PHP 8.5.2RC1, 8.4.17RC1, and 8.3.30RC1 released
Release candidates for PHP 8.5.2, along with updates to PHP 8.4 and 8.3, are ready for testing right now. These builds tackle a range of security problems and bugs found in older versions.
One fix came out of a report from the OSS-Fuzz program, specifically #465488618. It corrects incorrect assumptions made when handling function signatures containing default arguments related to dynamic class constants during object dumps.
PHP 8.5.2 also fixes an internal assertion failure in normalize_value() that occurred whenever parse_ini_string() dealt with improperly formatted INI data. More generator-related glitches were fixed too, including a specific one from GitHub (GH-20714) that caused exceptions that could be cached.
Then there's the use-after-free (UAF) vulnerability involving php_output_handler_free. It was patched by ensuring ob_start() calls are reentrant during error handler deactivation, which prevents memory from being used after it has been freed.
The DOM module saw some action too, getting fixes for null pointer issues and problems with cloning objects that were improperly formed.
Beyond these points, you'll find improvements spread across several areas, including the EXIF, Intl, LDAP, Lexbor, Mbstring, PCNTLError, Phar, POSIX, SPL, Sqlite3, Standard, and Zlib modules. For instance, PHP 8.5.2 cleaned up memory leaks in functions like ldap_set_options() and umsg_format_helper(), while also beefing up build support for systems with the older OpenSSL version 1.1.0.
You can grab the RCs from these GitHub pages:
Release php-8.5.2RC1
Tag for php-8.5.2RC1
Release php-8.4.17RC1
Tag for php-8.4.17RC1
Release php-8.3.30RC1
Tag for php-8.3.30RC1
