Bug 1138172 - (CVE-2019-11040) VUL-0: CVE-2019-11040: php5,php72,php7,php53: heap-buffer-overflow on php_jpg_get16
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/234473/
CVSSv2:NVD:CVE-2019-11040:6.4:(AV:N/A...
Depends on:
Blocks:
Reported: 2019-06-13 13:18 UTC by Alexander Bergmann
Modified: 2021-09-14 12:50 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2019-06-13 13:18:13 UTC
CVE-2019-11040

heap-buffer-overflow on php_jpg_get16

Upstream bug:
https://bugs.php.net/bug.php?id=77988

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11040
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11040.html
Comment 1 Petr Gajdos 2019-06-14 14:20:03 UTC
*/php*

$ USE_ZEND_ALLOC=0 valgrind  -q php test.php
==11143== Invalid read of size 1
==11143==    at 0x6F6030D: php_jpg_get16 (exif.c:1462)
==11143==    by 0x6F6030D: exif_scan_thumbnail (exif.c:3943)
==11143==    by 0x6F690AF: zif_exif_read_data (exif.c:4603)
==11143==    by 0x81B47B: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:573)
==11143==    by 0x81B47B: execute_ex (zend_vm_execute.h:59731)
==11143==    by 0x826223: zend_execute (zend_vm_execute.h:63760)
==11143==    by 0x75E3AF: zend_execute_scripts (zend.c:1496)
==11143==    by 0x6F06DF: php_execute_script (main.c:2590)
==11143==    by 0x828D85: do_cli (php_cli.c:1011)
==11143==    by 0x58DB7D: main (php_cli.c:1404)
==11143==  Address 0x6deb925 is 0 bytes after a block of size 5 alloc'd
==11143==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11143==    by 0x72B138: __zend_malloc (zend_alloc.c:2829)
==11143==    by 0x73187A: _estrndup (zend_alloc.c:2537)
==11143==    by 0x6F634A7: exif_thumbnail_extract (exif.c:2964)
==11143==    by 0x6F634A7: exif_process_IFD_in_JPEG (exif.c:3640)
==11143==    by 0x6F67D1D: exif_process_TIFF_in_JPEG (exif.c:3686)
==11143==    by 0x6F67D1D: exif_process_APP1 (exif.c:3711)
==11143==    by 0x6F67D1D: exif_scan_JPEG_header (exif.c:3856)
==11143==    by 0x6F67D1D: exif_scan_FILE_header (exif.c:4249)
==11143==    by 0x6F67D1D: exif_read_from_impl (exif.c:4390)
==11143==    by 0x6F67D1D: exif_read_from_stream.constprop.17 (exif.c:4407)
==11143==    by 0x6F6811C: exif_read_from_file (exif.c:4434)
==11143==    by 0x6F6811C: zif_exif_read_data (exif.c:4509)
==11143==    by 0x81B47B: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:573)
==11143==    by 0x81B47B: execute_ex (zend_vm_execute.h:59731)
==11143==    by 0x826223: zend_execute (zend_vm_execute.h:63760)
==11143==    by 0x75E3AF: zend_execute_scripts (zend.c:1496)
==11143==    by 0x6F06DF: php_execute_script (main.c:2590)
==11143==    by 0x828D85: do_cli (php_cli.c:1011)
==11143==    by 0x58DB7D: main (php_cli.c:1404)
==11143== 

$

PATCH

http://git.php.net/?p=php-src.git;a=commit;h=73ff4193be24192c894dc0502d06e2b2db35eefb

AFTER

*/php*

$ USE_ZEND_ALLOC=0 valgrind  -q php test.php

$
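The valgrind trace above shows the failure mode exactly: php_jpg_get16 reads two bytes, the thumbnail block is only 5 bytes long, and the read starts at offset 4, so the second byte lands one past the end of the allocation. The following C program is an added illustration written for this bug report; it is not PHP's code and not the upstream patch. It contrasts an unchecked big-endian 16-bit reader shaped like php_jpg_get16 with a bounds-checked accessor (jpg_get16_checked, a hypothetical name) and drives both from a simplified JPEG marker walk (scan_thumbnail_markers, also hypothetical, modelled on the job exif_scan_thumbnail performs rather than on its source). The sample buffers are constructed for the demonstration, not taken from the bug's test.php.

```c
#include <stddef.h>
#include <stdio.h>

/* Big-endian 16-bit read with the same shape as php_jpg_get16 in ext/exif.
   This is a stand-in written for this note, not PHP's code. It has no way
   of knowing how long the buffer is, so the caller must guarantee that two
   bytes exist at p; the valgrind report above is what happens when only
   one does. */
static unsigned int jpg_get16(const unsigned char *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

/* Bounds-checked accessor (hypothetical name). Refuses the read unless two
   bytes remain at pos. The test is written as len - pos < 2 rather than
   pos + 2 > len so it cannot wrap for a large pos. Returns 1 on success and
   stores the value in *out; returns 0 and leaves *out untouched if the data
   is truncated. */
int jpg_get16_checked(const unsigned char *buf, size_t len, size_t pos,
                      unsigned int *out)
{
    if (buf == NULL || pos > len || len - pos < 2)
        return 0;
    *out = jpg_get16(buf + pos);
    return 1;
}

/* Simplified walk over the marker segments of an embedded JPEG thumbnail
   (hypothetical; modelled on the job exif_scan_thumbnail does, not its code).
   Each segment is 0xFF, a marker byte and, for all markers except SOI, EOI
   and RSTn, a big-endian length that includes its own two bytes.
   Returns the number of segments seen, or -1 if the blob is truncated or
   malformed. Every access is checked, so it never reads past data + size. */
int scan_thumbnail_markers(const unsigned char *data, size_t size)
{
    size_t pos = 0;
    int segments = 0;

    while (pos < size) {
        unsigned char marker;
        unsigned int length;

        if (data[pos] != 0xFF)
            return -1;                  /* not at a marker boundary */
        if (size - pos < 2)
            return -1;                  /* marker byte is missing */
        marker = data[pos + 1];
        pos += 2;
        segments++;

        if (marker == 0xD8)             /* SOI: no length field */
            continue;
        if (marker == 0xD9)             /* EOI: done */
            return segments;
        if (marker >= 0xD0 && marker <= 0xD7)
            continue;                   /* RSTn: no length field */

        /* This is the read that overflowed in the report: a 5-byte blob
           ending after "FF E0 00" leaves one byte for a two-byte length.
           The checked accessor rejects it instead of touching byte 5. */
        if (!jpg_get16_checked(data, size, pos, &length))
            return -1;
        if (length < 2 || length > size - pos)
            return -1;                  /* segment runs past the buffer */
        pos += length;                  /* length counts its own 2 bytes */
    }
    return segments;
}

int main(void)
{
    /* Constructed samples, not taken from the bug's test file. */
    const unsigned char truncated[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00 };
    const unsigned char valid[] = { 0xFF, 0xD8,
                                    0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46,
                                    0xFF, 0xD9 };
    const unsigned char bad_len[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10,
                                      0xFF, 0xD9 };

    printf("truncated 5-byte blob: %d\n",
           scan_thumbnail_markers(truncated, sizeof truncated));
    printf("well-formed blob:      %d\n",
           scan_thumbnail_markers(valid, sizeof valid));
    printf("oversized length:      %d\n",
           scan_thumbnail_markers(bad_len, sizeof bad_len));
    return 0;
}
```

Run under valgrind with the truncated sample and there is no invalid read: the scanner reports -1 instead of fetching the missing length byte. The two checks that matter for triage are the one inside jpg_get16_checked (enough bytes for the field itself) and the one after it (the segment length must fit in what remains); a parser that has only one of the two still overruns on a different input.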
Comment 2 Petr Gajdos 2019-06-14 14:20:57 UTC
Will submit for: 15/php7, 12/php72,php7,php5, 11sp3/php53, and 11,10sp3/php5.
Comment 3 Petr Gajdos 2019-06-14 15:36:06 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2019-07-02 19:12:32 UTC
SUSE-SU-2019:1725-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1119396,1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.80.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.80.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.80.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-07-02 19:14:00 UTC
SUSE-SU-2019:1724-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.20.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php72-7.2.5-1.20.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.20.2

Comment 8 Swamp Workflow Management 2019-07-04 13:11:24 UTC
SUSE-SU-2019:1746-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137633,1138172,1138173
CVE References: CVE-2015-1351,CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.63.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.63.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.63.2

Comment 9 Swamp Workflow Management 2019-07-12 19:12:19 UTC
SUSE-SU-2019:1832-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.35.3

Comment 11 Swamp Workflow Management 2019-07-21 10:13:21 UTC
openSUSE-SU-2019:1778-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.6.1
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.22.1
Comment 12 Swamp Workflow Management 2019-08-07 11:52:58 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-08-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64336
Comment 16 Wolfgang Frisch 2020-02-13 17:32:00 UTC
all fixed
Comment 17 OBSbugzilla Bot 2020-05-12 08:01:53 UTC
This is an autogenerated message for OBS integration:
This bug (1138172) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 18 OBSbugzilla Bot 2020-05-12 14:01:40 UTC
This is an autogenerated message for OBS integration:
This bug (1138172) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 19 OBSbugzilla Bot 2020-05-13 08:21:33 UTC
This is an autogenerated message for OBS integration:
This bug (1138172) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7
Comment 21 OBSbugzilla Bot 2020-05-13 13:31:01 UTC
This is an autogenerated message for OBS integration:
This bug (1138172) was mentioned in
https://build.opensuse.org/request/show/805287 Factory / php7