| Summary: | dev-lang/php: ZipArchive::extractTo directory traversal (CVE-2021-21706) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | CC: | mjo, php-bugs |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugs.php.net/bug.php?id=81420 | ||
| Whiteboard: | B4 [ebuild] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
John Helmert III
2021-09-25 16:10:13 UTC
(In reply to John Helmert III from comment #0) > See URL for details, seems like this is only fixed in 7.3.31. Are the other > branches vulnerable? As per the upstream bug, only affects Windows. Other branches include the fix as per their ChangeLogs[1][2]. [1] https://www.php.net/ChangeLog-7.php#7.4.24 [2] https://www.php.net/ChangeLog-8.php#8.0.11 (In reply to Brian Evans from comment #1) > (In reply to John Helmert III from comment #0) > > See URL for details, seems like this is only fixed in 7.3.31. Are the other > > branches vulnerable? > > As per the upstream bug, only affects Windows. Sorry, missed that bit! The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1cebb0fa0a2b28fd35ee764ffc26cb0a26d2154 commit b1cebb0fa0a2b28fd35ee764ffc26cb0a26d2154 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2021-09-25 23:43:43 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2021-09-25 23:44:46 +0000 dev-lang/php: Version bump for 8.0.11 Bug: https://bugs.gentoo.org/814821 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 1 + dev-lang/php/php-8.0.11.ebuild | 749 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 750 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f6e35dba3f527d0467dbaf19015a5d92bb66447 commit 9f6e35dba3f527d0467dbaf19015a5d92bb66447 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2021-09-25 23:24:46 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2021-09-25 23:44:46 +0000 dev-lang/php: Version bump for 7.4.24 Bug: https://bugs.gentoo.org/814821 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 1 + dev-lang/php/php-7.4.24.ebuild | 750 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 751 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5d83b155fdc25fece6a3bf38f2092e189f88da9 commit e5d83b155fdc25fece6a3bf38f2092e189f88da9 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2021-09-25 23:08:03 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2021-09-25 23:44:45 +0000 dev-lang/php: Version bump for 7.3.31 Bug: https://bugs.gentoo.org/814821 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 1 + dev-lang/php/php-7.3.31.ebuild | 758 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 759 insertions(+) |