Bug 819510 (CVE-2021-21703) - <dev-lang/php-{7.3.31-r1,7.4.25,8.0.12}: Privilege escalation via fpm
Status: RESOLVED FIXED
Alias: CVE-2021-21703
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=81026
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 820221
Blocks:
Reported: 2021-10-22 16:23 UTC by Hanno Böck
Modified: 2022-09-29 14:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2021-10-22 16:23:10 UTC
There's a possible privilege escalation bug in PHP, CVE-2021-21703.

This sounds quite severe and according to the upstream bug the guy who found it has a reliable exploit and may soon publish it.

It also sounds from the communication from the PHP devs that this may not get a fix for the 7.3 version. It's probably possible to backport a patch, but given PHP 7.3 security support officially ends in less than 2 months (and as this vuln shows unofficially already ended), maybe early deprecation of PHP 7.3 is the way to go here.

This is fixed in 7.4.25 (not in portage yet) and 8.0.12 (already in portage, needs to be stabilized).
Comment 1 Larry the Git Cow gentoo-dev 2021-10-22 16:57:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59978b5ae90bdad9d705ece171cd0d92e676e913

commit 59978b5ae90bdad9d705ece171cd0d92e676e913
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-10-22 16:57:17 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-10-22 16:57:17 +0000

    dev-lang/php: Version bump for 7.4.25
    
    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.25.ebuild | 745 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 746 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-22 19:01:15 UTC
Please file a stablereq when ready.
Comment 3 Larry the Git Cow gentoo-dev 2021-10-25 14:42:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fb720cfe0c62387092106e1ec5c494ad82cc07f

commit 6fb720cfe0c62387092106e1ec5c494ad82cc07f
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-10-25 14:41:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-10-25 14:41:47 +0000

    dev-lang/php: Revbump 7.3.31 for CVE-2021-21703 security patch
    
    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/files/php73-CVE2021-21703.patch | 397 ++++++++++++++
 dev-lang/php/php-7.3.31-r1.ebuild            | 754 +++++++++++++++++++++++++++
 2 files changed, 1151 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-06 01:47:54 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2021-11-07 13:07:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73896251628db98d15c64aa65aac004c24b0e38a

commit 73896251628db98d15c64aa65aac004c24b0e38a
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-11-07 13:03:02 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-11-07 13:03:02 +0000

    dev-lang/php: Clean up vulnerable versions
    
    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest             |   4 -
 dev-lang/php/php-7.3.31-r1.ebuild | 754 -------------------------------------
 dev-lang/php/php-7.3.31.ebuild    | 758 --------------------------------------
 dev-lang/php/php-7.4.24.ebuild    | 750 -------------------------------------
 dev-lang/php/php-8.0.11.ebuild    | 749 -------------------------------------
 dev-lang/php/php-8.1.0_rc2.ebuild | 749 -------------------------------------
 6 files changed, 3764 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:23:24 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-09-29 14:48:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4447c90f117a8f0928cc5e880f3cfc9fde7ee918

commit 4447c90f117a8f0928cc5e880f3cfc9fde7ee918
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-20 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/799776
    Bug: https://bugs.gentoo.org/810526
    Bug: https://bugs.gentoo.org/819510
    Bug: https://bugs.gentoo.org/833585
    Bug: https://bugs.gentoo.org/850772
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-20.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:51:59 UTC
GLSA released, all done!