PHP 8.1.11, 8.0.24, and 7.4.32 released with security and bug fixes
PHP versions 8.1.11, 8.0.24, and 7.4.32 are released with several bug fixes and two security fixes.
The updated releases should be available shortly in the software distribution channels of operating systems, and they are already available on the official Docker Hub, as well as windows.php.net for compiled Windows executables.
PHP versions 8.1.11, 8.0.24, and 7.4.32 contain two security fixes, with assigned CVE numbers CVE-2022-31628 and CVE-2022-31629. Additionally, all three versions contain bug fixes in FPM, DOM, GMP, Intl, and a few other extensions as well as PHP core.
Vulnerabilities fixed in 8.1.11, 8.0.24, and 7.4.32
CVE-2022-31628: Phar: DOS when using quine gzip file
The new releases contain a fix for a Denial of Service security vulnerability in PHP's Phar extension when it attempts to decompress Gzip quines.
A "Gzip quine" is a gzip archive that contains itself, and when a program attempts to extract it, it can fall into an infinite recursive loop. Prior to PHP 8.1.11, 8.0.24, and 7.4.32, PHP's Phar wrapper could be tricked into an infinite recursive loop with a Gzip quine, thereby causing a Denial of Service.
The new releases fix this by adding a hard limit of 3 recursions, preventing too deep or infinite recursions.
Attempting to open a Phar archive with such a malicious recursion is now refused, and PHP emits a warning:
Warning: fopen(phar://...): failed to open stream: unable to decompress gzipped phar archive "..." in ... on line ...
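The same guard can be applied in userland code that unwraps nested gzip data. The following is an added example, not code from PHP's Phar extension: `gunzip_bounded()`, `wrap()` and the 1 MiB per-layer size cap are assumptions made for illustration, while the depth limit of 3 mirrors the limit described above.

```php
<?php
declare(strict_types=1);

const MAX_GZIP_DEPTH = 3;          // same hard limit the fixed releases apply to Phar
const MAX_LAYER_BYTES = 1 << 20;   // assumed per-layer output cap (1 MiB), not from the release notes

/**
 * Unwrap nested gzip layers, refusing input that nests deeper than the limit.
 * A quine never stops looking like gzip, so only the depth check ends the loop.
 */
function gunzip_bounded(string $data, int $maxDepth = MAX_GZIP_DEPTH): string
{
    // "\x1f\x8b" is the gzip magic number; keep unwrapping while it is present.
    for ($depth = 0; strncmp($data, "\x1f\x8b", 2) === 0; $depth++) {
        if ($depth >= $maxDepth) {
            throw new RuntimeException("refusing to decompress: more than $maxDepth gzip layers");
        }
        // The second argument caps the decoded size of this layer.
        $decoded = @gzdecode($data, MAX_LAYER_BYTES);
        if ($decoded === false) {
            throw new RuntimeException('corrupt gzip data or layer exceeds the size cap');
        }
        $data = $decoded;
    }
    return $data;
}

// Constructed sample input: a payload wrapped in a chosen number of gzip layers.
function wrap(string $payload, int $layers): string
{
    for ($i = 0; $i < $layers; $i++) {
        $payload = gzencode($payload);
    }
    return $payload;
}

// Three layers are within the limit and unwrap to the original payload.
var_dump(gunzip_bounded(wrap('hello', 3)) === 'hello');

// Four layers exceed the limit and are refused instead of being followed further.
try {
    gunzip_bounded(wrap('hello', 4));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```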
CVE-2022-31629: Cookie integrity vulnerability
When processing super-global variables, PHP automatically transforms space (` `) and dot (`.`) characters in HTTP parameters to underscore (`_`) characters. This has been the behavior since the era of PHP's Register Globals functionality, which automatically converted HTTP parameters to PHP global variables.
For example, the HTTP parameters `full name=PHP&home.address=test` are parsed into the `$_GET` superglobal array as `full_name` and `home_address`, replacing the ` ` and `.` characters with `_`.
Browser cookie names prefixed with `__Secure-` or `__Host-` have special semantic meanings, and additional restrictions such as that they can only be set with a `Secure` flag. PHP versions 8.1.11, 8.0.24, and 7.4.32 fix a vulnerability in PHP that could allow a same-site or network attacker to set cookies that PHP parses with `__Host-` and `__Secure-` prefixes (and applications treating them as real `__Host-`/`__Secure-` prefixes), even when the cookies were set as `..Host` and `..Secure`.
Also see the similar previous vulnerability CVE-2020-7070.
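On installations that cannot be upgraded immediately, the raw `Cookie` header can be checked for names that only acquire a `__Host-` or `__Secure-` prefix through mangling. This is an added example, not code from PHP or from the release notes: `mangled_name()` and `spoofed_prefix_cookies()` are hypothetical helpers, and the mangling model covers only the space and dot replacement described above.

```php
<?php
declare(strict_types=1);

// Simplified model of the mangling described above (space and dot become
// underscore); PHP's own parser handles more cases than this.
function mangled_name(string $rawName): string
{
    return strtr($rawName, [' ' => '_', '.' => '_']);
}

/**
 * Return the raw cookie names that look like __Host-/__Secure- cookies only
 * after mangling, i.e. names the browser never treated as prefixed cookies.
 */
function spoofed_prefix_cookies(string $cookieHeader): array
{
    $hits = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        // Take the name part and drop the space that follows each ';'.
        $raw = ltrim(explode('=', $pair, 2)[0]);
        foreach (['__Host-', '__Secure-'] as $prefix) {
            $len = strlen($prefix);
            $looksPrefixed = strncmp(mangled_name($raw), $prefix, $len) === 0;
            $isPrefixed = strncmp($raw, $prefix, $len) === 0;
            if ($looksPrefixed && !$isPrefixed) {
                $hits[] = $raw;
            }
        }
    }
    return $hits;
}

// Constructed Cookie header for illustration; in a request handler the raw
// value is available as $_SERVER['HTTP_COOKIE'].
$header = '__Host-session=abc; ..Host-session=evil; theme=dark; ..Secure-id=1';

// Lists ..Host-session and ..Secure-id; the genuine __Host-session is not flagged.
print_r(spoofed_prefix_cookies($header));
```

A request with a non-empty result can be rejected or logged before the application reads any prefixed cookie from `$_COOKIE`.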
Full Changelogs
PHP 8.1.11
- Core:
  - Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
  - Fix GH-9323: Crash in `ZEND_RETURN`/`GC`/`zend_call_function`
  - Fix GH-9361: Segmentation fault on script exit
  - Fix GH-9447: Invalid class FQN emitted by AST dump for new and class constants in constant expressions
- Phar:
  - Fix #81726 - CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.
- DOM:
  - Fix #79451: `DOMDocument->replaceChild` on doctype causes double free
- FPM:
- GMP:
  - Fix GH-9308: GMP throws the wrong error when a GMP object is passed to `gmp_init()`
- Intl:
  - Fix GH-9421: Incorrect argument number for `ValueError` in `NumberFormatter`
- PCRE:
  - Fixed `pcre.jit` on Apple Silicon
- PDO_PGSQL:
  - Fix GH-9411: PgSQL large object resource is incorrectly closed
- Reflection:
  - Fix GH-8932: `ReflectionFunction` provides no way to get the called class of a Closure
- Streams:
  - Fix GH-9316: `$http_response_header` is wrong for long status line
PHP 8.0.24
- Core:
  - Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
  - Fix GH-9323: Crash in `ZEND_RETURN`/`GC`/`zend_call_function`
  - Fix GH-9361: Segmentation fault on script exit
  - Fix GH-9407: LSP error in `eval`'d code refers to wrong class for static type
- Phar:
  - Fix #81726 - CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.
- DOM:
  - Fix #79451: `DOMDocument->replaceChild` on doctype causes double free
- FPM:
- GMP:
  - Fix GH-9308: GMP throws the wrong error when a GMP object is passed to `gmp_init()`
- Intl:
  - Fix GH-9421: Incorrect argument number for `ValueError` in `NumberFormatter`
- PDO_PGSQL:
  - Fix GH-9411: PgSQL large object resource is incorrectly closed
- Reflection:
- Streams:
  - Fix GH-9316: `$http_response_header` is wrong for long status line
PHP 7.4.32
PHP 7.4 no longer receives active bug fixes. PHP 7.4 is currently only receiving security updates. PHP 7.4 is scheduled to reach its End-of-Life on 28 Nov 2022.
- Core:
  - Fix #81727 - CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
- Phar:
  - Fix #81726 - CVE-2022-31628: Phar wrapper: DOS when using quine gzip file.