Thanks for reporting this issue, but the exploit linked above is not the
exploit for CVE-2021-21703, but an exploit for an unfixed use-after-free
in SplDoublyLinkedList which upstream doesn't consider to be a security
issue. It can be used to escape the sandbox, which is why it was used as
the first step in the proof of concept for the CVE-2021-21703 bug.
I would expect php to still crash when that particular exploit is run
against it, but the bug that caused CVE-2021-21703 should no longer be
exploitable.
** Changed in: php7.4 (Ubuntu)
Status: New => Incomplete
--
https://bugs.launchpad.net/bugs/1953244
Title:
CVE-2021-21703 POC still cause segfault on php-fpm 7.4.3-4ubuntu2.7