[security][HIGH] php 8.4.11: 2 CVE require triage #1

Closed
opened 2026-04-29 04:38:04 +03:00 by sbelikov · 1 comment
Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

  • Package: php
  • Version: 8.4.11
  • EVR: 8.4.11-1
  • Category: web
  • Policy class: leaf
  • NiceOS policy class: -
  • Owner: network-team
  • Severity: HIGH
  • Max CVSS: 8.2
  • CVE count: 2

LLM recommendation / Рекомендация LLM

RU (translated to English)

Two critical vulnerabilities (CVE-2025-14178, CVE-2025-14180) were found in PHP 8.4.11. Both affect PHP 8.4.x versions before 8.4.16 and consist of a buffer overflow in the array_merge() function and a null pointer dereference in the PDO PostgreSQL driver. The current NiceOS version (8.4.11) is vulnerable.

Immediately update the php package to version 8.4.16 or later to fix the vulnerabilities. Check whether the PDO PostgreSQL driver is present and disable prepared-statement emulation (ATTR_EMULATE_PREPARES) as a temporary measure if an update is not possible in the short term.

Recommended action: update_package

Target version hint: 8.4.16

Checks: 1. Check the php package version via rpm -q php (must be >= 8.4.16). 2. Check for the vulnerable functions in a test script with large arrays. 3. Check PDO PostgreSQL behaviour with the \x99 sequence while prepared-statement emulation is enabled.

Risks: Possibility of arbitrary code execution or a server crash (DoS) when processing specially crafted arrays or queries to the PostgreSQL database. High risk of exploitation in web services.

EN

Two critical vulnerabilities (CVE-2025-14178, CVE-2025-14180) detected in PHP 8.4.11. Both affect PHP versions 8.4.x prior to 8.4.16, involving a heap buffer overflow in array_merge() and a null pointer dereference in the PDO PostgreSQL driver. The current NiceOS version (8.4.11) is vulnerable.

Immediately update the php package to version 8.4.16 or higher to mitigate the vulnerabilities. Verify the presence of the PDO PostgreSQL driver and disable emulation of prepared statements (ATTR_EMULATE_PREPARES) as a temporary measure if an immediate update is not feasible.

Recommended action: update_package

Target version hint: 8.4.16

Tests: 1. Verify php package version via rpm -q php (must be >= 8.4.16). 2. Test array_merge() with large packed arrays to ensure no crash. 3. Test PDO PostgreSQL with sequence \x99 and ATTR_EMULATE_PREPARES enabled to ensure no segmentation fault.

Risks: Potential for arbitrary code execution or server crash (DoS) when processing specially crafted arrays or PostgreSQL database queries. High risk of exploitation in web services.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2025-14178 | HIGH | 8.2 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-14180 | HIGH | 8.2 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2025-14178

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

CVE-2025-14180

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-14178",
    "CVE-2025-14180"
  ],
  "fingerprint": "9d3f409d13b920aee1bf",
  "generated_at": "2026-04-29T01:38:03Z",
  "package": "php",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "8.4.11"
}
Author
Owner

Fixed in php-8.4.20-1 on branch niceos-5.2.

Triage result:

| CVE | NiceOS status | Resolution |
|---|---|---|
| CVE-2025-14178 | fixed | Updated PHP from 8.4.11-1 to 8.4.20-1. PHP 8.4.x before 8.4.16 is affected by the array_merge() heap buffer overflow; 8.4.20 is above the fixed version. |
| CVE-2025-14180 | fixed | Updated PHP from 8.4.11-1 to 8.4.20-1. PHP 8.4.x before 8.4.16 is affected by the PDO PostgreSQL quoting NULL dereference; 8.4.20 is above the fixed version. |

Details:

  • Kept PHP within the NiceOS 5.2 pinned 8.4.x line.
  • Did not update to PHP 8.5.x; cross-minor PHP updates require application compatibility review.
  • No downstream backport patches were needed.
  • The NiceOS build enables --with-pdo-pgsql, so CVE-2025-14180 was considered applicable before the update.

Verification:

  • rpmbuild -ba SPECS/php.spec completed successfully.
  • Upgrade transaction test completed successfully.
  • php -v reports 8.4.20.
  • php -m completed successfully and confirms expected extensions.
  • php-fpm -t completed successfully.
  • Basic CLI smoke tests completed successfully.
  • package-index reports EVR: 8.4.20-1.
  • Portal card: php 8.4.11 -> 8.4.20.

Closing as fixed.

sbelikov 2026-04-30 01:51:20 +03:00
Reference
rpms/php#1