Bug 2133688 (CVE-2022-31628)

Summary: CVE-2022-31628 php: phar: infinite loop when decompressing quine gzip file
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, hhorak, jorton, mhoward, rcollet
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in PHP due to an infinite loop within the phar uncompressor code when processing "quines" gzip files. This vulnerability allows a remote attacker to pass a specially crafted archive to the application, and consume all available system resources, causing a denial of service condition.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 01:44:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2133690, 2135291, 2135293, 2135294, 2135295, 2135296, 2161666, 2161667    
Bug Blocks: 2130767    

Description TEJ RATHI 2022-10-11 07:52:07 UTC 
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

https://bugs.php.net/bug.php?id=81726
Comment 1 TEJ RATHI 2022-10-11 07:54:43 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2133690]
Comment 3 TEJ RATHI 2022-10-17 08:57:11 UTC 
Upstream Commits:
https://github.com/php/php-src/commit/404e8bdb68350931176a5bdc86fc417b34fb583d
https://github.com/php/php-src/commit/432bf196d59bcb661fcf9cb7029cea9b43f490af
Comment 4 errata-xmlrpc 2023-02-21 09:31:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0848 https://access.redhat.com/errata/RHSA-2023:0848
Comment 5 errata-xmlrpc 2023-02-28 08:20:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0965 https://access.redhat.com/errata/RHSA-2023:0965
Comment 6 mhoward 2023-04-29 02:40:59 UTC 
Will this be fixed in the PHP 7.4 Full Life Application Stream for RHEL8?
Comment 7 errata-xmlrpc 2023-05-09 07:45:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2417 https://access.redhat.com/errata/RHSA-2023:2417
Comment 8 errata-xmlrpc 2023-05-16 08:26:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2903 https://access.redhat.com/errata/RHSA-2023:2903
Comment 9 Product Security DevOps Team 2023-05-17 01:44:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31628