Bug 1180706 (CVE-2020-7071)

Summary: VUL-0: CVE-2020-7071: php5,php74,php72,php53,php7: FILTER_VALIDATE_URL accepts URLs with invalid userinfo
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: pgajdos, smash_bz, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/274923/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-7071:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: POC

Description Alexandros Toptsoglou 2021-01-08 16:11:55 UTC
CVE-2020-7071

A flaw was found in PHP in the way the function parse_url() returns an erroneous host, which would be valid for `FILTER_VALIDATE_URL`.

Reference:
https://bugs.php.net/bug.php?id=77423

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1913846
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7071
Comment 1 Alexandros Toptsoglou 2021-01-08 16:14:28 UTC
Created attachment 844947
POC

run php $POC 

vulnerable: 

string(33) "http://php.net\@aliyun.com/aaa.do"
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(10) "aliyun.com"
  ["user"]=>
  string(8) "php.net\"
  ["path"]=>
  string(7) "/aaa.do"
}
string(34) "https://example.com\uFF03@bing.com"
array(3) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(8) "bing.com"
  ["user"]=>
  string(17) "example.com\uFF03"
}

Fixed: 

bool(false)
array(3) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(19) "php.net\@aliyun.com"
  ["path"]=>
  string(7) "/aaa.do"
}
bool(false)
array(2) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(26) "example.com\uFF03@bing.com"
}
Comment 2 Alexandros Toptsoglou 2021-01-08 16:17:35 UTC
Tracked all supported PHP versions as affected.
Comment 3 Alexandros Toptsoglou 2021-01-08 16:18:10 UTC
Upstream issue 

https://bugs.php.net/bug.php?id=77423
Comment 4 Petr Gajdos 2021-01-11 12:08:40 UTC
BEFORE

As said in comment 1:

7.4,7.2,5.3,5.2

$ php phptest.php
string(33) "http://php.net\@aliyun.com/aaa.do"
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(10) "aliyun.com"
  ["user"]=>
  string(8) "php.net\"
  ["path"]=>
  string(7) "/aaa.do"
}
string(34) "https://example.com\uFF03@bing.com"
array(3) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(8) "bing.com"
  ["user"]=>
  string(17) "example.com\uFF03"
}
$


PATCH

http://git.php.net/?p=php-src.git;a=commit;h=b132da7f9df39c1774997f21016c522b676a6ab0
http://git.php.net/?p=php-src.git;a=commit;h=2d3d72412a6734e19a38ed10f385227a6238e4a6

QA: note the change of the testsuite


AFTER

As said in comment 1:

7.4,7.2,5.3,5.2

$ php phptest.php
bool(false)
array(3) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(19) "php.net\@aliyun.com"
  ["path"]=>
  string(7) "/aaa.do"
}
bool(false)
array(2) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(26) "example.com\uFF03@bing.com"
}
$
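
Added example (not part of the bug report, the attached POC, or php-src): a PHP 7+ check that uses the two URLs from the output above to tell whether the running build shows the "Fixed" behaviour, plus an application-side gate that refuses such URLs regardless of patch level. The function names `filter_is_patched` and `is_allowed_url` and the allow-list are assumptions made for illustration.

```php
<?php
// Added example: not from the bug report, the attached POC, or php-src.
// Single-quoted so "\@" and "\uFF03" stay literal, as in the report's output.
const POC_URLS = [
    'http://php.net\@aliyun.com/aaa.do',
    'https://example.com\uFF03@bing.com',
];

// True when this PHP build rejects both POC URLs (the "Fixed" behaviour).
function filter_is_patched(): bool
{
    foreach (POC_URLS as $url) {
        if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
            return false;
        }
    }
    return true;
}

// Hypothetical application-side gate that holds on patched and unpatched builds.
function is_allowed_url(string $url, array $allowedHosts): bool
{
    // Reject backslashes, whitespace, control and non-ASCII bytes up front.
    if (strpos($url, '\\') !== false || preg_match('/[^\x21-\x7E]/', $url)) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Userinfo is never needed for an allow-listed web target: refuse it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allow = ['aliyun.com', 'bing.com']; // constructed allow-list
var_dump(filter_is_patched());
foreach (POC_URLS as $url) {
    var_dump(is_allowed_url($url, $allow));
}
var_dump(is_allowed_url('https://bing.com/search', $allow));
```

The gate rejects both POC URLs even though the constructed allow-list contains the hosts that an unpatched `parse_url()` reports for them.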
Comment 5 Petr Gajdos 2021-01-11 12:11:56 UTC
Submitted for 15sp2/php7,15/php7,12/php74,12/php72,11sp3/php53,11/php5 and devel:languages:php:php56/php5.
Comment 6 Petr Gajdos 2021-01-11 12:12:21 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2021-01-14 14:24:47 UTC
SUSE-SU-2021:0124-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    php7-7.4.6-3.14.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    php7-7.4.6-3.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-01-14 14:25:53 UTC
SUSE-SU-2021:0125-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.57.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.57.1
Comment 10 Swamp Workflow Management 2021-01-14 14:27:56 UTC
SUSE-SU-2021:0126-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.6-1.16.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.6-1.16.1
Comment 11 Swamp Workflow Management 2021-01-17 23:18:36 UTC
openSUSE-SU-2021:0101-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.39.1, php7-test-7.2.5-lp151.6.39.1
Comment 12 Swamp Workflow Management 2021-01-18 14:18:31 UTC
openSUSE-SU-2021:0106-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php7-7.4.6-lp152.2.12.1, php7-test-7.4.6-lp152.2.12.1