Bug 1099098 - (CVE-2018-12882) VUL-0: CVE-2018-12882: php7: exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vuln
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/208851/
CVSSv3:RedHat:CVE-2018-12882:6.3:(AV:...
Reported: 2018-06-26 06:32 UTC by Marcus Meissner
Modified: 2021-09-14 12:46 UTC (History)

Found By: Security Response Team
Attachments
test.jpg (1 bytes, image/jpeg)
2018-06-26 06:42 UTC, Marcus Meissner

Description Marcus Meissner 2018-06-26 06:32:56 UTC
CVE-2018-12882

exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows
attackers to trigger a use-after-free (in exif_read_from_file) because it closes
a stream that it is not responsible for closing. The vulnerable code is
reachable through the PHP exif_read_data function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12882
https://bugs.php.net/bug.php?id=76409
Comment 1 Marcus Meissner 2018-06-26 06:42:10 UTC
Created attachment 775258
test.jpg

QA REPRODUCER:

(make sure php7-exif is installed)

php7 -r 'exif_read_data(file_get_contents("test.jpg"));'

should not crash, but report:
PHP Fatal error:  Uncaught Error: Call to undefined function exif_read_data() in Command line code:1
Comment 2 Marcus Meissner 2018-06-26 06:52:22 UTC
Weird, the upstream report seems to have changed to have non-standard files as cause

QA REPRODUCER:
php7 -r 'exif_read_data(file_get_contents("."));'


Also the handler is not closed in the patch, just set to NULL. Not sure if this fix is ok
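
Added example (not part of the comment above and not PHP's source): a toy C model of the ownership rule from the CVE description, showing why a callee that only borrows a stream must drop its pointer rather than close it. All names (`toy_stream`, `read_impl_buggy`, `read_impl_fixed`, `closes_after_read`) are hypothetical, and treating "not a regular file" as the failing path is an assumption based on the `"."` reproducer.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stream that counts close calls instead of freeing memory, so the
 * ownership mistake is observable without undefined behaviour. With a real
 * stream, the second close would operate on freed memory (use-after-free). */
typedef struct { int is_open; int close_calls; } toy_stream;

/* Hypothetical stand-in for the parser state that keeps a stream pointer. */
typedef struct { toy_stream *infile; } image_info;

static void toy_close(toy_stream *s) {
    s->close_calls++;
    s->is_open = 0;
}

/* Callee, pre-fix shape: on the error path it closes a stream that the
 * caller opened and will close again. */
static int read_impl_buggy(image_info *info, toy_stream *s, int is_regular_file) {
    info->infile = s;                 /* borrowed, not owned */
    if (!is_regular_file) {
        toy_close(info->infile);      /* wrong: not ours to close */
        return 0;
    }
    return 1;
}

/* Callee, post-fix shape: on the error path it only forgets the borrowed
 * pointer. The stream stays open until its owner closes it. */
static int read_impl_fixed(image_info *info, toy_stream *s, int is_regular_file) {
    info->infile = s;
    if (!is_regular_file) {
        info->infile = NULL;          /* drop the reference, do not close */
        return 0;
    }
    return 1;
}

typedef int (*impl_fn)(image_info *, toy_stream *, int);

/* Caller: opens the stream, so it is the one responsible for closing it.
 * Returns how many times the stream was closed in total; anything other
 * than 1 is an ownership bug. */
static int closes_after_read(impl_fn impl, int is_regular_file) {
    toy_stream s = { 1, 0 };
    image_info info = { NULL };
    impl(&info, &s, is_regular_file);
    toy_close(&s);                    /* owner's single, legitimate close */
    return s.close_calls;
}

int main(void) {
    printf("buggy, not a file:  %d close(s)\n", closes_after_read(read_impl_buggy, 0));
    printf("fixed, not a file:  %d close(s)\n", closes_after_read(read_impl_fixed, 0));
    printf("buggy, regular:     %d close(s)\n", closes_after_read(read_impl_buggy, 1));
    printf("fixed, regular:     %d close(s)\n", closes_after_read(read_impl_fixed, 1));
    return 0;
}
```

In this model the fixed callee leaves exactly one close, performed by the owner, so setting the pointer to NULL without closing does not leak the stream.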
Comment 3 Marcus Meissner 2018-06-26 09:37:28 UTC
I am not seeing issues, also not with valgrind or ZEND_ALLOC=0
Comment 4 Petr Gajdos 2018-06-26 11:15:00 UTC
I could not reproduce in 15/php7, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5, neither with

$ export ZEND_ALLOC=0
$ valgrind php -r 'exif_read_data(file_get_contents("test.jpg"));'

nor with

$ valgrind php -r 'exif_read_data(".");'
.

When both php and php-exif installed, I get every time:

$ valgrind -q php -r 'exif_read_data(file_get_contents("test.jpg"));'
PHP Warning:  exif_read_data(): Not a file in Command line code on line 1
$
Comment 5 Petr Gajdos 2018-06-26 11:22:03 UTC
Upstream commit:
http://git.php.net/?p=php-src.git;a=commit;h=3fdde65617e9f954e2c964768aac8831005497e5

Code is everywhere.
Comment 6 Petr Gajdos 2018-06-26 11:43:06 UTC
Will submit for: 15/php7, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.

The behavior had not changed AFTER.
Comment 7 Petr Gajdos 2018-06-26 11:44:21 UTC
I believe all fixed.
Comment 9 Swamp Workflow Management 2018-06-27 06:36:08 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64078
Comment 10 Swamp Workflow Management 2018-07-05 10:15:00 UTC
SUSE-SU-2018:1886-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1099098
CVE References: CVE-2018-12882
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.41.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.41.1
Comment 11 Swamp Workflow Management 2018-07-07 01:08:08 UTC
openSUSE-SU-2018:1913-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1099098
CVE References: CVE-2018-12882
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-40.1
Comment 12 Swamp Workflow Management 2018-07-12 13:08:20 UTC
SUSE-SU-2018:1936-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1099098
CVE References: CVE-2018-12882
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.3.1
Comment 13 Swamp Workflow Management 2018-07-12 16:17:19 UTC
SUSE-SU-2018:1936-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1099098
CVE References: CVE-2018-12882
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.3.1
Comment 14 Swamp Workflow Management 2018-07-20 01:10:07 UTC
openSUSE-SU-2018:2014-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1099098
CVE References: CVE-2018-12882
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.6.1
Comment 15 Swamp Workflow Management 2018-07-23 19:09:47 UTC
SUSE-SU-2018:2044-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098
CVE References: CVE-2018-10360,CVE-2018-12882
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.28.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.28.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.28.1
Comment 19 Vit Pelcak 2018-08-08 11:59:54 UTC
I reran those tests and the ones in your list that failed fail for me, too.

However also PHPTEST-ext-dom-tests-dom007 and PHPTEST-ext-imap-tests-bug46918 fail for me.

Running selected tests.
FAIL Bug #46918 (imap_rfc822_parse_adrlist host part not filled in correctly) [ext/imap/tests/bug46918.phpt] 

With following info in log:

---- EXPECTED OUTPUT
array (
  0 => 
  stdClass::__set_state(array(
     'mailbox' => 'iane',
     'host' => 'example.ac.uk',
     'personal' => 'ian eiloart',
  )),
  1 => 
  stdClass::__set_state(array(
     'mailbox' => 'shuf6',
     'host' => 'example.ac.uk',
  )),
  2 => 
  stdClass::__set_state(array(
     'mailbox' => 'blobby',
     'host' => 'example.com',
  )),
  3 => 
  stdClass::__set_state(array(
     'mailbox' => 'ian',
     'host' => 'example.ac.uk',
     'personal' => 'ian,eiloart',
  )),
  4 => 
  stdClass::__set_state(array(
     'mailbox' => 'foo',
     'host' => 'example.ac.uk',
     'adl' => '@example.com',
  )),
  5 => 
  stdClass::__set_state(array(
     'mailbox' => 'foo',
     'host' => '#',
  )),
  6 => 
  stdClass::__set_state(array(
     'mailbox' => 'ian',
     'host' => '-example.com',
  )),
  7 => 
  stdClass::__set_state(array(
     'mailbox' => 'ian',
     'host' => 'one',
  )),
  8 => 
  stdClass::__set_state(array(
     'mailbox' => 'UNEXPECTED_DATA_AFTER_ADDRESS',
     'host' => '.SYNTAX-ERROR.',
  )),
)
Notice: Unknown: Unexpected characters at end of address: @two (errflg=3) in Unknown on line 0
---- ACTUAL OUTPUT
Fatal error: Call to undefined function imap_rfc822_parse_adrlist() in /usr/share/qa/qa_test_php5/ext/imap/tests/bug46918.php on line 11
---- FAILED



=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #46918 (imap_rfc822_parse_adrlist host part not filled in correctly) [ext/imap/tests/bug46918.phpt]

FAIL Test 7: DTD tests [ext/dom/tests/dom007.phpt] 

With following info in the log:

---- EXPECTED OUTPUT
Length: 1
Key GIF: GIF (image/gif) (-)

Index 0: GIF (image/gif) (-)

NULL

Length: 3
Key: test Name: test
Key: rdf Name: rdf
Key: myimage Name: myimage

Index 0: test
Index 1: rdf
Index 2: myimage

NULL
NULL
---- ACTUAL OUTPUT
Length: 1
Key GIF: GIF (image/gif) (-)

Index 0: GIF (image/gif) (-)

NULL

Length: 3
Key: test Name: test
Key: myimage Name: myimage
Key: rdf Name: rdf

Index 0: test
Index 1: myimage
Index 2: rdf

NULL
NULL
---- FAILED


Additionally, I reran the whole testsuite with the following result:

TIME END 2018-08-08 11:32:33

=====================================================================
TEST RESULT SUMMARY
---------------------------------------------------------------------
Exts skipped    :   19
Exts tested     :   55
---------------------------------------------------------------------

Number of tests : 8885              7489
Tests skipped   : 1396 ( 15.7%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :  146 (  1.6%) (  1.9%)
Expected fail   :    4 (  0.0%) (  0.1%)
Tests passed    : 7339 ( 82.6%) ( 98.0%)
---------------------------------------------------------------------
Time taken      : 1463 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
ZE2 A class constructor must keep the signature of all interfaces [tests/classes/ctor_in_interface_02.phpt]
Test open_basedir configuration [tests/security/open_basedir_chdir.phpt]
Test open_basedir configuration [tests/security/open_basedir_chmod.phpt]
Test open_basedir configuration [tests/security/open_basedir_copy.phpt]
Test open_basedir configuration [tests/security/open_basedir_dir.phpt]
Test open_basedir configuration [tests/security/open_basedir_disk_free_space.phpt]
Test open_basedir configuration [tests/security/open_basedir_file.phpt]
Test open_basedir configuration [tests/security/open_basedir_file_exists.phpt]
Test open_basedir configuration [tests/security/open_basedir_file_get_contents.phpt]
Test open_basedir configuration [tests/security/open_basedir_fileatime.phpt]
Test open_basedir configuration [tests/security/open_basedir_filectime.phpt]
Test open_basedir configuration [tests/security/open_basedir_filegroup.phpt]
Test open_basedir configuration [tests/security/open_basedir_fileinode.phpt]
Test open_basedir configuration [tests/security/open_basedir_filemtime.phpt]
Test open_basedir configuration [tests/security/open_basedir_fileowner.phpt]
Test open_basedir configuration [tests/security/open_basedir_fileperms.phpt]
Test open_basedir configuration [tests/security/open_basedir_filesize.phpt]
Test open_basedir configuration [tests/security/open_basedir_filetype.phpt]
Test open_basedir configuration [tests/security/open_basedir_fopen.phpt]
Test open_basedir configuration [tests/security/open_basedir_is_dir.phpt]
Test open_basedir configuration [tests/security/open_basedir_is_executable.phpt]
Test open_basedir configuration [tests/security/open_basedir_is_file.phpt]
Test open_basedir configuration [tests/security/open_basedir_is_link.phpt]
Test open_basedir configuration [tests/security/open_basedir_is_readable.phpt]
Test open_basedir configuration [tests/security/open_basedir_is_writable.phpt]
Test open_basedir configuration [tests/security/open_basedir_linkinfo.phpt]
Test open_basedir configuration [tests/security/open_basedir_lstat.phpt]
Test open_basedir configuration [tests/security/open_basedir_opendir.phpt]
Test open_basedir configuration [tests/security/open_basedir_parse_ini_file.phpt]
Test open_basedir configuration [tests/security/open_basedir_readlink.phpt]
Test open_basedir configuration [tests/security/open_basedir_scandir.phpt]
Test open_basedir configuration [tests/security/open_basedir_stat.phpt]
Test open_basedir configuration [tests/security/open_basedir_symlink.phpt]
Test open_basedir configuration [tests/security/open_basedir_tempnam.phpt]
Test open_basedir configuration [tests/security/open_basedir_touch.phpt]
Bug #36568 (memory_limit has no effect) [Zend/tests/bug36568.phpt]
Bug #38779 (engine crashes when require()'ing file with syntax error through userspace stream wrapper) [Zend/tests/bug38779.phpt]
easter_date() [ext/calendar/tests/easter_date.phpt]
unixtojd() [ext/calendar/tests/unixtojd.phpt]
Curl_multi_getcontent() basic test with different sources (local file/http) [ext/curl/tests/curl_multi_getcontent_basic3.phpt]
curl_setopt() basic parameter test [ext/curl/tests/curl_setopt_error.phpt]
timezone_abbreviations_list() tests [ext/date/tests/010.phpt]
Test DateTimeZone::getTransitions() function : basic functionality [ext/date/tests/DateTimeZone_getTransitions_basic1.phpt]
Test DateTimeZone::listAbbreviations() function : basic functionality [ext/date/tests/DateTimeZone_listAbbreviations_basic1.phpt]
Test DateTime::modify() function : usage variation - Passing unexpected values to first argument $modify. [ext/date/tests/DateTime_modify_variation1.phpt]
Bug #20382 [2] (strtotime ("Monday", $date) produces wrong result on DST changeover) [ext/date/tests/bug20382-2.phpt]
Bug #27780 (strtotime(+1 xxx) returns a wrong date/time) [ext/date/tests/bug27780.phpt]
Bug #32086 (strtotime don't work in DST) [ext/date/tests/bug32086.phpt]
Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
Bug #33414 [2] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-2.phpt]
Bug #33415 [1] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-1.phpt]
Bug #33415 [2] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-2.phpt]
Bug #33532 (Different output for strftime() and date()) [ext/date/tests/bug33532.phpt]
Bug #46111 (strtotime() returns false for some valid timezones) [ext/date/tests/bug46111.phpt]
date_default_timezone_get() function [1] [ext/date/tests/date_default_timezone_get-1.phpt]
date_default_timezone_get() function [2] [ext/date/tests/date_default_timezone_get-2.phpt]
date_default_timezone_set() function [1] [ext/date/tests/date_default_timezone_set-1.phpt]
Test date_default_timezone_set() function : usage variations - Passing unexpected values for time_zone identifier [ext/date/tests/date_default_timezone_set_variation1.phpt]
date_modify() function [1] [ext/date/tests/date_modify-1.phpt]
Test date_modify() function : usage variation - Passing unexpected values to second argument $format. [ext/date/tests/date_modify_variation2.phpt]
mktime() [3] (64-bit) [ext/date/tests/mktime-3-64bit.phpt]
Test timezone_abbreviations_list() function : basic functionality [ext/date/tests/timezone_abbreviations_list_basic1.phpt]
Test timezone_transitions_get() function : basic functionality [ext/date/tests/timezone_transitions_get_basic1.phpt]
DOMDocument::validate() should validate an external DTD declaration [ext/dom/tests/DOMDocument_validate_external_dtd.phpt]
DOMDocument::$validateOnParse - effectual determination (dom_document_validate_on_parse_read/dom_document_validate_on_parse_write) [ext/dom/tests/DOMDocument_validate_on_parse_variation.phpt]
Bug #48555 (ImageFTBBox() differs from previous versions for texts with new lines) [ext/gd/tests/bug48555.phpt]
Test imagecolorallocate() function : usage variations  - passing different data types to fourth argument [ext/gd/tests/imagecolorallocate_variation4.phpt]
Testing imagetruecolortopalette(): wrong parameters for parameter 3 [ext/gd/tests/imagetruecolortopalette_error3.phpt]
Testing imagetruecolortopalette(): out of range parameter 3 [ext/gd/tests/imagetruecolortopalette_error4.phpt]
gmp_gcd() basic tests [ext/gmp/tests/021.phpt]
gmp_cmp() basic tests [ext/gmp/tests/026.phpt]
Feature Request #50283 (allow base in gmp_strval to use full range: 2 to 62, and -2 to -36) [ext/gmp/tests/bug50283.phpt]
ldap_bind() - Basic anonymous binding [ext/ldap/tests/ldap_bind_basic.phpt]
ldap_bind() - Advanced binding [ext/ldap/tests/ldap_bind_variation.phpt]
ldap_sasl_bind() - Basic anonymous binding [ext/ldap/tests/ldap_sasl_bind_basic.phpt]
ldap_search() - operation that should fail [ext/ldap/tests/ldap_search_error.phpt]
ldap_start_tls() - Basic ldap_start_tls test [ext/ldap/tests/ldap_start_tls_basic.phpt]
Bug #47566 (return value of pcntl_wexitstatus()) [ext/pcntl/tests/bug47566.phpt]
Bug #47769 (Strange extends PDO) [ext/pdo/tests/bug47769.phpt]
Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault) [ext/pdo_mysql/tests/bug41125.phpt]
Bug #44327 (PDORow::queryString property & numeric offsets / Crash) [ext/pdo_mysql/tests/bug44327.phpt]
via [ext/pdo_mysql/tests/common.phpt]
        MySQL Bug #47769 (Strange extends PDO) [ext/pdo_mysql/tests/bug47769.phpt]
via [ext/pdo_odbc/tests/common.phpt]
        ODBC Bug #47769 (Strange extends PDO) [ext/pdo_odbc/tests/bug47769.phpt]
PDO ODBC "long" columns [ext/pdo_odbc/tests/long_columns.phpt]
via [ext/pdo_pgsql/tests/common.phpt]
        Postgres Bug #47769 (Strange extends PDO) [ext/pdo_pgsql/tests/bug47769.phpt]
session_set_save_handler test [ext/session/tests/004.phpt]
custom save handler, multiple session_start()s, complex data structure test. [ext/session/tests/005.phpt]
a script should not be able to modify session.use_trans_sid [ext/session/tests/014.phpt]
use_trans_sid should not affect SID [ext/session/tests/015.phpt]
rewriter correctly handles attribute names which contain dashes [ext/session/tests/018.phpt]
rewriter uses arg_seperator.output for modifying URLs [ext/session/tests/020.phpt]
rewriter handles form and fieldset tags correctly [ext/session/tests/021.phpt]
session_set_save_handler test [ext/session/tests/024.phpt]
custom save handler, multiple session_start()s, complex data structure test. [ext/session/tests/025.phpt]
Bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n) [ext/session/tests/bug36459.phpt]
Bug #41600 (url rewriter tags doesn't work with namespaced tags) [ext/session/tests/bug41600.phpt]
Test session_id() function : variation [ext/session/tests/session_id_variation2.phpt]
Test session_set_save_handler() function : basic functionality [ext/session/tests/session_set_save_handler_basic.phpt]
Test session_set_save_handler() function : variation [ext/session/tests/session_set_save_handler_variation4.phpt]
SimpleXML: XPath [ext/simplexml/tests/008.phpt]
Bug #44811 (Improve error messages when creating new SoapClient which contains invalid data) [ext/soap/tests/bugs/bug44811.phpt]
SPL: DualIterator [ext/spl/examples/tests/dualiterator_001.phpt]
array_pad() tests [ext/standard/tests/array/array_pad.phpt]
Test array_pad() function : error conditions [ext/standard/tests/array/array_pad_error.phpt]
Test array_pad() function : usage variations - unexpected values for 'input' argument [ext/standard/tests/array/array_pad_variation1.phpt]
Test array_pad() function : usage variations - unexpected values for 'pad_size' argument(Bug#43482) [ext/standard/tests/array/array_pad_variation2.phpt]
fopencookie detected and working (or cast mechanism works) [ext/standard/tests/file/fopencookie.phpt]
User streams and include() [ext/standard/tests/file/include_userstream_001.phpt]
local user streams must not be able to open() url's [ext/standard/tests/file/include_userstream_002.phpt]
Bug #44394 (Last two bytes missing from output) with session.use_trans_id [ext/standard/tests/general_functions/bug44394_2.phpt]
Test function getservbyname() by substituting argument 2 with emptyUnsetUndefNull values. [ext/standard/tests/general_functions/getservbyname_variation10.phpt]
Test function getservbyname() by substituting argument 2 with boolean values. [ext/standard/tests/general_functions/getservbyname_variation9.phpt]
phpinfo() [ext/standard/tests/general_functions/phpinfo.phpt]
Test function proc_nice() by substituting argument 1 with int values. [ext/standard/tests/general_functions/proc_nice_variation5.phpt]
Test uniqid() function : basic functionality [ext/standard/tests/general_functions/uniqid_basic.phpt]
Bug #51604 (newline in end of header is shown in start of message) [ext/standard/tests/mail/bug51604.phpt]
Test mail() function : error conditions [ext/standard/tests/mail/mail_error.phpt]
Check the php_ini_loaded_file() function. No file is loaded in test, so false ins returned [ext/standard/tests/php_ini_loaded_file.phpt]
serialize()/unserialize() objects [ext/standard/tests/serialize/005.phpt]
Bug #25378 (unserialize() crashes with invalid data) [ext/standard/tests/serialize/bug25378.phpt]
htmlentities() test 2 (setlocale / fr_FR.ISO-8859-15) [ext/standard/tests/strings/htmlentities02.phpt]
htmlentities() test 4 (setlocale / ja_JP.EUC-JP) [ext/standard/tests/strings/htmlentities04.phpt]
htmlentities() test 10 (default_charset / cp1252) [ext/standard/tests/strings/htmlentities10.phpt]
htmlentities() test 11 (default_charset / ISO-8859-15) [ext/standard/tests/strings/htmlentities11.phpt]
htmlentities() test 13 (default_charset / EUC-JP) [ext/standard/tests/strings/htmlentities13.phpt]
htmlentities() test 15 (setlocale / KOI8-R) [ext/standard/tests/strings/htmlentities15.phpt]
Test setlocale() function : usage variations - Setting all available locales in the platform [ext/standard/tests/strings/setlocale_variation2.phpt]
Test parse_url() function: Parse a load of URLs without specifying the component [ext/standard/tests/url/parse_url_basic_001.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_SCHEME as the URL component [ext/standard/tests/url/parse_url_basic_002.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_HOST as the URL component [ext/standard/tests/url/parse_url_basic_003.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_PORT as the URL component [ext/standard/tests/url/parse_url_basic_004.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_USER as the URL component [ext/standard/tests/url/parse_url_basic_005.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_PASS as the URL component [ext/standard/tests/url/parse_url_basic_006.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_PATH as the URL component [ext/standard/tests/url/parse_url_basic_007.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_QUERY as the URL component [ext/standard/tests/url/parse_url_basic_008.phpt]
Test parse_url() function: Parse a load of URLs without specifying PHP_URL_FRAGMENT as the URL component [ext/standard/tests/url/parse_url_basic_009.phpt]
sysvmsg functions on non-existing queue [ext/sysvmsg/tests/005.phpt]
msg_send() data types when not serializing [ext/sysvmsg/tests/006.phpt]
Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates) [ext/xmlrpc/tests/bug42189.phpt]
Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request) [ext/xmlrpc/tests/bug51288.phpt]
Test 10: EXSLT Support [ext/xsl/tests/xslt010.phpt]
Check xsltprocessor::registerPHPFunctions and a non-string function in xsl [ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcnostring.phpt]
Check xsltprocessor::registerPHPFunctions and a undefined php function [ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcundef.phpt]
Test function gzgetc() by calling it with its expected arguments [ext/zlib/tests/gzgetc_basic.phpt]
show information about class [sapi/cli/tests/005.phpt]
=====================================================================

=====================================================================
EXPECTED FAILED TEST SUMMARY
---------------------------------------------------------------------
output buffering - fatalism [tests/output/ob_011.phpt]
ob_start(): Ensure unerasable buffer cannot be flushed by ob_flush() [tests/output/ob_start_basic_unerasable_005.phpt]
SPL: ArrayObject::exchangeArray() basic usage with object as underlying data store. [ext/spl/tests/arrayObject_exchangeArray_basic3.phpt]
Bug #39863 (file_exists() silently truncates after a null byte) [ext/standard/tests/file/bug39863.phpt]
=====================================================================

You may have found a problem in PHP.
We would like to send this report automatically to the
PHP QA team, to give us a better understanding of how
the test cases are doing. If you don't want to send it
immediately, you can choose "s" to save the report to
a file that you can send us later.
Do you want to send this report now? [Yns]: n
Comment 22 Swamp Workflow Management 2018-09-10 19:13:46 UTC
SUSE-SU-2018:2682-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098,1103659,1105466
CVE References: CVE-2017-9118,CVE-2018-10360,CVE-2018-12882,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.38.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.38.1
Comment 23 Swamp Workflow Management 2018-09-12 10:09:12 UTC
openSUSE-SU-2018:2694-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098,1103659,1105466
CVE References: CVE-2017-9118,CVE-2018-10360,CVE-2018-12882,CVE-2018-14851
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-103.1
Comment 24 Karol Babioch 2018-10-30 14:45:14 UTC
Updates released, bug can be closed.
Comment 34 OBSbugzilla Bot 2020-05-12 08:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1099098) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7