iconv Buffer Overflow in Specific Character Set Conversions

Publication Date: 2024-04-24
Severity: High
Type: Remote Code Execution
Affected PHP Versions
  • 5.6.0-8.3.6
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendServer 2019.1
  • ZendServer 2021.3

CVE Details

A bug in glibc 2.39 and older was uncovered whereby a buffer overflow in character set conversions specifically to ISO-2022-CN-EXT can result in remote code execution.

This is exploitable in PHP; however, the bug is not specific to PHP, nor is it directly exploitable remotely. It can only be exploited in PHP via calls to iconv functions or filters with user-supplied character sets.

Windows distributions are not affected.

Recommendations

Applications are not vulnerable if:

  • You are not using the iconv extension
  • You have installed glibc security updates for your Linux distribution
  • The vulnerable character set has been removed from gconv-modules-extra.conf
  • Your application passes only specifically allowed character sets to iconv functions and filters

If you MUST use a user-supplied character set with iconv functions and filters, we recommend using an allow list or, at the very least, excluding the ISO-2022-CN-EXT character set from usage.
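
The allow-list approach recommended above, sketched in PHP as an added example; it is not code from this advisory or from Zend. The contents of ALLOWED_CHARSETS and the helper names allowed_charset, safe_iconv and safe_iconv_filter are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allow list for this example: only the charsets the application needs.
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'ISO-8859-15', 'WINDOWS-1252', 'ASCII'];

/**
 * Map a user-supplied charset name to its canonical allow-listed form.
 * Anything not on the list is rejected, which covers ISO-2022-CN-EXT in any
 * spelling as well as names carrying //TRANSLIT or //IGNORE suffixes.
 */
function allowed_charset(string $name): string
{
    $canonical = strtoupper(trim($name));
    if (!in_array($canonical, ALLOWED_CHARSETS, true)) {
        throw new InvalidArgumentException('Character set not permitted');
    }
    return $canonical;
}

/** iconv() wrapper: both charsets are validated before glibc sees them. */
function safe_iconv(string $from, string $to, string $data): string
{
    $out = iconv(allowed_charset($from), allowed_charset($to), $data);
    if ($out === false) {
        throw new RuntimeException('Conversion failed');
    }
    return $out;
}

/** Build a convert.iconv.* stream filter name from validated charsets only. */
function safe_iconv_filter(string $from, string $to): string
{
    return 'convert.iconv.' . allowed_charset($from) . '/' . allowed_charset($to);
}

// Constructed sample input standing in for request parameters.
$samples = ['utf-8', 'ISO-2022-CN-EXT', 'UTF-8//TRANSLIT'];
foreach ($samples as $target) {
    try {
        echo $target, ' => ', bin2hex(safe_iconv('ISO-8859-1', $target, "caf\xE9")), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $target, ' => rejected', PHP_EOL;
    }
}
```

Because the canonical allow-listed string, not the caller's input, is what reaches iconv() or the filter name, no unvalidated charset name is handed to glibc.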

If your Linux distribution has not published patches for glibc, a workaround is described in GLIBC Vulnerability on Servers Serving PHP, detailing how to remove the character set from your glibc distribution.

Because this vulnerability is not in PHP itself, no patches have been or will be issued. It is up to organizations deploying PHP to ensure that their underlying operating system is patched or has mitigations in place.