Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 824562 (CVE-2021-21707) - <dev-lang/php-{7.3.33,7.4.26}: special character breaks path in xml parsing
Summary: <dev-lang/php-{7.3.33,7.4.26}: special character breaks path in xml parsing
Status: IN_PROGRESS
Alias: CVE-2021-21707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=79971
Whiteboard: B4 [noglsa stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-18 15:40 UTC by John Helmert III
Modified: 2021-11-18 18:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-11-18 15:40:04 UTC
Not much insight as to security impact here, "special character is breaking the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please stabilize when ready.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2021-11-18 15:46:20 UTC
(In reply to John Helmert III from comment #0)
> Not much insight as to security impact here, "special character is breaking
> the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please
> stabilize when ready.

Personally think this CVE is a bit silly.  Reporter claims that "%00" added to the end of an XML file load should fail when it is just stripped after decoding.  Waiting on 8.0 slot to appear before continuing
Comment 2 John Helmert III gentoo-dev Security 2021-11-18 18:50:47 UTC
(In reply to Brian Evans from comment #1)
> (In reply to John Helmert III from comment #0)
> > Not much insight as to security impact here, "special character is breaking
> > the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please
> > stabilize when ready.
> 
> Personally think this CVE is a bit silly.  Reporter claims that "%00" added
> to the end of an XML file load should fail when it is just stripped after
> decoding.  Waiting on 8.0 slot to appear before continuing

That was my perception too, but wanted to wait for maintainer feedback. Reporter does say "If this patch has been implemented then I would like to request CVE for this please. It would be helpful for my resume/CV", which doesn't bode well for the validity of the "vulnerability".