Summary: | <dev-lang/php-{7.3.33,7.4.26}: special character breaks path in xml parsing | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mjo, php-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.php.net/bug.php?id=79971 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2021-11-18 15:40:04 UTC
(In reply to John Helmert III from comment #0) > Not much insight as to security impact here, "special character is breaking > the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please > stabilize when ready. Personally think this CVE is a bit silly. Reporter claims that "%00" added to the end of an XML file load should fail when it is just stripped after decoding. Waiting on 8.0 slot to appear before continuing (In reply to Brian Evans from comment #1) > (In reply to John Helmert III from comment #0) > > Not much insight as to security impact here, "special character is breaking > > the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please > > stabilize when ready. > > Personally think this CVE is a bit silly. Reporter claims that "%00" added > to the end of an XML file load should fail when it is just stripped after > decoding. Waiting on 8.0 slot to appear before continuing That was my perception too, but wanted to wait for maintainer feedback. Reporter does say "If this patch has been implemented then I would like to request CVE for this please. It would be helpful for my resume/CV", which doesn't bode well for the validity of the "vulnerability". Oops, tree is clean. All done. |