Bug 2098521 (CVE-2022-31625)

Summary: CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, hhorak, jorton, kyoshida, rcollet, saroy
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: php 7.4.30, php 8.0.20, php 8.1.7
Doc Text:
A vulnerability was found in PHP due to an uninitialized array in the pg_query_params() function. When using the Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This flaw allows a remote attacker with the ability to control query parameters to execute arbitrary code on the system or may cause a denial of service.
Last Closed: 2022-07-04 15:42:41 UTC
Bug Depends On: 2098529, 2098531, 2098532, 2098533, 2098534, 2100755, 2117141    
Bug Blocks: 2097923    

Description TEJ RATHI 2022-06-20 04:41:10 UTC
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service.

References:
https://bugs.php.net/bug.php?id=81720
https://github.com/php/php-src/commit/55f6895f4b4c677272fd4ee1113acdbd99c4b5ab
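
The bug class described above (cleanup code that frees array slots which were never initialized), as an added illustration in C. It is not code from php-src or from this report; `build_params`, `free_params` and the convention that a NULL input means an invalid parameter are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Release the first `filled` slots, then the array itself. */
static void free_params(char **params, size_t filled)
{
    for (size_t i = 0; i < filled; i++)
        free(params[i]);
    free(params);
}

/*
 * Hypothetical helper (not PHP source): copy n values into a new array.
 * A NULL input stands in for a parameter that cannot be converted.
 * Returns NULL on failure and stores the number of slots released
 * in *released.
 */
char **build_params(const char *const *in, size_t n, size_t *released)
{
    *released = 0;
    /* malloc() does not zero memory: each slot starts as leftover heap bytes. */
    char **params = malloc((n ? n : 1) * sizeof *params);
    if (params == NULL)
        return NULL;

    for (size_t i = 0; i < n; i++) {
        size_t len = in[i] ? strlen(in[i]) + 1 : 0;
        char *copy = len ? malloc(len) : NULL;
        if (copy == NULL) {
            /*
             * Flawed cleanup would be free_params(params, n): slots i..n-1
             * were never written, so free() would receive garbage pointers.
             * Hardened cleanup releases only the i slots filled so far.
             */
            free_params(params, i);
            *released = i;
            return NULL;
        }
        memcpy(copy, in[i], len);
        params[i] = copy;
    }
    return params;
}
```

Allocating the array with `calloc()` is a second layer of defence on mainstream platforms: unwritten slots are then NULL, which `free()` ignores.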

Comment 1 Sandipan Roy 2022-06-20 05:02:41 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2098529]

Comment 4 errata-xmlrpc 2022-07-04 07:43:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:5491 https://access.redhat.com/errata/RHSA-2022:5491

Comment 5 Product Security DevOps Team 2022-07-04 15:42:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31625

Comment 8 errata-xmlrpc 2022-08-24 17:16:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6158 https://access.redhat.com/errata/RHSA-2022:6158

Comment 9 errata-xmlrpc 2022-11-08 09:51:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7624 https://access.redhat.com/errata/RHSA-2022:7624

Comment 10 errata-xmlrpc 2022-11-15 10:35:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8197 https://access.redhat.com/errata/RHSA-2022:8197