Candidate: CVE-2020-7067
PublicDate: 2020-04-27 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067
Description:
 In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
Ubuntu-Description:
Notes:
 mdeslaur> only an issue when CHARSET_EBCDIC is defined, which isn't the
 mdeslaur> case on any Ubuntu platforms.
Mitigation:
Bugs:
 https://bugs.php.net/79465
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_php5:
upstream_php5: needs-triage
precise/esm_php5: not-affected (code not present)
trusty_php5: ignored (out of standard support)
trusty/esm_php5: not-affected (code not present)
xenial_php5: DNE
bionic_php5: DNE
eoan_php5: DNE
devel_php5: DNE

Patches_php7.0:
upstream_php7.0: needs-triage
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: not-affected (code not present)
esm-infra/xenial_php7.0: not-affected (code not present)
bionic_php7.0: DNE
eoan_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
upstream_php7.2: needs-triage
precise/esm_php7.2: DNE
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: not-affected (code not present)
eoan_php7.2: DNE
devel_php7.2: DNE

Patches_php7.3:
upstream_php7.3: released (7.3.17)
precise/esm_php7.3: DNE
trusty_php7.3: DNE
trusty/esm_php7.3: DNE
xenial_php7.3: DNE
bionic_php7.3: DNE
eoan_php7.3: not-affected (code not present)
devel_php7.3: DNE

Patches_php7.4:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=9d6bf8221b05f86ce5875832f0f646c4c1f218be
upstream_php7.4: released (7.4.5)
precise/esm_php7.4: DNE
trusty_php7.4: DNE
trusty/esm_php7.4: DNE
xenial_php7.4: DNE
bionic_php7.4: DNE
eoan_php7.4: DNE
devel_php7.4: not-affected (code not present)