#1006672 php8.1: CVE-2021-21708

Package:
src:php8.1
Source:
php8.1
Submitter:
Salvatore Bonaccorso
Date:
2022-07-09 13:06:08 UTC
Severity:
grave
Tags:
#1006672#5
Date:
2022-03-02 06:15:42 UTC
From:
To:
Hi,

The following vulnerability was published for php8.1.

CVE-2021-21708[0]:
| In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x
| below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT
| filter and min/max limits, if the filter fails, there is a possibility
| to trigger use of allocated memory after free, which can result it
| crashes, and potentially in overwrite of other memory chunks and RCE.
| This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max
| limits.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
[1] https://bugs.php.net/81708

Regards,
Salvatore
#1006672#16
Date:
2022-07-09 13:01:53 UTC
From:
To:
close 1006672 8.1.5-1
thanks

8.1.3-1 is listed in debian/changelog closing this bug but apparently this
never reached the archive. 8.1.5-1 was then the first version hitting unstable
closing the bug.