Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 764314 (CVE-2020-7071) - <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071)
Summary: <dev-lang/php-{7.3.26,7.4.14}: FILTER_VALIDATE_URL accepts URLs with invalid ...
Status: RESOLVED FIXED
Alias: CVE-2020-7071
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=77423
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 764356 764362 CVE-2021-21702
Blocks:
  Show dependency tree
 
Reported: 2021-01-07 14:29 UTC by Sam James
Modified: 2021-05-26 09:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-01-07 14:29:34 UTC
From the changelog for 7.3.26:
"(FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)"

Applies to the others too AFAICT.
Comment 1 Sam James archtester gentoo-dev Security 2021-01-07 14:32:01 UTC
They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.

The various patches can be found in the bug link.
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2021-01-07 14:56:03 UTC
(In reply to Sam James from comment #1)
> They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.
> 
> The various patches can be found in the bug link.

7.2 will be masked and removed since it is EOL
Comment 3 Larry the Git Cow gentoo-dev 2021-01-07 16:58:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448

commit 99f61d5e6b6a5e00e2ea44d8f89c57f5bfe61448
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-01-07 16:55:10 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-01-07 16:55:10 +0000

    dev-lang/php: Security bump for 7.4.14
    
    Bug: https://bugs.gentoo.org/764314
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.14.ebuild | 752 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 753 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2021-01-07 19:08:54 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-01-07 19:12:58 UTC Comment hidden (obsolete)
Comment 6 Rolf Eike Beer archtester 2021-01-17 12:33:03 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2021-01-21 07:41:28 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-01-24 12:11:20 UTC
x86 stable
Comment 9 Sam James archtester gentoo-dev Security 2021-01-25 14:14:16 UTC
arm64 done
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 08:01:46 UTC
ppc64 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2021-05-25 13:46:57 UTC
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:48:40 UTC
This issue was resolved and addressed in
 GLSA 202105-23 at https://security.gentoo.org/glsa/202105-23
by GLSA coordinator Thomas Deutschmann (whissi).