PHP 8.1.11, 8.0.24, and 7.4.32 released with security and bug fixes

PHP versions 8.1.11, 8.0.24, and 7.4.32 are released with several bug fixes and two security fixes.

The updated releases should be available shortly in software distributions channels of operating systems, and they are already available on official Docker Hub, as well as windows.php.net for compiled Windows executables.

PHP versions 8.1.11, 8.0.24, and 7.4.32 contain two security fixes, with assigned CVE numbers CVE-2022-31628 and CVE-2022-31629. Additionally, all three versions contain bug fixes in FPM, DOM, GMP, Intl, and a few other extensions as well as PHP core.

Vulnerabilities fixed in 8.1.11, 8.0.24, and 7.4.32

CVE-2022-31628: Phar: DOS when using quine gzip file

The new releases contain a fix for a Denial of Service security vulnerability in PHP's Phar extension when it attempts to decompress Gzip quines.

A "Gzip quine" is a gzip archive that contains itself, and when a program attempts to extract it, it can fall into an infinite recursive loop. Prior to PHP 8.1.11, 8.0.24, and 7.4.32, PHP's Phar wrapper could be tricked into an infinite recursive loop with a Gzip quine, thereby causing a Denial of Service.

The new releases fix this by adding a hard limit of 3 recursions, preventing too deep or infinite recursions.

Attempting to open a Phar archive with such a malicious recursion is now refused, and PHP emits warning:

Warning: fopen(phar://...): failed to open stream: unable to decompress gzipped phar archive "..." in ... on line ...

CVE-2022-31629: Cookie integrity vulnerability

When processing super-global variables, PHP automatically transforms space (`) and dot (.) characters in HTTP parameters to underscore (_`) characters. This has been the behavior since the era of PHP's Register Globals functionality, which automatically converted HTTP parameters to PHP global variables.

For example, sending HTTP parameters full name=PHP&home.address=test are parsed to the $_GET superglobal array as full_name and home_address, replacing the ` and.characters with_`.

Browser cookie names prefixed with __Secure- or __Host- have special semantic meanings, and additional restrictions such as that they can only be set with a Secure flag. PHP versions 8.1.11, 8.0.24, and 7.4.32 fix a vulnerability in PHP that could allow a same-site or network attacker to set cookies that PHP parses with __Host- and __Secure- prefixes (and applications treating them as real __Host-/__Secure- prefixes), even when the cookies were set as ..Host and ..Secure.

Also see the similar previous vulnerability CVE-2020-7070.

---

Full Changelogs

PHP 8.1.11

• Core:
  • Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
  • Fix GH-9323: Crash in ZEND_RETURN/GC/zend_call_function
  • Fix GH-9361: Segmentation fault on script exit
  • Fix GH-9447: Invalid class FQN emitted by AST dump for new and class constants in constant expressions
• Phar:
  • Fix #81726 - CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.
• DOM:
  • Fix #79451: DOMDocument->replaceChild on doctype causes double free
• FPM:
  • Fix GH-8885: FPM access.log with stderr begins to write logs to error_log after daemon reload
  • Fix #77780: Headers already sent... when previous connection was aborted
• GMP:
  • Fix GH-9308: GMP throws the wrong error when a GMP object is passed to gmp_init()
• Intl:
  • Fix GH-9421: Incorrect argument number for ValueError in NumberFormatter
• PCRE:
  • Fixed pcre.jit on Apple Silicon
• PDO_PGSQL:
  • Fix GH-9411: PgSQL large object resource is incorrectly closed
• Reflection:
  • Fix GH-8932: ReflectionFunction provides no way to get the called class of a Closure
• Streams:
  • Fix GH-9316: $http_response_header is wrong for long status line

PHP 8.0.24

• Core:
  • Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
  • Fix GH-9323: Crash in ZEND_RETURN/GC/zend_call_function
  • Fix GH-9361: Segmentation fault on script exit
  • Fix GH-9407: LSP error in eval'd code refers to wrong class for static type
• Phar:
  • Fix #81726 - CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.
• DOM:
  • Fix #79451: DOMDocument->replaceChild on doctype causes double free
• FPM:
  • Fix GH-8885: FPM access.log with stderr begins to write logs to error_log after daemon reload
  • Fix #77780: Headers already sent... when previous connection was aborted
• GMP:
  • Fix GH-9308: GMP throws the wrong error when a GMP object is passed to gmp_init()
• Intl:
  • Fix GH-9421: Incorrect argument number for ValueError in NumberFormatter
• PDO_PGSQL:
  • Fix GH-9411: PgSQL large object resource is incorrectly closed
• Reflection:
  • Fix GH-8932: ReflectionFunction provides no way to get the called class of a Closure
  • Fix GH-9409: Private method is incorrectly dumped as "overwrites"
• Streams:
  • Fix GH-9316: $http_response_header is wrong for long status line

7.4.11

PHP 7.4 no longer receives active bug fixes
PHP 7.4 is currently only receiving security updates. PHP 7.4 is scheduled to reach its End-of-Life on 28 Nov 2022.

• Core:
  • Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
• Phar:
  • Fix #81726 - CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.