
Debian: DLA-3345-1 Critical: PHP Denial Of Service Issues

Debian LTS
February 26, 2023
Multiple vulnerabilities identified in PHP may result in denial of service or incorrect BCrypt hash validation; updating is recommended.

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCry...

Summary

CVE-2022-31631

Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string. The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.
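The advisory's point for CVE-2022-31631 is that `PDO::quote()` becomes unsafe when it is called on user-supplied input with no length restriction. The following is an added example, not code from the advisory or from PHP, showing the defensive pattern a practitioner would want: cap the input length before quoting, sanity-check the quoted result, and, where possible, avoid quoting user input at all by using bound parameters. The limit `MAX_QUOTED_INPUT_BYTES`, the helpers `quote_bounded()` and `find_user()`, and the `users` table are assumptions for illustration.

```php
<?php
// Added example (not from the advisory): never hand unbounded user input to
// PDO::quote(); enforce a length cap and prefer bound parameters instead.

const MAX_QUOTED_INPUT_BYTES = 4096;  // assumed application-specific limit

function quote_bounded(PDO $pdo, string $userInput): string
{
    // Length restriction: the overflow only matters for very large inputs,
    // so refuse anything beyond what the application legitimately needs.
    if (strlen($userInput) > MAX_QUOTED_INPUT_BYTES) {
        throw new LengthException('Input exceeds the allowed length for quoting');
    }

    $quoted = $pdo->quote($userInput);

    // Defence in depth: a correctly quoted string is at least two bytes ("''")
    // and is wrapped in apostrophes. A lone apostrophe, as described in the
    // advisory, fails this check and is never spliced into SQL.
    if ($quoted === false
        || strlen($quoted) < 2
        || $quoted[0] !== "'"
        || substr($quoted, -1) !== "'") {
        throw new RuntimeException('PDO::quote() returned an unexpected result');
    }
    return $quoted;
}

// Preferred approach: bound parameters mean user input is never quoted by hand.
function find_user(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('INSERT INTO users (name) VALUES (' . quote_bounded($pdo, "o'brien") . ')');

var_dump(find_user($pdo, "o'brien"));

try {
    quote_bounded($pdo, str_repeat('A', MAX_QUOTED_INPUT_BYTES + 1));
} catch (LengthException $e) {
    echo 'Rejected oversized input: ', $e->getMessage(), PHP_EOL;
}
```

The length cap is the mitigation the advisory implies; the shape check on the quoted result is an extra guard so that a malformed return value is detected rather than silently concatenated into a statement.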

CVE-2023-0567

Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid. (`password_verify()`
always returns `true` with such inputs.)
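Because CVE-2023-0567 is triggered by a stored hash whose salt part is malformed, a defender can reject such hashes before they ever reach `password_verify()`. The following is an added example, not code from the advisory or from PHP: it checks that a stored value has the exact bcrypt modular-crypt layout (`$2y$<cost>$` followed by 53 characters from the bcrypt alphabet, 60 bytes in total) and fails closed otherwise. The names `BCRYPT_HASH_PATTERN`, `is_wellformed_bcrypt_hash()` and `safe_password_verify()` are assumptions for illustration, and the sample hashes are constructed at run time.

```php
<?php
// Added example (not from the advisory): validate the stored bcrypt hash's
// format before verification so a corrupted or tampered hash can never
// authenticate a password.

// $2a$/$2b$/$2y$ prefix, two-digit cost 04..31, then 22-char salt + 31-char
// digest (53 chars) drawn only from the bcrypt alphabet [./A-Za-z0-9].
// A '$' anywhere inside the salt part fails this pattern.
const BCRYPT_HASH_PATTERN = '/^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[.\/A-Za-z0-9]{53}$/';

function is_wellformed_bcrypt_hash(string $hash): bool
{
    return strlen($hash) === 60 && preg_match(BCRYPT_HASH_PATTERN, $hash) === 1;
}

function safe_password_verify(string $password, string $storedHash): bool
{
    if (!is_wellformed_bcrypt_hash($storedHash)) {
        // Fail closed and leave an audit trail: a stored hash that is not a
        // valid bcrypt string indicates corruption or tampering, not a login.
        error_log('Rejected malformed bcrypt hash during password verification');
        return false;
    }
    return password_verify($password, $storedHash);
}

// Constructed demonstration values.
$good = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);

// Constructed malformed hash: a '$' injected as the first salt character,
// the shape of input the advisory describes. Same 60-byte length as $good.
$bad = '$2y$10$' . '$' . substr($good, 8);

var_dump(safe_password_verify('correct horse', $good));   // well-formed hash, real check
var_dump(safe_password_verify('anything', $bad));         // malformed hash, rejected up front
```

The format check belongs wherever hashes are read from storage, not only at login: a hash that fails it should be treated as a data-integrity incident for that account rather than as a credential to test against.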

CVE-2023-0568

1-byte array overrun when appending slash to paths during path
resolution.

CVE-2023-0662

Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU



Severity: critical

Package: php7.3
Version: 7.3.31-1~deb10u3
CVE ID: CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662
Debian Bug: 1031368
