Bug 1154999 (CVE-2019-11043)

Summary: VUL-0: CVE-2019-11043: php5,php72,php7,php53: env_path_info underflow in fpm_main.c can lead to RCE
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: meissner, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/245741/
Whiteboard: CVSSv3:SUSE:CVE-2019-11043:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2019-11043:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Alexandros Toptsoglou 2019-10-24 13:45:39 UTC 
Tracked as affected: 

php72
php7 
php53 in SLE11-SP3
php5 in SLE12 

php5 in SLE11-SP1 and SLE10-SP3 ASFAICS do not ship the php-fpm

In comment 0 the upstream bug report and the fix are available.
Comment 3 Petr Gajdos 2019-10-25 09:50:30 UTC 
Packages submitted for: 15/php7,12/php72,12/php7,11sp3/php53.
Comment 4 Petr Gajdos 2019-10-25 09:57:29 UTC 
Fixed also in devel:languages:php:php56/php5.
Comment 7 Swamp Workflow Management 2019-10-29 17:14:17 UTC 
SUSE-SU-2019:2809-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.88.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.88.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-10-30 14:12:03 UTC 
SUSE-SU-2019:2819-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-11-05 20:46:57 UTC 
openSUSE-SU-2019:2441-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.13.1, php7-test-7.2.5-lp151.6.13.1
Comment 10 Swamp Workflow Management 2019-11-06 17:12:38 UTC 
SUSE-SU-2019:2909-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.29.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.29.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-11-09 17:13:01 UTC 
openSUSE-SU-2019:2457-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.29.2, php7-test-7.2.5-lp150.2.29.2
Comment 12 Petr Gajdos 2020-02-10 14:52:17 UTC 
Submitted also for 12/php5.
Comment 15 Swamp Workflow Management 2020-02-28 14:26:19 UTC 
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Alexandros Toptsoglou 2020-04-29 13:45:49 UTC 
Done
Comment 17 OBSbugzilla Bot 2020-05-12 08:02:18 UTC 
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 18 OBSbugzilla Bot 2020-05-12 14:02:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 19 OBSbugzilla Bot 2020-05-13 08:21:54 UTC 
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7
Comment 21 OBSbugzilla Bot 2020-05-13 13:31:21 UTC 
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/805287 Factory / php7