On Friday, 20 December 2024 at 08:03:49 UTC, Adrian Bunk wrote:
> Hi,
>
> could someone with more knowledge about PHP look at the following:
>
> https://security-tracker.debian.org/tracker/CVE-2024-22640
> https://github.com/zunak/CVE-2024-22640
> https://security-tracker.debian.org/tracker/CVE-2024-22641
> https://github.com/zunak/CVE-2024-22641
>
> Changing the PoCs to
> require_once('/usr/share/php/tcpdf/tcpdf.php');
> I cannot reproduce the issue in bookworm or jessie,
> it just seems to work fine already without the fix.
ReDoS is a timing issue.
Did you test preg_last_error() after the last line?
>
> Am I doing something stupid here, or is there some reason why we might
> not be affected by these CVEs?
Depends on the PCRE library of the day and the options:
https://www.php.net/manual/fr/pcre.configuration.php
ReDoS are usually patched easily, so go ahead.
Bastien
>
> Thanks
> Adrian
>
>
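An added illustration of the check Bastien suggests, written for this edit and not taken from the thread, from TCPDF or from the CVE proof-of-concept repositories. It shows why a ReDoS can look like "it just works": PHP bounds regex matching with pcre.backtrack_limit (and, with pcre.jit, the JIT stack limit), so a catastrophic pattern often returns false quickly instead of hanging, and only preg_last_error() reveals that the match was aborted. The pattern `/^(a+)+$/` is a textbook catastrophic-backtracking example chosen for illustration; it is an assumption for the demo and is not the TCPDF pattern the CVEs refer to. The `(?#...)` comment group is only there so each run compiles a fresh regex rather than reusing PHP's per-pattern compiled cache (an assumption about the cache keying on the pattern string).

```php
<?php
// Added example (not from the thread or from TCPDF): observe how a
// catastrophic-backtracking regex surfaces in PHP under different PCRE
// settings. Requires PHP >= 7.3 for hrtime(); preg_last_error_msg() is
// PHP >= 8.0 and is guarded below.

/**
 * Run preg_match() and report result, PCRE error state and elapsed time.
 * A return of false with PREG_BACKTRACK_LIMIT_ERROR (or
 * PREG_JIT_STACKLIMIT_ERROR) means the engine gave up: the pattern is
 * still a ReDoS candidate, the limits merely capped the damage.
 */
function check_regex(string $pattern, string $subject): array
{
    $start  = hrtime(true);
    $result = preg_match($pattern, $subject);   // 1 match, 0 no match, false on error
    $elapsedMs = (hrtime(true) - $start) / 1e6;

    $code = preg_last_error();                  // PREG_NO_ERROR, PREG_BACKTRACK_LIMIT_ERROR, ...
    $msg  = function_exists('preg_last_error_msg') ? preg_last_error_msg() : (string) $code;

    return [
        'result'     => $result,
        'error'      => $code,
        'error_msg'  => $msg,
        'elapsed_ms' => round($elapsedMs, 2),
    ];
}

// Constructed input: a run of 'a' followed by a character that can never
// match, so a naive backtracking engine tries every way of splitting the run.
$subject = str_repeat('a', 28) . '!';

foreach (['1', '0'] as $jit) {
    ini_set('pcre.jit', $jit);
    foreach (['1000000', '10000000'] as $limit) {
        ini_set('pcre.backtrack_limit', $limit);

        // Textbook ReDoS pattern (assumption for the demo, not TCPDF's regex).
        // The comment group makes the pattern text unique per setting so PHP
        // compiles it afresh instead of serving a cached compilation.
        $pattern = sprintf('/(?#jit%s limit%s)^(a+)+$/', $jit, $limit);

        $r = check_regex($pattern, $subject);
        printf(
            "pcre.jit=%s backtrack_limit=%-9s result=%-5s error=%d (%s) elapsed=%.2f ms\n",
            $jit,
            $limit,
            var_export($r['result'], true),
            $r['error'],
            $r['error_msg'],
            $r['elapsed_ms']
        );
    }
}
```

Run it with `php` on the command line and compare rows: a false result carrying a non-zero error code shows the limit firing, a large elapsed time shows the backtracking actually being paid for, and a quick clean 0 shows the PCRE version optimising the case away. Which of these you get is exactly the "PCRE library of the day and options" dependence Bastien points to, which is why a PoC that "just works" on one Debian release says little about whether the regex itself has been fixed.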