<?xml version="1.0" encoding="utf-8"?>
<entry xmlns="http://www.w3.org/2005/Atom">
  <title>Statement on glibc/iconv Vulnerability</title>
  <id>https://www.php.net/archive/2024.php#2024-04-24-1</id>
  <published>2024-04-24T18:40:29+00:00</published>
  <updated>2024-04-24T18:40:29+00:00</updated>
  <link href="https://www.php.net/index.php#2024-04-24-1" rel="alternate" type="text/html"/>
  <link href="https://www.php.net/archive/2024.php#2024-04-24-1" rel="via" type="text/html"/>
  <category term="frontpage" label="PHP.net frontpage news"/>
  <content type="xhtml">
    <div xmlns="http://www.w3.org/1999/xhtml">
     <p>EDIT 2024-04-25: Clarified when a PHP application is vulnerable to this bug.</p>
     <p>Recently, a bug in <strong>glibc</strong> version 2.39 and older (<a
     href="https://nvd.nist.gov/vuln/detail/CVE-2024-2961">CVE-2024-2961</a>) was uncovered
     where a buffer overflow in character set conversions <strong>to</strong>
     the ISO-2022-CN-EXT character set can result in remote code execution.
     </p>

     <p>
      This specific buffer overflow in glibc is exploitable through PHP,
      which exposes the iconv functionality of glibc to do character set
      conversions via the <a href="https://www.php.net/manual/en/function.iconv.php">iconv extension</a>.
      Although the bug is exploitable in the context of the PHP
      Engine, the bug is not in PHP. It is also not directly exploitable
      remotely.
     </p>

     <p>
      The bug is exploitable <strong>if and only if</strong>
      the PHP application calls iconv <a href="https://www.php.net/manual/en/ref.iconv.php">functions</a>
      or <a href="https://www.php.net/manual/en/filters.convert.php#filters.convert.iconv">filters</a>
      with user-supplied character sets.
     </p>

     <p>
      Applications are <strong>not</strong> vulnerable if:
     </p>

     <ul>
      <li>Glibc security updates from the distribution have been installed.</li>
      <li>Or the iconv extension is not loaded.</li>
      <li>Or the vulnerable character set has been removed from gconv-modules-extra.conf.</li>
      <li>Or the application passes only specifically allowed character sets to iconv.</li>
     </ul>

     <p>
      Moreover, when using a user-supplied character set,
      it is good practice for applications to accept only
      specific charsets that have been explicitly allowed by the application.
      One example of how this can be done is by using an allow-list and the
      <a href="https://www.php.net/manual/en/function.array-search"><code>array_search()</code></a> function
      to check the encoding before passing it to iconv, rejecting the request
      when the lookup fails.
      For example: <code>array_search($charset, $allowed_list, true)</code>
     </p>
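     <p>As an added example that is not part of this statement or of PHP's own code,
      the following wrapper applies the strict <code>array_search()</code> check above to both
      <code>iconv()</code> calls and <code>convert.iconv.*</code> stream filter names.
      The allow-list contents and the function names
      <code>allowed_charset()</code>, <code>safe_iconv()</code> and <code>safe_iconv_filter_name()</code>
      are assumptions chosen for illustration.</p>

```php
<?php
// Added example, not from the PHP.net statement: an allow-list wrapper so that a
// user-supplied charset name reaches glibc's iconv only if the application allows it.
// Constructed allow-list: only the charsets this application actually needs.
// Names are kept uppercase so the strict comparison below is exact.
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'WINDOWS-1252', 'UTF-16LE'];

// Return the allow-listed spelling of $charset, or null. Only trim()/strtoupper()
// are applied, so "//TRANSLIT"-style suffixes also fail the strict lookup.
function allowed_charset(string $charset): ?string
{
    $normalized = strtoupper(trim($charset));
    // Strict array_search(), as the statement suggests: no type juggling.
    $key = array_search($normalized, ALLOWED_CHARSETS, true);
    return $key === false ? null : ALLOWED_CHARSETS[$key];
}

/** iconv() that refuses to run with any charset outside the allow-list. */
function safe_iconv(string $from, string $to, string $text): string
{
    $fromOk = allowed_charset($from);
    $toOk = allowed_charset($to);
    if ($fromOk === null || $toOk === null) {
        throw new InvalidArgumentException('charset not allowed');
    }
    $result = iconv($fromOk, $toOk, $text);
    if ($result === false) {
        throw new RuntimeException('conversion failed');
    }
    return $result;
}

/** Build a convert.iconv.* filter name only from validated charsets. */
function safe_iconv_filter_name(string $from, string $to): string
{
    $fromOk = allowed_charset($from);
    $toOk = allowed_charset($to);
    if ($fromOk === null || $toOk === null) {
        throw new InvalidArgumentException('charset not allowed');
    }
    return "convert.iconv.$fromOk.$toOk";
}

// Constructed inputs, as they might arrive in a request parameter.
foreach (['utf-8', 'ISO-2022-CN-EXT', 'UTF-8//TRANSLIT'] as $requested) {
    echo $requested, ' -> ', allowed_charset($requested) ?? 'rejected', "\n";
}
echo safe_iconv('ISO-8859-1', 'UTF-8', "caf\xE9"), "\n";
?>
```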
55
     <p>There are numerous reports online with titles like "Mitigating the
     iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These
     titles are misleading as this is <strong>not</strong> a bug in PHP itself.</p>

     <p>
      If your PHP application is vulnerable, we first recommend checking whether your Linux distribution
      has already published patched variants of glibc.
      <a href="https://security-tracker.debian.org/tracker/CVE-2024-2961">Debian</a>,
      CentOS, and others have already done so; please upgrade as soon as possible.
     </p>

     <p>Once an update is available for glibc, updating that package on your
      Linux machine will be enough to alleviate the issue. You do not need to
      update PHP, as glibc is a dynamically linked library.</p>

     <p>
      If your Linux distribution has not published a patched version of glibc,
      there is no fix for this issue. However, there exists a workaround described in
      <a href="https://rockylinux.org/news/glibc-vulnerability-april-2024/">GLIBC
      Vulnerability on Servers Serving PHP</a> which explains how to remove
      the problematic character set from glibc. Perform this procedure for every
      gconv-modules-extra.conf file that is available on your system.</p>

     <p>PHP users on Windows are not affected.</p>

     <p>Therefore, a new version of PHP will not be released for this vulnerability.</p>
    </div>
  </content>
</entry>