Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 819510 (CVE-2021-21703)

Summary: <dev-lang/php-{7.3.31-r1,7.4.25,8.0.12}: Privilege escalation via fpm
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.php.net/bug.php?id=81026
Whiteboard: B1 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 820221    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2021-10-22 16:23:10 UTC
There's a possible privilege escalation bug in PHP, CVE-2021-21703.

This sounds quite severe and according to the upstream bug the guy who found it has a reliable exploit and may soon publish it.

It also sounds from the communication from the PHP devs that this may not get a fix for the 7.3 version. It's probably possible to backport a patch, but given PHP 7.3 security support officially ends in less than 2 months (and as this vuln shows inofficially already ended), maybe early deprecation of PHP 7.3 is the way to go here.

This is fixed in 7.4.25 (not in portage yet) and 8.0.12 (already in portage, needs to be stabilized).
Comment 1 Larry the Git Cow gentoo-dev 2021-10-22 16:57:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59978b5ae90bdad9d705ece171cd0d92e676e913

commit 59978b5ae90bdad9d705ece171cd0d92e676e913
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-10-22 16:57:17 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-10-22 16:57:17 +0000

    dev-lang/php: Version bump for 7.4.25
    
    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.25.ebuild | 745 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 746 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-22 19:01:15 UTC
Please file a stablereq when ready.
Comment 3 Larry the Git Cow gentoo-dev 2021-10-25 14:42:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fb720cfe0c62387092106e1ec5c494ad82cc07f

commit 6fb720cfe0c62387092106e1ec5c494ad82cc07f
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-10-25 14:41:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-10-25 14:41:47 +0000

    dev-lang/php: Revbump 7.3.31 for CVE-2021-21703 security patch
    
    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/files/php73-CVE2021-21703.patch | 397 ++++++++++++++
 dev-lang/php/php-7.3.31-r1.ebuild            | 754 +++++++++++++++++++++++++++
 2 files changed, 1151 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-06 01:47:54 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2021-11-07 13:07:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73896251628db98d15c64aa65aac004c24b0e38a

commit 73896251628db98d15c64aa65aac004c24b0e38a
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-11-07 13:03:02 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-11-07 13:03:02 +0000

    dev-lang/php: Clean up vunlernable versions
    
    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest             |   4 -
 dev-lang/php/php-7.3.31-r1.ebuild | 754 -------------------------------------
 dev-lang/php/php-7.3.31.ebuild    | 758 --------------------------------------
 dev-lang/php/php-7.4.24.ebuild    | 750 -------------------------------------
 dev-lang/php/php-8.0.11.ebuild    | 749 -------------------------------------
 dev-lang/php/php-8.1.0_rc2.ebuild | 749 -------------------------------------
 6 files changed, 3764 deletions(-)