Your submission was sent successfully! Close

CVE-2020-7067

Published: 27 April 2020

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Notes

AuthorNote
mdeslaur
only an issue when CHARSET_EBCDIC is defined, which isn't the
case on any Ubuntu platforms.
Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

precise Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Does not exist

php7.0
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not present)
php7.2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
eoan Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

php7.3
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist

upstream
Released (7.3.17)
xenial Does not exist

php7.4
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (7.4.5)
xenial Does not exist

Patches:
upstream: http://git.php.net/?p=php-src.git;a=commit;h=9d6bf8221b05f86ce5875832f0f646c4c1f218be