Security announce April 2024

Statement on glibc/iconv Vulnerability

Below we reproduce an important PHP security announcement from April 24, 2024.

WIKINDX is not affected by this iconv() vulnerability because the conversion to ISO-2022-CN-EXT encoding is not used and not allowed.

Stéphane Aulery

---

Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered where a buffer overflow in character set conversions to the ISO-2022-CN-EXT character set.

This specific buffer overflow in glibc is exploitable through PHP, which uses the iconv functionality in glibc to do character set conversions. Although the bug is exploitable in the context of the PHP Engine, the bug is not in PHP. It is also not directly exploitable remotely.

There are numerous reports online with titles like "Mitigating the iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These titles are misleading as this is not a bug in PHP itself.

Currently there is no fix for this issue, but there is a workaround described in GLIBC Vulnerability on Servers Serving PHP. It explains a way how to remove the problematic character set from glibc. Perform this procedure for every gconv-modules-extra.conf file that is available on your system.

Additionally it is also good practice for applications to accept only specific charsets, with an allow-list.

Some Linux distributions such as Debian, CentOS, and others, already have published patched variants of glibc. Please upgrade as soon as possible.

Once an update is available in glibc, updating that package on your Linux machine will be enough to alleviate the issue. You do not need to update PHP, as glibc is a dynamically linked library.

PHP users on Windows are not affected.

There will therefore also not be a new version of PHP for this vulnerability.