764314 – (CVE-2020-7071) <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071)

Bug 764314 (CVE-2020-7071) - <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071)

Summary: <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid ...

Status:	RESOLVED FIXED

Alias:	CVE-2020-7071

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugs.php.net/bug.php?id=77423
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:	764356 764362 CVE-2021-21702
Blocks:
	Show dependency tree

Reported:	2021-01-07 14:29 UTC by Sam James
Modified:	2021-05-26 09:48 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-01-07 14:29:34 UTC

From the changelog for 7.3.26:
"(FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)"

Applies to the others too AFAICT.

Comment 1 Sam James archtester

2021-01-07 14:32:01 UTC

They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.

The various patches can be found in the bug link.

Comment 2 Brian Evans (RETIRED) gentoo-dev

2021-01-07 14:56:03 UTC

(In reply to Sam James from comment #1)
> They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.
> 
> The various patches can be found in the bug link.

7.2 will be masked and removed since it is EOL

Comment 3 Larry the Git Cow gentoo-dev

2021-01-07 16:58:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448

commit 99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-01-07 16:55:10 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-01-07 16:55:10 +0000

    dev-lang/php: Security bump for 7.4.14
    
    Bug: https://bugs.gentoo.org/764314
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.14.ebuild | 752 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 753 insertions(+)

Comment 4 NATTkA bot gentoo-dev

2021-01-07 19:08:54 UTC Comment hidden (obsolete)

Unable to check for sanity:

> dependent bug #764356 is missing keywords

Comment 5 NATTkA bot gentoo-dev

2021-01-07 19:12:58 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 6 Rolf Eike Beer archtester

2021-01-17 12:33:03 UTC

sparc stable

Comment 7 Agostino Sarubbo gentoo-dev

2021-01-21 07:41:28 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2021-01-24 12:11:20 UTC

x86 stable

Comment 9 Sam James archtester

2021-01-25 14:14:16 UTC

arm64 done

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2021-02-11 08:01:46 UTC

ppc64 stable

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 13:46:57 UTC

Added to an existing GLSA request.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 09:48:40 UTC

This issue was resolved and addressed in
 GLSA 202105-23 at https://security.gentoo.org/glsa/202105-23
by GLSA coordinator Thomas Deutschmann (whissi).