CVE-2024-5585

Name	CVE-2024-5585
Description	In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
php5 (PTS)	jessie, jessie (lts)	5.6.40+dfsg-0+deb8u21	fixed
php7.0 (PTS)	stretch (security)	7.0.33-0+deb9u12	fixed
	stretch (lts), stretch	7.0.33-0+deb9u19	fixed
php7.3 (PTS)	buster, buster (lts)	7.3.31-1~deb10u8	fixed
	buster (security)	7.3.31-1~deb10u7	fixed
php7.4 (PTS)	bullseye	7.4.33-1+deb11u5	fixed
	bullseye (security)	7.4.33-1+deb11u6	fixed
php8.2 (PTS)	bookworm (security), bookworm	8.2.24-1~deb12u1	fixed
	sid, trixie	8.2.24-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
php5	source	(unstable)	(not affected)
php7.0	source	(unstable)	(not affected)
php7.3	source	(unstable)	(not affected)
php7.4	source	(unstable)	(not affected)
php8.2	source	(unstable)	(not affected)

Notes

- php8.2 <not-affected> (Windows-specific)
- php7.4 <not-affected> (Windows-specific)
- php7.3 <not-affected> (Windows-specific)
Fixed in 8.3.8, 8.2.20, 8.1.29
https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385
https://github.com/php/php-src/commit/4b15f5d4ec750b31ec8911f5eb0915a45f96feca
- php5 <not-affected> (Windows-specific)
- php7.0 <not-affected> (Windows-specific)