Security update to the script language "PHP" -Problems with the handling of zip archives

news

"PHP 8.0.11 "" PHP 7.4.24 "" PHP 7.3."31" is released

September 24, 2021 15:45

"PHP 8.0.11 "" PHP 7.4.24 "" PHP 7.3."31" is released

　The script language "PHP" was updated on September 23.Currently the official website "PHP.net」から"PHP 8.0.11 "" PHP 7.4.24 "" PHP 7.3."31" can be downloaded.Please note that it is a security update that has been modified vulnerabilities.

　The vulnerability (CVE-2021-21706) corrected this time is related to the handling of ZIP format documentary files.The implementation of "p_zip_make_relative_path ()" does not properly handle the absolute path of Windows (handles the path that starts with slash as an absolute path), so it is placed outside the output folder given by "Ziparchive :: EXTRACTTO ().It is said that files can be included in the ZIP archive.

　This problem seems to have existed for a long time, and the range of impact seems to be large.If you are dealing with ZIP archives in the old "PHP" version, you will need to update to the correction version.

　In addition, in this version, the integer overflow when connecting the string and the heap overflow confirmed in "MSG_SEND" have been corrected.