ELA-849-1 php5 security update

multiple vulnerabilities

2023-05-13
Packagephp5
Version5.6.40+dfsg-0+deb8u17 (jessie)
Related CVEs CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662


Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes.

CVE-2022-31631

Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string.  The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.

CVE-2023-0567

Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid.  (`Password_verify()`
always return `true` with such inputs.)

CVE-2023-0568

1-byte array overrun when appending slash to paths during path
resolution.

CVE-2023-0662

Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU
time and trigger excessive logging.


For Debian 8 jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u17.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.