Ubuntu
php7.4 package

CVE-2021-21703: PHP-FPM oob R/W in root process leading to privilege escalation

Bug #1948957 reported by Johannes Rohr on 2021-10-27

262

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	php7.4 (Ubuntu)	Fix Released	Undecided	Leonidas S. Barbosa

Here is a detailed description.

I guess you just have to take the fixes from Debian

Johannes Rohr (jorohr) on 2021-10-27

information type:

Private Security → Public Security

Revision history for this message

Leonidas S. Barbosa (leosilvab) wrote on 2021-10-27:

Hi Johannes,

It'll be published today.

Thanks

Changed in php7.4 (Ubuntu):
status:	New → In Progress
assignee:	nobody → Leonidas S. Barbosa (leosilvab)

Revision history for this message

Johannes Rohr (jorohr) wrote on 2021-10-27:

Hi,thanks Leonidas, you mean, the fixed packages will be out today? Great!

Revision history for this message

hanshenrik (hanshenrik) wrote on 2021-12-05:

just installed php-fpm + nginx on a 20.04 system today (2021-12-05) which installed 7.4.3-4ubuntu2.7 , which seems vulnerable, POC code still causes segfaults: https://github.com/cfreal/exploits/blob/master/php-SplDoublyLinkedList-offsetUnset/exploit.php

i don't think this is fixed yet? at least not on 20.04

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2022-05-27:

Since the changelog for this fix had no mentions to this bug, and as per Marc's comments on https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/1953244, I am closing this as fixed.

Changed in php7.4 (Ubuntu):
status:	In Progress → Fix Released

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Bug watches keep track of this bug in other bug trackers.