ALASPHP8.2-2025-006

Amazon Linux 2 Security Advisory: ALASPHP8.2-2025-006
Advisory Release Date: 2025-02-12 23:07 Pacific
Advisory Updated Date: 2025-02-25 09:10 Pacific
Severity: Medium
Issue Overview:

The upstream advisory describes this issue as follows:

A memory-related vulnerability in PHP's filter handling system, particularly when processing input with convert.quoted-printable-decode filters, leads to a segmentation fault. This vulnerability is triggered through specific sequences of input data, causing PHP to crash. When exploited, it allows an attacker to extract a single byte of data from the heap or cause a DoS. (CVE-2024-11233)

The upstream advisory describes this issue as follows:

Configuring a proxy in a stream context might allow for CRLF injection in URIs, resulting in HTTP request smuggling attacks. (CVE-2024-11234)

Erroneous parsing of multipart form data

NOTE: Fixed in 8.3.12, 8.2.24
NOTE: https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32
NOTE: https://github.com/php/php-src/commit/19b49258d0c5a61398d395d8afde1123e8d161e0 (PHP-8.2.24) (CVE-2024-8925)

cgi.force_redirect configuration is byppassible due to the environment variable collision

NOTE: Fixed in 8.3.12, 8.2.24
NOTE: https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp
NOTE: https://github.com/php/php-src/commit/48808d98f4fc2a05193cdcc1aedd6c66816450f1 (PHP-8.2.24) (CVE-2024-8927)

The upstream advisory describes this issue as follows:

By connecting to a fake MySQL server or tampering with network packets and initiating a SQL Query, it is possible to abuse the function static enum_func_status php_mysqlnd_rset_field_read when parsing MySQL fields packets in order to include the rest of the heap content starting from the address of the cursor of the currently read buffer.

Using PHP-FPM which stays alive between request, and between two different SQL query requests, as the previous buffer used to store received data from MySQL is not emptied and malloc allocates a memory region which is very near the previous one, one is able to extract the response content of the previous MySQL request from the PHP-FPM worker. (CVE-2024-8929)

The upstream advisory describes this issue as follows:

Uncontrolled long string inputs to ldap_escape on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. (CVE-2024-8932)

Logs from childrens may be altered

NOTE: Fixed in 8.3.12, 8.2.24
NOTE: https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5
NOTE: https://github.com/php/php-src/commit/1f8e16172c7961045c2b0f34ba7613e3f21cdee8 (PHP-8.2.24) (CVE-2024-9026)


Affected Packages:

php


Note:

This advisory is applicable to Amazon Linux 2 - Php8.2 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update php to update your system.

New Packages:
aarch64:
    php-8.2.27-1.amzn2.0.5.aarch64
    php-cli-8.2.27-1.amzn2.0.5.aarch64
    php-dbg-8.2.27-1.amzn2.0.5.aarch64
    php-fpm-8.2.27-1.amzn2.0.5.aarch64
    php-common-8.2.27-1.amzn2.0.5.aarch64
    php-devel-8.2.27-1.amzn2.0.5.aarch64
    php-opcache-8.2.27-1.amzn2.0.5.aarch64
    php-ldap-8.2.27-1.amzn2.0.5.aarch64
    php-pdo-8.2.27-1.amzn2.0.5.aarch64
    php-mysqlnd-8.2.27-1.amzn2.0.5.aarch64
    php-pgsql-8.2.27-1.amzn2.0.5.aarch64
    php-process-8.2.27-1.amzn2.0.5.aarch64
    php-odbc-8.2.27-1.amzn2.0.5.aarch64
    php-soap-8.2.27-1.amzn2.0.5.aarch64
    php-snmp-8.2.27-1.amzn2.0.5.aarch64
    php-xml-8.2.27-1.amzn2.0.5.aarch64
    php-mbstring-8.2.27-1.amzn2.0.5.aarch64
    php-gd-8.2.27-1.amzn2.0.5.aarch64
    php-bcmath-8.2.27-1.amzn2.0.5.aarch64
    php-gmp-8.2.27-1.amzn2.0.5.aarch64
    php-dba-8.2.27-1.amzn2.0.5.aarch64
    php-embedded-8.2.27-1.amzn2.0.5.aarch64
    php-pspell-8.2.27-1.amzn2.0.5.aarch64
    php-intl-8.2.27-1.amzn2.0.5.aarch64
    php-enchant-8.2.27-1.amzn2.0.5.aarch64
    php-sodium-8.2.27-1.amzn2.0.5.aarch64
    php-debuginfo-8.2.27-1.amzn2.0.5.aarch64

src:
    php-8.2.27-1.amzn2.0.5.src

x86_64:
    php-8.2.27-1.amzn2.0.5.x86_64
    php-cli-8.2.27-1.amzn2.0.5.x86_64
    php-dbg-8.2.27-1.amzn2.0.5.x86_64
    php-fpm-8.2.27-1.amzn2.0.5.x86_64
    php-common-8.2.27-1.amzn2.0.5.x86_64
    php-devel-8.2.27-1.amzn2.0.5.x86_64
    php-opcache-8.2.27-1.amzn2.0.5.x86_64
    php-ldap-8.2.27-1.amzn2.0.5.x86_64
    php-pdo-8.2.27-1.amzn2.0.5.x86_64
    php-mysqlnd-8.2.27-1.amzn2.0.5.x86_64
    php-pgsql-8.2.27-1.amzn2.0.5.x86_64
    php-process-8.2.27-1.amzn2.0.5.x86_64
    php-odbc-8.2.27-1.amzn2.0.5.x86_64
    php-soap-8.2.27-1.amzn2.0.5.x86_64
    php-snmp-8.2.27-1.amzn2.0.5.x86_64
    php-xml-8.2.27-1.amzn2.0.5.x86_64
    php-mbstring-8.2.27-1.amzn2.0.5.x86_64
    php-gd-8.2.27-1.amzn2.0.5.x86_64
    php-bcmath-8.2.27-1.amzn2.0.5.x86_64
    php-gmp-8.2.27-1.amzn2.0.5.x86_64
    php-dba-8.2.27-1.amzn2.0.5.x86_64
    php-embedded-8.2.27-1.amzn2.0.5.x86_64
    php-pspell-8.2.27-1.amzn2.0.5.x86_64
    php-intl-8.2.27-1.amzn2.0.5.x86_64
    php-enchant-8.2.27-1.amzn2.0.5.x86_64
    php-sodium-8.2.27-1.amzn2.0.5.x86_64
    php-debuginfo-8.2.27-1.amzn2.0.5.x86_64

Additional References

Red Hat: CVE-2024-11233, CVE-2024-11234, CVE-2024-8925, CVE-2024-8927, CVE-2024-8929, CVE-2024-8932, CVE-2024-9026

Mitre: CVE-2024-11233, CVE-2024-11234, CVE-2024-8925, CVE-2024-8927, CVE-2024-8929, CVE-2024-8932, CVE-2024-9026