Bugzilla – Bug 1138172
VUL-0: CVE-2019-11040: php5,php72,php7,php53: heap-buffer-overflow on php_jpg_get16
Last modified: 2023-10-26 10:35:45 UTC
CVE-2019-11040
heap-buffer-overflow on php_jpg_get16
Upstream bug: https://bugs.php.net/bug.php?id=77988
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11040
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11040.html
*/php* $ USE_ZEND_ALLOC=0 valgrind -q php test.php
==11143== Invalid read of size 1
==11143==    at 0x6F6030D: php_jpg_get16 (exif.c:1462)
==11143==    by 0x6F6030D: exif_scan_thumbnail (exif.c:3943)
==11143==    by 0x6F690AF: zif_exif_read_data (exif.c:4603)
==11143==    by 0x81B47B: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:573)
==11143==    by 0x81B47B: execute_ex (zend_vm_execute.h:59731)
==11143==    by 0x826223: zend_execute (zend_vm_execute.h:63760)
==11143==    by 0x75E3AF: zend_execute_scripts (zend.c:1496)
==11143==    by 0x6F06DF: php_execute_script (main.c:2590)
==11143==    by 0x828D85: do_cli (php_cli.c:1011)
==11143==    by 0x58DB7D: main (php_cli.c:1404)
==11143==  Address 0x6deb925 is 0 bytes after a block of size 5 alloc'd
==11143==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11143==    by 0x72B138: __zend_malloc (zend_alloc.c:2829)
==11143==    by 0x73187A: _estrndup (zend_alloc.c:2537)
==11143==    by 0x6F634A7: exif_thumbnail_extract (exif.c:2964)
==11143==    by 0x6F634A7: exif_process_IFD_in_JPEG (exif.c:3640)
==11143==    by 0x6F67D1D: exif_process_TIFF_in_JPEG (exif.c:3686)
==11143==    by 0x6F67D1D: exif_process_APP1 (exif.c:3711)
==11143==    by 0x6F67D1D: exif_scan_JPEG_header (exif.c:3856)
==11143==    by 0x6F67D1D: exif_scan_FILE_header (exif.c:4249)
==11143==    by 0x6F67D1D: exif_read_from_impl (exif.c:4390)
==11143==    by 0x6F67D1D: exif_read_from_stream.constprop.17 (exif.c:4407)
==11143==    by 0x6F6811C: exif_read_from_file (exif.c:4434)
==11143==    by 0x6F6811C: zif_exif_read_data (exif.c:4509)
==11143==    by 0x81B47B: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:573)
==11143==    by 0x81B47B: execute_ex (zend_vm_execute.h:59731)
==11143==    by 0x826223: zend_execute (zend_vm_execute.h:63760)
==11143==    by 0x75E3AF: zend_execute_scripts (zend.c:1496)
==11143==    by 0x6F06DF: php_execute_script (main.c:2590)
==11143==    by 0x828D85: do_cli (php_cli.c:1011)
==11143==    by 0x58DB7D: main (php_cli.c:1404)
==11143==
$

PATCH
http://git.php.net/?p=php-src.git;a=commit;h=73ff4193be24192c894dc0502d06e2b2db35eefb

AFTER
*/php* $ USE_ZEND_ALLOC=0 valgrind -q php test.php
$
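
Added example, not PHP's code and not the upstream patch: a simplified C model of a JPEG thumbnail segment walk in which every 16-bit read is bounds-checked, so a buffer that ends inside a length field is rejected instead of producing the 1-byte read past a 5-byte block that valgrind reports above. `get16_checked`, `scan_thumbnail`, `struct dims` and both byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 16-bit read that refuses to touch bytes outside buf[0..size). */
static int get16_checked(const uint8_t *buf, size_t size, size_t pos, uint16_t *out)
{
    if (size < 2 || pos > size - 2)
        return 0;
    *out = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    return 1;
}

struct dims { int ok; uint16_t height, width; };

/* Hypothetical helper: walk the segments of an in-memory JPEG thumbnail and
 * return the dimensions from the first SOF0..SOF2 segment; ok == 0 on failure. */
struct dims scan_thumbnail(const uint8_t *buf, size_t size)
{
    struct dims d = { 0, 0, 0 };
    size_t pos = 2;                                   /* skip SOI */
    uint16_t seg_len;

    if (size < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return d;
    for (;;) {
        if (pos > size - 2 || buf[pos] != 0xFF) return d;   /* no room for a marker */
        uint8_t marker = buf[pos + 1];
        pos += 2;
        if (marker == 0xD9 || marker == 0xDA) return d;     /* EOI or SOS, no SOF seen */
        if (!get16_checked(buf, size, pos, &seg_len) || seg_len < 2)
            return d;                                 /* length field truncated or invalid */
        if (marker >= 0xC0 && marker <= 0xC2) {       /* len(2) precision(1) height(2) width(2) */
            d.ok = get16_checked(buf, size, pos + 3, &d.height) &&
                   get16_checked(buf, size, pos + 5, &d.width);
            return d;
        }
        if (seg_len > size - pos) return d;           /* segment claims more than is left */
        pos += seg_len;
    }
}

/* Constructed inputs: 5 bytes cut off inside a length field; APP0 + SOF0 declaring 16x32. */
static const uint8_t truncated5[] = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00 };
static const uint8_t complete[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 'a', 'b',
    0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00, 0x10, 0x00, 0x20 };

int main(void)
{
    struct dims t = scan_thumbnail(truncated5, sizeof truncated5);
    struct dims c = scan_thumbnail(complete, sizeof complete);
    printf("truncated ok=%d, complete ok=%d %ux%u\n", t.ok, c.ok,
           (unsigned)c.height, (unsigned)c.width);
    return 0;
}
```
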
Will submit for: 15/php7, 12/php72,php7,php5, 11sp3/php53, and 11,10sp3/php5.
I believe all fixed.
SUSE-SU-2019:1725-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1119396,1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php7-7.0.7-50.80.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php7-7.0.7-50.80.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.80.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1724-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php72-7.2.5-1.20.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php72-7.2.5-1.20.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.20.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1746-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1137633,1138172,1138173
CVE References: CVE-2015-1351,CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.63.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php5-5.5.14-109.63.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.63.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1832-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Web Scripting 15 (src): php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): php7-7.2.5-4.35.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1778-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.6.1
openSUSE Leap 15.0 (src): php7-7.2.5-lp150.2.22.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2019-08-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64336
all fixed
This is an autogenerated message for OBS integration: This bug (1138172) was mentioned in https://build.opensuse.org/request/show/802846 Factory / php7
This is an autogenerated message for OBS integration: This bug (1138172) was mentioned in https://build.opensuse.org/request/show/802978 Factory / php7
This is an autogenerated message for OBS integration: This bug (1138172) was mentioned in https://build.opensuse.org/request/show/804946 Factory / php7
This is an autogenerated message for OBS integration: This bug (1138172) was mentioned in https://build.opensuse.org/request/show/805287 Factory / php7
This is an autogenerated message for OBS integration: This bug (1138172) was mentioned in https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81