Candidate: CVE-2020-1921
PublicDate: 2021-03-10 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1921
 https://github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44ca
 https://hhvm.com/blog/2021/02/25/security-update.html
Description:
 In the crypt function, we attempt to null terminate a buffer using the size
 of the input salt without validating that the offset is within the buffer.
 This issue affects HHVM versions prior to 4.56.3, all versions between
 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions
 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_hhvm:
upstream_hhvm: needs-triage
precise/esm_hhvm: DNE
trusty_hhvm: ignored (out of standard support)
trusty/esm_hhvm: DNE
xenial_hhvm: ignored (end of standard support, was needs-triage)
bionic_hhvm: needs-triage
focal_hhvm: DNE
groovy_hhvm: DNE
hirsute_hhvm: DNE
impish_hhvm: DNE
jammy_hhvm: DNE
devel_hhvm: DNE