Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 764314 (CVE-2020-7071)

Summary: <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.php.net/bug.php?id=77423
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 764356, 764362, 768756    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:29:34 UTC 
From the changelog for 7.3.26:
"(FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)"

Applies to the others too AFAICT.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:32:01 UTC 
They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.

The various patches can be found in the bug link.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2021-01-07 14:56:03 UTC 
(In reply to Sam James from comment #1)
> They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.
> 
> The various patches can be found in the bug link.

7.2 will be masked and removed since it is EOL
Comment 3 Larry the Git Cow gentoo-dev 2021-01-07 16:58:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448

commit 99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-01-07 16:55:10 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-01-07 16:55:10 +0000

    dev-lang/php: Security bump for 7.4.14
    
    Bug: https://bugs.gentoo.org/764314
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.14.ebuild | 752 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 753 insertions(+)
Comment 4 NATTkA bot gentoo-dev Security 2021-01-07 19:08:54 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev Security 2021-01-07 19:12:58 UTC Comment hidden (obsolete)
Comment 6 Rolf Eike Beer archtester 2021-01-17 12:33:03 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2021-01-21 07:41:28 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-01-24 12:11:20 UTC 
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 14:14:16 UTC 
arm64 done
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 08:01:46 UTC 
ppc64 stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 13:46:57 UTC 
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:48:40 UTC 
This issue was resolved and addressed in
 GLSA 202105-23 at https://security.gentoo.org/glsa/202105-23
by GLSA coordinator Thomas Deutschmann (whissi).