GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

[oerdnj]

Just a quick summary:

• There's nothing I can do on the PHP side, it needs to be fixed in libc
• Ubuntu libc packages are already fixed
• Debian unstable and stable is fixed, old stable is not

On older Debian, edit /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.d/gconv-modules-extra.conf, comment out vulnerable locale and reload the iconv cache. Here's Rocky Linux guide that should be applicable (with just different paths) to Debian and Ubuntu: https://rockylinux.org/news/glibc-vulnerability-april-2024/

[sleemanj]

Instructions for manually disabling on older systems generally....

https://old.reddit.com/r/PHP/comments/1c9lslg/security_vulnerability_in_php_caused_by_glibc/l0o6zi1/

[oerdnj]

@sleemanj That's what the link to Rocky Linux contains. The Reddit connect looks copied from that page…

[oerdnj]

Here's an update from PHP itself: https://www.php.net/archive/2024.php#2024-04-24-1