Bug 2098523 (CVE-2022-31626) - CVE-2022-31626 php: password of excessive length triggers buffer overflow leading to RCE
Status: CLOSED ERRATA
Alias: CVE-2022-31626
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2098528 2098538 2098539 2098540 2098541 2098542 2098543 2098544 2098545 2098546 2098547 2098548 2098549 2098550 2098551
Blocks: 2097923
Reported: 2022-06-20 04:50 UTC by TEJ RATHI
Modified: 2022-10-20 09:40 UTC

Fixed In Version: php-7.4.30, php-8.0.20, php-8.1.7
Doc Text:
A buffer overflow vulnerability was found in PHP when processing passwords in mysqlnd/pdo, in mysqlnd_wireprotocol.c. When the pdo_mysql extension is used with the mysqlnd driver and a third party is allowed to supply the MySQL database server password that the mysqlnd driver uses for the connection to the host, a password of excessive length can trigger a buffer overflow in PHP. This flaw allows a remote attacker to pass a password of excessive length via PDO to the MySQL server, triggering arbitrary code execution on the target system.
Last Closed: 2022-07-04 16:12:39 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2022:5488 | 0 | None | None | None | 2022-07-04 01:07:25 UTC
Red Hat Product Errata | RHBA-2022:5493 | 0 | None | None | None | 2022-07-04 11:38:23 UTC
Red Hat Product Errata | RHBA-2022:5494 | 0 | None | None | None | 2022-07-04 13:08:20 UTC
Red Hat Product Errata | RHBA-2022:5539 | 0 | None | None | None | 2022-07-11 01:20:38 UTC
Red Hat Product Errata | RHBA-2022:5547 | 0 | None | None | None | 2022-07-11 18:41:03 UTC
Red Hat Product Errata | RHBA-2022:6056 | 0 | None | None | None | 2022-08-15 01:26:28 UTC
Red Hat Product Errata | RHSA-2022:5467 | 0 | None | None | None | 2022-06-30 23:21:25 UTC
Red Hat Product Errata | RHSA-2022:5468 | 0 | None | None | None | 2022-06-30 23:21:33 UTC
Red Hat Product Errata | RHSA-2022:5471 | 0 | None | None | None | 2022-06-30 23:17:37 UTC
Red Hat Product Errata | RHSA-2022:5491 | 0 | None | None | None | 2022-07-04 07:43:26 UTC
Red Hat Product Errata | RHSA-2022:5904 | 0 | None | None | None | 2022-08-04 10:33:31 UTC

Description TEJ RATHI 2022-06-20 04:50:46 UTC
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the pdo_mysql extension with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

References:
https://bugs.php.net/bug.php?id=81719
https://github.com/php/php-src/commit/58006537fc5f133ae8549efe5118cde418b3ace9

Comment 1 Sandipan Roy 2022-06-20 05:02:17 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2098528]

Comment 4 errata-xmlrpc 2022-06-30 23:17:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5471 https://access.redhat.com/errata/RHSA-2022:5471

Comment 5 errata-xmlrpc 2022-06-30 23:21:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5467 https://access.redhat.com/errata/RHSA-2022:5467

Comment 6 errata-xmlrpc 2022-06-30 23:21:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5468 https://access.redhat.com/errata/RHSA-2022:5468

Comment 7 errata-xmlrpc 2022-07-04 07:43:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:5491 https://access.redhat.com/errata/RHSA-2022:5491

Comment 8 Product Security DevOps Team 2022-07-04 16:12:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31626

Comment 9 errata-xmlrpc 2022-08-04 10:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5904 https://access.redhat.com/errata/RHSA-2022:5904

