Unrated severity · NVD Advisory · Published Sep 9, 2020 · Updated Sep 17, 2024
Use of freed hash key in the phar_parse_zipfile function
CVE-2020-7068
Description
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using the phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
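An added example, not part of the advisory or of PHP's own code: a triage helper that classifies a reported PHP_VERSION string against the affected ranges above, using the same PHP_VERSION_ID arithmetic as configure.ac. The function names, result labels and sample version strings are constructed here; treating a pre-release build of a fixed version as affected, and flagging distribution-suffixed versions for vendor review, are assumptions.

```python
import re

# First fixed release per branch, taken from the advisory description.
FIXED_RELEASE = {(7, 2): 33, (7, 3): 21, (7, 4): 9}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
# Upstream pre-release suffixes such as "-dev" or "RC1".
_PRERELEASE_RE = re.compile(r"^-?(dev|alpha\d*|beta\d*|rc\d*)$", re.IGNORECASE)


def php_version_id(major, minor, release):
    """Same arithmetic as the PHP_VERSION_ID expr in configure.ac."""
    return major * 10000 + minor * 100 + release


def classify(version):
    """Classify a PHP_VERSION string for CVE-2020-7068 triage."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, release = (int(g) for g in m.group(1, 2, 3))
    extra = m.group(4)
    if (major, minor) not in FIXED_RELEASE:
        return "not-listed"  # branch outside the three the advisory names
    vid = php_version_id(major, minor, release)
    fixed_id = php_version_id(major, minor, FIXED_RELEASE[(major, minor)])
    prerelease = bool(_PRERELEASE_RE.match(extra))
    if vid > fixed_id:
        return "fixed"
    if vid == fixed_id:
        # Assumption: the page does not say whether "-dev"/"RC" builds of the
        # fixed version carry the fix, so count them as affected.
        return "affected" if prerelease else "fixed"
    if extra and not prerelease:
        # Assumption: any other suffix is a distribution package revision;
        # vendors may backport fixes, so the upstream number cannot decide.
        return "check-vendor-package"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inventory.
    for v in ["7.4.8", "7.4.9-dev", "7.3.21RC1", "7.2.33", "7.2.24-0ubuntu0.18.04.17"]:
        print(v, classify(v))
```

A "check-vendor-package" result should be resolved against the distribution's own advisory, such as the Debian and Gentoo advisories this page references.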
Affected products (1)
Patches (3)
b9ca291efb24 Update versions for PHP 7.4.9
2 files changed · +3 −3
configure.ac+1 −1 modified@@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice. dnl ---------------------------------------------------------------------------- AC_PREREQ([2.68]) -AC_INIT([PHP],[7.4.9-dev],[https://bugs.php.net],[php],[https://www.php.net]) +AC_INIT([PHP],[7.4.9],[https://bugs.php.net],[php],[https://www.php.net]) AC_CONFIG_SRCDIR([main/php_version.h]) AC_CONFIG_AUX_DIR([build]) AC_PRESERVE_HELP_ORDER
main/php_version.h+2 −2 modified@@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 4 #define PHP_RELEASE_VERSION 9 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "7.4.9-dev" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "7.4.9" #define PHP_VERSION_ID 70409
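Review bot: Nothing in this commit touches the phar extension: configure.ac and main/php_version.h only drop the "-dev" suffix from 7.4.9, so the change marks the release that ships the fix rather than the fix to phar_parse_zipfile itself. List the commit that changes the zip parsing code alongside it, so readers can review the actual memory-safety change.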
1ff373e57010 Update versions for PHP 7.2.33
2 files changed · +6 −6
configure.ac+2 −2 modified@@ -107,8 +107,8 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=2 -PHP_RELEASE_VERSION=32 -PHP_EXTRA_VERSION="-dev" +PHP_RELEASE_VERSION=33 +PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
main/php_version.h+4 −4 modified@@ -2,7 +2,7 @@ /* edit configure.ac to change version number */ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 2 -#define PHP_RELEASE_VERSION 32 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "7.2.32-dev" -#define PHP_VERSION_ID 70232 +#define PHP_RELEASE_VERSION 33 +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "7.2.33" +#define PHP_VERSION_ID 70233
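Review bot: main/php_version.h carries the comment "edit configure.ac to change version number", so the four defines changed here should be regenerated from the configure.ac hunk, not edited by hand. They do agree with its expr (7 * 10000 + 2 * 100 + 33 = 70233), which makes PHP_VERSION_ID >= 70233 a usable test for the fixed 7.2 build.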
4 files changed · +5 −5
configure.ac+1 −1 modified@@ -108,7 +108,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=3 PHP_RELEASE_VERSION=21 -PHP_EXTRA_VERSION="RC1" +PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
main/php_version.h+2 −2 modified@@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 3 #define PHP_RELEASE_VERSION 21 -#define PHP_EXTRA_VERSION "RC1" -#define PHP_VERSION "7.3.21RC1" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "7.3.21" #define PHP_VERSION_ID 70321
NEWS+1 −1 modified@@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -23 Jul 2020, PHP 7.3.21RC1 +06 Aug 2020, PHP 7.3.21 - Apache: . Fixed bug #79030 (Upgrade apache2handler's php_apache_sapi_get_request_time
Zend/zend.h+1 −1 modified@@ -20,7 +20,7 @@ #ifndef ZEND_H #define ZEND_H -#define ZEND_VERSION "3.3.21RC1" +#define ZEND_VERSION "3.3.21" #define ZEND_ENGINE_3
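Review bot: The NEWS hunk only rewrites the release heading from "23 Jul 2020, PHP 7.3.21RC1" to "06 Aug 2020, PHP 7.3.21", and the one entry visible in its context is the Apache fix for bug #79030, so these lines do not show that the phar fix is recorded for 7.3.21. Confirm NEWS has an entry for the phar bug before relying on this commit as the 7.3 patch reference; the ZEND_VERSION change to "3.3.21" in Zend/zend.h is consistent with the other three files.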
References (5)
- security.gentoo.org/glsa/202009-10 (mitre, vendor-advisory, x_refsource_GENTOO)
- www.debian.org/security/2021/dsa-4856 (mitre, vendor-advisory, x_refsource_DEBIAN)
- bugs.php.net/bug.php (mitre, x_refsource_MISC)
- security.netapp.com/advisory/ntap-20200918-0005/ (mitre, x_refsource_CONFIRM)
- www.tenable.com/security/tns-2021-14 (mitre, x_refsource_CONFIRM)