorrectly closed
  • Reflection:
    • Fix GH-8932: ReflectionFunction provides no way to get the called class of a Closure
  • Streams:
    • Fix GH-9316: $http_response_header is wrong for long status line

PHP 8.0.24

  • Core:
    • Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
    • Fix GH-9323: Crash in ZEND_RETURN/GC/zend_call_function
    • Fix GH-9361: Segmentation fault on script exit
    • Fix GH-9407: LSP error in eval'd code refers to wrong class for static type
  • Phar:
  • DOM:
    • Fix #79451: DOMDocument->replaceChild on doctype causes double free
  • FPM:
    • Fix GH-8885: FPM access.log with stderr begins to write logs to error_log after daemon reload
    • Fix #77780: Headers already sent... when previous connection was aborted
  • GMP:
    • Fix GH-9308: GMP throws the wrong error when a GMP object is passed to gmp_init()
  • Intl:
    • Fix GH-9421: Incorrect argument number for ValueError in NumberFormatter
  • PDO_PGSQL:
    • Fix GH-9411: PgSQL large object resource is incorrectly closed
  • Reflection:
    • Fix GH-8932: ReflectionFunction provides no way to get the called class of a Closure
    • Fix GH-9409: Private method is incorrectly dumped as "overwrites"
  • Streams:
    • Fix GH-9316: $http_response_header is wrong for long status line

7.4.11

PHP 7.4 no longer receives active bug fixes
PHP 7.4 is currently only receiving security updates. PHP 7.4 is scheduled to reach its End-of-Life on 28 Nov 2022.

  • Core:
    • Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
  • Phar:

In other news on PHP.Watch

All NewsFeed
PHP 8.2.0 Release Rescheduled to December 8

PHP 8.2.0 Release Rescheduled to December 8

PHP 8.2 Release managers announced today that due to a newly found bug in PHP's Opcache, PHP 8.2.0 release will be rescheduled to December 8th.
Longhorn PHP 2022 CFP Open

Longhorn PHP 2022 CFP Open

Longhorn PHP, one of the biggest PHP conferences in Texas, is now accepting talks for Longhorn PHP 2022, scheduled for November 3-5 in Austin, Texas.
Drupal 7.91, 9.3.19, and 9.4.3 released with several critical security fixes

Drupal 7.91, 9.3.19, and 9.4.3 released with several critical security fixes

Drupal 7.91, 9.3.19, and 9.4.3 versions are released with security fixes for information disclosure, code execution, cross-site scripting, and access bypass vulnerabilities.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.