CVE-2020-7059

Published: 10 February 2020

When using the fgetss() function to read data with tag stripping, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or a crash.

Priority

Medium

CVSS 3 base score: 9.1

Status

Package / Release / Status

php5 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Released (5.5.9+dfsg-1ubuntu4.29+esm10)
  Patches:
    Upstream: https://github.com/microsoft/php-src/commit/9db5a8f58dd26d547cf530beeb41155d97e700f0

php7.0 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus): Released (7.0.33-0ubuntu0.16.04.11)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

php7.2 (Launchpad, Ubuntu, Debian)
  Upstream: Released (7.2.27)
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Released (7.2.24-0ubuntu0.18.04.3)
  Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: http://git.php.net/?p=php-src.git;a=commit;h=0f79b1bf301f455967676b5129240140c5c45b09

php7.3 (Launchpad, Ubuntu, Debian)
  Upstream: Released (7.3.14)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (7.3.15-1)
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: http://git.php.net/?p=php-src.git;a=commit;h=0f79b1bf301f455967676b5129240140c5c45b09
    Upstream: http://git.php.net/?p=php-src.git;a=commit;h=25ec7eb3463f34a2be666c6785d1c6b3cc89575e