Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 764314 (CVE-2020-7071) - <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071)
Summary: <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid ...
Status: RESOLVED FIXED
Alias: CVE-2020-7071
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=77423
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 764356 764362 CVE-2021-21702
Blocks:
  Show dependency tree
 
Reported: 2021-01-07 14:29 UTC by Sam James
Modified: 2021-05-26 09:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:29:34 UTC 
From the changelog for 7.3.26:
"(FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)"

Applies to the others too AFAICT.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:32:01 UTC 
They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.

The various patches can be found in the bug link.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2021-01-07 14:56:03 UTC 
(In reply to Sam James from comment #1)
> They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.
> 
> The various patches can be found in the bug link.

7.2 will be masked and removed since it is EOL
Comment 3 Larry the Git Cow gentoo-dev 2021-01-07 16:58:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448

commit 99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-01-07 16:55:10 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-01-07 16:55:10 +0000

    dev-lang/php: Security bump for 7.4.14
    
    Bug: https://bugs.gentoo.org/764314
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.14.ebuild | 752 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 753 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2021-01-07 19:08:54 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-01-07 19:12:58 UTC Comment hidden (obsolete)
Comment 6 Rolf Eike Beer archtester 2021-01-17 12:33:03 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2021-01-21 07:41:28 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-01-24 12:11:20 UTC 
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 14:14:16 UTC 
arm64 done
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 08:01:46 UTC 
ppc64 stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 13:46:57 UTC 
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:48:40 UTC 
This issue was resolved and addressed in
 GLSA 202105-23 at https://security.gentoo.org/glsa/202105-23
by GLSA coordinator Thomas Deutschmann (whissi).