Incomplete fix for CVE-2022-31625
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php7.2 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Rodrigo Figueiredo Zaiden |
Bug Description
The upstream fix for CVE-2022-31625 is the following patch: https:/
Upstream applied it for php7.4, php8.0 and php8.1, all of which have pretty similar code for 'ext/pgsql/
In php7.2, the code is slightly different and I believe the fix suggested in the patch should be applied in some other methods.
Mainly, the fix is to apply the following where we have calls to safe_emalloc() for params:
- _php_pgsql_
+ _php_pgsql_
and we have this code for the following methods in php7.2:
pg_query_params
pg_execute
pg_send_
pg_send_execute
the version '7.2.24-
as suggested in the upstream bug: https:/
"There are other functions where you use basically the same code (if cannot convert to string,
then free all params) so it might be worth a look."
I think we should be including it in the other methods listed above for php7.2.
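The pattern the report asks to audit, modelled as an added example (not PHP source and not the upstream patch): a params array from an allocator that does not zero memory, filled in a loop, with a cleanup call on the failed-conversion path. `free_params`, `to_string`, `build_params` and the `POISON` marker are hypothetical names; `POISON` stands in for uninitialised memory so the run counts the slots cleanup should never have touched instead of freeing garbage.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the garbage a non-zeroing allocator leaves behind. */
#define POISON ((char *)0x1)
static int poison_hits; /* slots handed to cleanup that were never filled */

/* Hypothetical cleanup helper: releases the first n slots, then the array. */
static void free_params(char **params, int n) {
    for (int i = 0; i < n; i++) {
        if (params[i] == POISON) poison_hits++; /* real code would free() garbage */
        else free(params[i]);
    }
    free(params);
}

/* Hypothetical conversion step: NULL input models "cannot convert to string". */
static char *to_string(const char *in) {
    if (!in) return NULL;
    char *out = malloc(strlen(in) + 1);
    if (out) strcpy(out, in);
    return out;
}

/* Returns how many never-initialised slots the cleanup touched.
 * free_all=1: error path cleans every slot; free_all=0: only slots filled so far. */
int build_params(const char **in, int num_params, int free_all) {
    poison_hits = 0;
    char **params = malloc(sizeof(char *) * (size_t)num_params);
    if (!params) return -1;
    for (int i = 0; i < num_params; i++) params[i] = POISON; /* model: not zeroed */
    for (int i = 0; i < num_params; i++) {
        char *s = to_string(in[i]);
        if (!s) { /* slots i..num_params-1 hold no valid pointer yet */
            free_params(params, free_all ? num_params : i);
            return poison_hits;
        }
        params[i] = s;
    }
    free_params(params, num_params); /* success: every slot is valid */
    return poison_hits;
}

int main(void) {
    const char *in[] = {"1", NULL, "3", "4"}; /* constructed: 2nd value fails */
    printf("free all: %d uninitialised slots touched\n", build_params(in, 4, 1));
    printf("bounded:  %d uninitialised slots touched\n", build_params(in, 4, 0));
    return 0;
}
```

When auditing each function that builds a params array this way, the check is whether the count passed to the cleanup on the error path can exceed the number of slots already assigned.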
CVE References
Changed in php7.2 (Ubuntu):
assignee: nobody → Rodrigo Figueiredo Zaiden (rodrigo-zaiden)
Changed in php7.2 (Ubuntu):
assignee: Rodrigo Figueiredo Zaiden (rodrigo-zaiden) → nobody
Changed in php7.2 (Ubuntu Bionic):
assignee: nobody → Rodrigo Figueiredo Zaiden (rodrigo-zaiden)
Changed in php7.2 (Ubuntu Bionic):
status: New → Confirmed
Changed in php7.2 (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
ACK, we should fix the other instances of this in 7.2 and earlier. Nice catch!