openEuler 20.03 LTS update for php



Published: 2020-12-30
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-7063
CWE-ID CWE-276
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		openEuler
Operating systems & Components / Operating system

php-enchant
Operating systems & Components / Operating system package or component

php-mbstring
Operating systems & Components / Operating system package or component

php-snmp
Operating systems & Components / Operating system package or component

php-soap
Operating systems & Components / Operating system package or component

php-bcmath
Operating systems & Components / Operating system package or component

php-process
Operating systems & Components / Operating system package or component

php-tidy
Operating systems & Components / Operating system package or component

php-embedded
Operating systems & Components / Operating system package or component

php-odbc
Operating systems & Components / Operating system package or component

php-json
Operating systems & Components / Operating system package or component

php-mysqlnd
Operating systems & Components / Operating system package or component

php-opcache
Operating systems & Components / Operating system package or component

php-cli
Operating systems & Components / Operating system package or component

php-intl
Operating systems & Components / Operating system package or component

php-pgsql
Operating systems & Components / Operating system package or component

php-xml
Operating systems & Components / Operating system package or component

php-common
Operating systems & Components / Operating system package or component

php-devel
Operating systems & Components / Operating system package or component

php-xmlrpc
Operating systems & Components / Operating system package or component

php-recode
Operating systems & Components / Operating system package or component

php-gmp
Operating systems & Components / Operating system package or component

php-dba
Operating systems & Components / Operating system package or component

php-dbg
Operating systems & Components / Operating system package or component

php-debugsource
Operating systems & Components / Operating system package or component

php-fpm
Operating systems & Components / Operating system package or component

php-help
Operating systems & Components / Operating system package or component

php-debuginfo
Operating systems & Components / Operating system package or component

php-gd
Operating systems & Components / Operating system package or component

php-pdo
Operating systems & Components / Operating system package or component

php-ldap
Operating systems & Components / Operating system package or component

php
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Incorrect default permissions

EUVDB-ID: #VU25592

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7063

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect default permissions for files and folders that are set during the Phar::buildFromIterator() call when adding files into tar archive. A local user can extract files from tar archive and gain access to otherwise restricted information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS

php-enchant: before 7.2.10-8

php-mbstring: before 7.2.10-8

php-snmp: before 7.2.10-8

php-soap: before 7.2.10-8

php-bcmath: before 7.2.10-8

php-process: before 7.2.10-8

php-tidy: before 7.2.10-8

php-embedded: before 7.2.10-8

php-odbc: before 7.2.10-8

php-json: before 7.2.10-8

php-mysqlnd: before 7.2.10-8

php-opcache: before 7.2.10-8

php-cli: before 7.2.10-8

php-intl: before 7.2.10-8

php-pgsql: before 7.2.10-8

php-xml: before 7.2.10-8

php-common: before 7.2.10-8

php-devel: before 7.2.10-8

php-xmlrpc: before 7.2.10-8

php-recode: before 7.2.10-8

php-gmp: before 7.2.10-8

php-dba: before 7.2.10-8

php-dbg: before 7.2.10-8

php-debugsource: before 7.2.10-8

php-fpm: before 7.2.10-8

php-help: before 7.2.10-8

php-debuginfo: before 7.2.10-8

php-gd: before 7.2.10-8

php-pdo: before 7.2.10-8

php-ldap: before 7.2.10-8

php: before 7.2.10-8

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1109


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###