PublicDateAtUSN: 2021-11-29 07:15:00 UTC
Candidate: CVE-2021-21707
PublicDate: 2021-11-29 07:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21707
 https://ubuntu.com/security/notices/USN-5300-1
 https://ubuntu.com/security/notices/USN-5300-2
 https://ubuntu.com/security/notices/USN-5300-3
Description:
 In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below
 8.0.13, certain XML parsing functions, like simplexml_load_file(),
 URL-decode the filename passed to them. If that filename contains
 URL-encoded NUL character, this may cause the function to interpret this as
 the end of the filename, thus interpreting the filename differently from
 what the user intended, which may lead it to reading a different file than
 intended.
Ubuntu-Description:
Notes:
 sbeattie> PEAR issues should go against php-pear as of xenial
Mitigation:
Bugs:
 https://bugs.php.net/79971
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_php5:
upstream_php5: needs-triage
trusty_php5: ignored (out of standard support)
trusty/esm_php5: needed
xenial_php5: DNE
bionic_php5: DNE
focal_php5: DNE
hirsute_php5: DNE
impish_php5: DNE
jammy_php5: DNE
devel_php5: DNE

Patches_php7.0:
 upstream: https://github.com/php/php-src/commit/f15f8fc573eb38c3c73e23e0930063a6f6409ed4
upstream_php7.0: needed
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: ignored (end of standard support, was needed)
esm-infra/xenial_php7.0: released (7.0.33-0ubuntu0.16.04.16+esm3)
bionic_php7.0: DNE
focal_php7.0: DNE
hirsute_php7.0: DNE
impish_php7.0: DNE
jammy_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
upstream_php7.2: needs-triage
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: released (7.2.24-0ubuntu0.18.04.11)
focal_php7.2: DNE
hirsute_php7.2: DNE
impish_php7.2: DNE
jammy_php7.2: DNE
devel_php7.2: DNE

Patches_php7.4:
upstream_php7.4: released (7.4.26)
trusty_php7.4: DNE
trusty/esm_php7.4: DNE
xenial_php7.4: DNE
bionic_php7.4: DNE
focal_php7.4: released (7.4.3-4ubuntu2.10)
hirsute_php7.4: ignored (reached end-of-life)
impish_php7.4: DNE
jammy_php7.4: DNE
devel_php7.4: DNE

Patches_php8.0:
 upstream: https://github.com/php/php-src/commit/f15f8fc573eb38c3c73e23e0930063a6f6409ed4
upstream_php8.0: released (8.0.13)
trusty_php8.0: DNE
trusty/esm_php8.0: DNE
xenial_php8.0: DNE
bionic_php8.0: DNE
focal_php8.0: DNE
hirsute_php8.0: DNE
impish_php8.0: released (8.0.8-1ubuntu0.3)
jammy_php8.0: DNE
devel_php8.0: DNE

Patches_php8.1:
upstream_php8.1: needs-triage
precise/esm_php8.1: DNE
trusty_php8.1: DNE
trusty/esm_php8.1: DNE
xenial_php8.1: DNE
bionic_php8.1: DNE
focal_php8.1: DNE
groovy_php8.1: DNE
hirsute_php8.1: DNE
impish_php8.1: DNE
jammy_php8.1: not-affected (8.1.0-1)
devel_php8.1: not-affected (8.1.0-1)