Malicious changes detected in the Git repository of the PHP project

The developers of the PHP project have warned that the project's Git repository was compromised: two malicious commits were added to the php-src repository on March 28 under the names of Rasmus Lerdorf, the founder of PHP, and Nikita Popov, one of its key developers.

Since the server hosting the Git repository can no longer be trusted, the developers concluded that maintaining their own Git infrastructure creates additional security risk and moved the canonical repository to GitHub, which is now proposed as the primary one. From now on, all changes must be submitted to GitHub rather than to git.php.net; the GitHub web interface can also be used for development.

The first malicious commit, disguised as a typo fix in the file ext/zlib/zlib.c, added code that executes PHP code passed in the User-Agent HTTP header when the header content begins with the word "zerodium". After the developers noticed the malicious change and reverted it, a second commit appeared in the repository that undid the developers' revert and restored the malicious change.

The added code contains the line "REMOVETHIS: sold to zerodium, mid 2017", which may hint that another, well-camouflaged malicious change, or an unpatched vulnerability sold to Zerodium, a company that buys 0-day vulnerabilities, has been present in the code since 2017 (Zerodium responded that it did not buy any PHP vulnerability information).

At this time there is no detailed information about the incident; it is only assumed that the changes were added through a hijacking of the git.php.net server rather than a compromise of individual developer accounts. An analysis of the repository for further malicious changes, beyond the ones already identified, has begun. Everyone is invited to review the history, and any suspicious changes found should be reported to [email protected].

With regard to the move to GitHub, contributors must be members of the PHP organization in order to gain write access to the new repository. Those not yet listed as PHP developers on GitHub should contact Nikita Popov by email at [email protected]. In addition, two-factor authentication is mandatory. Once the proper rights to change the repository have been obtained, it is enough to run the command "git remote set-url origin [email protected]:php/php-src.git". The project is also considering making it mandatory for developers to sign commits with their digital signature, and proposes to prohibit pushing changes directly without prior review.
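Mandatory commit signing only helps if someone checks the signatures. The following script is an added example, not code from the PHP project: it audits a git log and flags every commit whose signature status is anything other than a good, trusted signature, so a reviewer can inspect commits that merely claim a core developer's name. It assumes the log was produced with `git log --format='%H%x09%G?%x09%an%x09%s'`, where `%G?` is git's signature-status letter; the sample log and its hashes are constructed, not real php-src history.

```python
"""Audit a git log for commits that lack a valid, trusted signature.

Assumed input format (one commit per line, tab-separated):
    git log --format='%H%x09%G?%x09%an%x09%s' origin/master
"""
from typing import Dict, List

# Meaning of git's %G? status letters (see git-log pretty formats).
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot check (missing key or error)",
    "N": "no signature",
}


def audit_log(log_text: str) -> List[Dict[str, str]]:
    """Return every commit whose signature status is not 'G'.

    Each flagged entry carries hash, author, subject and a readable reason,
    which is what an incident responder needs to triage the history."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, status, author, subject = line.split("\t", 3)
        if status != "G":
            flagged.append({
                "sha": sha,
                "author": author,
                "subject": subject,
                "reason": SIG_STATUS.get(status, f"unknown status {status!r}"),
            })
    return flagged


# Constructed sample log: fake hashes, modelled on a disguised "typo fix"
# and a commit that undoes its revert, both unsigned.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tNikita Popov\tFix test
2222222222222222222222222222222222222222\tN\tRasmus Lerdorf\tFix typo
3333333333333333333333333333333333333333\tN\tNikita Popov\tRevert "Revert "Fix typo""
"""

if __name__ == "__main__":
    for c in audit_log(SAMPLE_LOG):
        print(f"{c['sha'][:12]} {c['author']:<16} {c['reason']}: {c['subject']}")
```

A status of `U` is worth treating as suspicious too: it means the key is not in the reviewer's trust set, which is exactly the case when an attacker signs with a key of their own.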

Source: opennet.ru
