Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 768756 (CVE-2021-21702)

Summary: <dev-lang/php-{7.3.27, 7.4.15, 8.0.2}: Null dereference in SoapClient (CVE-2021-21702)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.php.net/bug.php?id=80672
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 764314    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-05 03:59:11 UTC
"PHP will crash with a SIGSEGV whenever an XML is provided to the SoapClient query() function without an existing field."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 22:53:23 UTC
ppc done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-11 07:53:50 UTC
x86 done
Comment 3 Rolf Eike Beer archtester 2021-02-11 15:17:15 UTC
sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 23:04:35 UTC
ppc64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-15 06:05:48 UTC
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 19:20:48 UTC
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 11:17:20 UTC
amd64 done

all arches done
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 16:18:52 UTC
Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2021-02-25 19:23:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d40fc0e30d0c66783fe25ac0f8cbb46ce6f420b4

commit d40fc0e30d0c66783fe25ac0f8cbb46ce6f420b4
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-02-25 19:22:30 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-02-25 19:22:30 +0000

    dev-lang/php: Clean up vulnerable versions
    
    Bug: https://bugs.gentoo.org/768756
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest                          |   6 -
 dev-lang/php/files/php-7.4.13-issue80368.patch |  17 -
 dev-lang/php/php-7.3.25.ebuild                 | 760 ------------------------
 dev-lang/php/php-7.3.26-r1.ebuild              | 762 -------------------------
 dev-lang/php/php-7.3.26.ebuild                 | 760 ------------------------
 dev-lang/php/php-7.4.13.ebuild                 | 753 ------------------------
 dev-lang/php/php-7.4.14-r1.ebuild              | 754 ------------------------
 dev-lang/php/php-7.4.14.ebuild                 | 752 ------------------------
 dev-lang/php/php-8.0.0.ebuild                  | 747 ------------------------
 dev-lang/php/php-8.0.1-r1.ebuild               | 749 ------------------------
 10 files changed, 6060 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 19:27:22 UTC
Thank you!
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 13:44:55 UTC
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:48:43 UTC
This issue was resolved and addressed in
 GLSA 202105-23 at https://security.gentoo.org/glsa/202105-23
by GLSA coordinator Thomas Deutschmann (whissi).