Bug 1188035 - (CVE-2021-21704) VUL-0: CVE-2021-21704: php53,php7,php72,php5,php74: security issues in pdo_firebase module
(CVE-2021-21704)
VUL-0: CVE-2021-21704: php53,php7,php72,php5,php74: security issues in pdo_fi...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/303436/
CVSSv3.1:SUSE:CVE-2021-21704:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-07-06 11:16 UTC by Robert Frohl
Modified: 2021-08-20 13:55 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Robert Frohl 2021-07-06 12:07:47 UTC
tracking these as affected(some only partially):

- SUSE:SLE-11:Update/php5
- SUSE:SLE-12:Update/php5

- SUSE:SLE-11-SP3:Update/php53

- SUSE:SLE-12:Update/php7
- SUSE:SLE-15:Update/php7
- SUSE:SLE-15-SP2:Update/php7

- SUSE:SLE-12:Update/php72

- SUSE:SLE-12:Update/php74
Comment 2 Petr Gajdos 2021-07-09 10:51:52 UTC
This resembles rather circular definition, so sorry for the question. 

It is bit unusual that four upstream bugs get one CVE without any reasons given. There is only one piece of information in the redhat bug, only one commit related to upstream bug 76449 and nothing more. Unfortunately none of the other references actually work.

Could you please be more specific what do you want actually?
Comment 3 Robert Frohl 2021-07-12 08:46:50 UTC
(In reply to Petr Gajdos from comment #2)
> This resembles rather circular definition, so sorry for the question. 
> 
> It is bit unusual that four upstream bugs get one CVE without any reasons
> given. There is only one piece of information in the redhat bug, only one
> commit related to upstream bug 76449 and nothing more. 

Yes, I agree that this is a strange assignment.

> Unfortunately none of the other references actually work.

What do you mean by this ? Each bug had a patch in the comments.

76449 -> https://github.com/php/php-src/commit/08da7c73726f7b86b67d6f0ff87c73c585a7834a
76450 -> https://github.com/php/php-src/commit/bcbf8aa0c96d8d9e81ec3428232485555fae0b37
76452 -> https://github.com/php/php-src/commit/286162e9b03071c4308e7e92597bca4239f49d89
76448 -> https://github.com/php/php-src/commit/67afa32541ebc4abbf633cb1e7e879b2fbb616ad

I assumed that they are all relevant.

> 
> Could you please be more specific what do you want actually?

I thought to take the patches which apply to the codesteams and apply them, as all bugs seem to have security implications. So take as much of the patches as possible.

Please let me know if I missed something where this would not make sense.
Comment 4 Petr Gajdos 2021-08-02 13:05:07 UTC
(In reply to Robert Frohl from comment #3)
> (In reply to Petr Gajdos from comment #2)
> > This resembles rather circular definition, so sorry for the question. 
> Yes, I agree that this is a strange assignment.
> [..]
> 
> > Unfortunately none of the other references actually work.
> 
> What do you mean by this ? Each bug had a patch in the comments.

My point is:

(In reply to Robert Frohl from comment #0)
> rh#1978790
[..] 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1978790
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21704
---> CVE not found
> http://www.debian.org/security/-1/dsa-4935
---> page not found

So it seems that only authoritative source is the redhat bug. If you look at comment 3 in the very same bug, then there are only one commit listed.

> 76449 ->
> https://github.com/php/php-src/commit/
> 08da7c73726f7b86b67d6f0ff87c73c585a7834a
> 76450 ->
> https://github.com/php/php-src/commit/
> bcbf8aa0c96d8d9e81ec3428232485555fae0b37
> 76452 ->
> https://github.com/php/php-src/commit/
> 286162e9b03071c4308e7e92597bca4239f49d89
> 76448 ->
> https://github.com/php/php-src/commit/
> 67afa32541ebc4abbf633cb1e7e879b2fbb616ad
> 
> I assumed that they are all relevant.

I was just curious what led you to this conclusion, i.e. at least it seems to me that the description of redhat bug and your interpretation are in conflict with third comment of the redhat bug. So I was wondering whether and where there is some noise on the channel as the CVE assignment seems to be strange, as you said yourself. And there's little of other info around.

> I thought to take the patches which apply to the codesteams and apply them,
> as all bugs seem to have security implications. So take as much of the
> patches as possible.

All right, I will include all fixes as a CVE-2021-21704 patch.
Comment 5 Petr Gajdos 2021-08-02 13:11:17 UTC
(In reply to Robert Frohl from comment #1)
> tracking these as affected(some only partially):
> 
> - SUSE:SLE-11:Update/php5
> - SUSE:SLE-12:Update/php5
> 
> - SUSE:SLE-11-SP3:Update/php53
> 
> - SUSE:SLE-12:Update/php7
> - SUSE:SLE-15:Update/php7
> - SUSE:SLE-15-SP2:Update/php7
> 
> - SUSE:SLE-12:Update/php72
> 
> - SUSE:SLE-12:Update/php74

I think we ship php-firebird nowhere else than in 15sp2/php7. Despite that fact, I will submit it into 15/php7, 12/php74, 12/php72, where is a, even if little, chance that we would enable and ship firebird extension in the future.

In case I am mistaken, please let me know.
Comment 6 Petr Gajdos 2021-08-02 13:48:22 UTC
Submitted for 15sp2,15/php7, 12/php74 and 12/php72.

I believe all fixed.
Comment 8 Swamp Workflow Management 2021-08-06 13:26:16 UTC
SUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    php7-7.4.6-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-08-06 13:27:28 UTC
openSUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    php7-7.4.6-3.22.1
Comment 10 Swamp Workflow Management 2021-08-06 13:28:44 UTC
SUSE-SU-2021:2636-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.6-1.24.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.6-1.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-08-06 13:37:20 UTC
SUSE-SU-2021:2638-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188035
CVE References: CVE-2021-21704
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.66.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-08-10 13:48:38 UTC
openSUSE-SU-2021:1130-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php7-7.4.6-lp152.2.18.1, php7-test-7.4.6-lp152.2.18.1
Comment 13 Swamp Workflow Management 2021-08-20 13:26:40 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:2795-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188035
CVE References: CVE-2021-21704
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    php7-7.2.5-4.79.1
Comment 14 Swamp Workflow Management 2021-08-20 13:55:20 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2795-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188035
CVE References: CVE-2021-21704
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    php7-7.2.5-4.79.1
SUSE Manager Retail Branch Server 4.0 (src):    php7-7.2.5-4.79.1
SUSE Manager Proxy 4.0 (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise Server for SAP 15 (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise Server 15-LTSS (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    php7-7.2.5-4.79.1
SUSE Enterprise Storage 6 (src):    php7-7.2.5-4.79.1
SUSE CaaS Platform 4.0 (src):    php7-7.2.5-4.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.