Vulnerability CVE-2022-31628: Information

Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-31628

Published: Sept. 29, 2022

Modified: Nov. 7, 2023

Error type identifier: CWE-835

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
php7	p10	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-2810-1	307829	Fixed
php7	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6520-1	-	Fixed
php7	c10f1	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-2810-1	307829	Fixed
php7	c9f2	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-2755-1	307875	Fixed
php7-curl	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6521-1	-	Fixed
php7-gd	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6522-1	-	Fixed
php7-intl	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6528-1	-	Fixed
php7-opcache	p10_e2k	7.4.32-alt1.2	7.4.33-alt1.2	ALT-PU-2022-6529-1	-	Fixed
php7-openssl	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6523-1	-	Fixed
php7-pdo_mysql	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6524-1	-	Fixed
php7-pgsql	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6525-1	-	Fixed
php7-tidy	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6531-1	-	Fixed
php7-xmlrpc	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6530-1	-	Fixed
php7-xsl	p10_e2k	7.4.32-alt1.1	7.4.33-alt1.1	ALT-PU-2022-6527-1	-	Fixed
php7-zip	p10_e2k	7.4.32-alt1	7.4.33-alt1	ALT-PU-2022-6526-1	-	Fixed
php8.0	p10	8.0.24-alt1	8.0.30-alt1	ALT-PU-2022-2827-1	307752	Fixed
php8.0	p10_e2k	8.0.24-alt1	8.0.30-alt1	ALT-PU-2022-6519-1	-	Fixed
php8.0	c10f1	8.0.24-alt1	8.0.30-alt1	ALT-PU-2022-2827-1	307752	Fixed
php8.1	sisyphus	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-2698-1	307626	Fixed
php8.1	sisyphus_e2k	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-6346-1	-	Fixed
php8.1	sisyphus_riscv64	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-6338-1	-	Fixed
php8.1	p10	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-2767-1	307734	Fixed
php8.1	p10_e2k	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-6517-1	-	Fixed
php8.1	c10f1	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-2767-1	307734	Fixed
php8.1	c9f2	8.1.11-alt1	8.1.16-alt1	ALT-PU-2022-3022-1	307765	Fixed
php8.1	p11	8.1.11-alt1	8.1.28-alt1	ALT-PU-2022-2698-1	307626	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugs.php.net/bug.php?id=81726	Permissions Required Third Party Advisory
DSA-5277	Third Party Advisory
GLSA-202211-03	Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0001/	Third Party Advisory
[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update	Mailing List Third Party Advisory
FEDORA-2022-0b77fbd9e7
FEDORA-2022-afdea1c747
FEDORA-2022-f204e1d0ed

Affected configurations:
1. Configuration 1
  cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Start including
  8.1.0
  End excliding
  8.1.11
  cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Start including
  8.0.0
  End excliding
  8.0.24
  cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  End excliding
  7.4.31
  
  Configuration 2
  cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2022-31628: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3