Missing check in node_is_equal_ex function in ext/soap/php_xml.c leads to a NULL pointer dereference. Reference: https://bugs.php.net/bug.php?id=80672
Created php tracking bugs for this issue: Affects: fedora-all [bug 1925273]
Upstream fix: http://git.php.net/?p=php-src.git;a=commit;h=3c939e3f69955d087e0bb671868f7267dfb2a502
Statement: This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the SOAP client.
While parsing a WSDL document via load_wsdl(), SoapClient ended up calling node_is_equal_ex() with a NULL node name. The node_is_equal_ex() function compares the name of an xmlNode with an argument string: `strcmp((char*)node->name, name)`. This could result in a NULL pointer dereference in strcmp() when node->name is NULL:

==28500== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==28500== Access not within mapped region at address 0x0
==28500== at 0x4C353B4: strcmp (vg_replace_strmem.c:849)
==28500== by 0x19AFC66D: node_is_equal_ex (php_xml.c:223)
==28500== by 0x19AF8625: load_wsdl_ex (php_sdl.c:370)
==28500== by 0x19AF8B6D: load_wsdl (php_sdl.c:741)
==28500== by 0x19AF9E88: get_sdl (php_sdl.c:3313)
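The unchecked comparison described in the comment above, next to a guarded form, as an added example that is not the upstream patch or code from php-src. The `demo_node` struct and all function names are hypothetical stand-ins, and the sibling list is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the xmlNode fields involved; not libxml2's type. */
struct demo_node {
    const char *name;        /* may be NULL, as in the report */
    struct demo_node *next;  /* next sibling */
};

/* Pattern quoted in the report: passes node->name to strcmp() unconditionally.
 * Kept for comparison; only safe to call when node->name is non-NULL. */
int name_equal_unchecked(const struct demo_node *node, const char *name)
{
    return strcmp(node->name, name) == 0;
}

/* Guarded form: a missing node, node name or search name is treated as
 * "no match" (a choice made for this example) instead of reaching strcmp(). */
int name_equal_checked(const struct demo_node *node, const char *name)
{
    if (node == NULL || name == NULL || node->name == NULL)
        return 0;
    return strcmp(node->name, name) == 0;
}

/* Walk a sibling list, counting nodes whose name matches. */
int count_named(const struct demo_node *first, const char *name)
{
    int hits = 0;
    for (const struct demo_node *n = first; n != NULL; n = n->next)
        hits += name_equal_checked(n, name);
    return hits;
}

/* Constructed sample list: "types" -> (NULL name) -> "message" -> "types". */
int demo_count(const char *name)
{
    struct demo_node d = { "types", NULL };
    struct demo_node c = { "message", &d };
    struct demo_node b = { NULL, &c };
    struct demo_node a = { "types", &b };
    return count_named(&a, name);
}

int main(void)
{
    printf("types=%d message=%d\n", demo_count("types"), demo_count("message"));
    return 0;
}
```

Swapping `name_equal_unchecked` into `count_named` makes the walk pass a NULL pointer to `strcmp()` at the second node, which is the condition the Valgrind trace records.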
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2992 https://access.redhat.com/errata/RHSA-2021:2992
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21702
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4213 https://access.redhat.com/errata/RHSA-2021:4213