CVE-2021-21707

Name	CVE-2021-21707
Description	In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3243-1, DSA-5082-1, ELA-775-1, ELA-777-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
php5 (PTS)	jessie, jessie (lts)	5.6.40+dfsg-0+deb8u18	fixed
php7.0 (PTS)	stretch (security)	7.0.33-0+deb9u12	vulnerable
	stretch (lts), stretch	7.0.33-0+deb9u16	fixed
php7.3 (PTS)	buster	7.3.31-1~deb10u1	vulnerable
	buster (security)	7.3.31-1~deb10u5	fixed
php7.4 (PTS)	bullseye	7.4.33-1+deb11u4	fixed
	bullseye (security)	7.4.33-1+deb11u5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
php5	source	jessie	5.6.40+dfsg-0+deb8u16	ELA-777-1
php5	source	(unstable)	(unfixed)
php7.0	source	stretch	7.0.33-0+deb9u13	ELA-775-1
php7.0	source	(unstable)	(unfixed)
php7.3	source	buster	7.3.31-1~deb10u2	DLA-3243-1
php7.3	source	(unstable)	(unfixed)
php7.4	source	bullseye	7.4.28-1+deb11u1	DSA-5082-1
php7.4	source	(unstable)	7.4.26-1
php8.0	source	(unstable)	(unfixed)
php8.1	source	(unstable)	8.1.0-1

Notes

[stretch] - php7.0 <no-dsa> (Minor issue, fix along with next DLA)
Fixed in 8.1.0, 8.0.13, 7.4.26, 7.3.33
PHP Bug: https://bugs.php.net/79971
https://github.com/php/php-src/commit/f15f8fc573eb38c3c73e23e0930063a6f6409ed4