Bug 1138173 (CVE-2019-11039) - VUL-0: CVE-2019-11039: php5,php72,php7,php53: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
Status: RESOLVED FIXED
Alias: CVE-2019-11039
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Deadline: 2019-08-21
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/234474/
Whiteboard: CVSSv2:NVD:CVE-2019-11039:6.4:(AV:N/A...
Reported: 2019-06-13 13:18 UTC by Alexander Bergmann
Modified: 2023-10-26 10:35 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
proof of concept from the upstream bugzilla (107 bytes, application/octet-stream)
2019-06-14 15:28 UTC, Petr Gajdos

Description Alexander Bergmann 2019-06-13 13:18:41 UTC
CVE-2019-11039

Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer
overflow

Upstream bug:
https://bugs.php.net/bug.php?id=78069

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11039
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11039.html
Comment 1 Petr Gajdos 2019-06-14 15:28:57 UTC
Created attachment 807644
proof of concept from the upstream bugzilla

test.php
<?php
  $hdr = iconv_mime_decode_headers(file_get_contents("poc"),2);
?>

$ USE_ZEND_ALLOC=0 valgrind  -q php test.php
PHP Notice:  iconv_mime_decode_headers(): Detected an illegal character in input string in /138173/test.php on line 2
$

No valgrind error reported. I had also tried with asan, no report either.
Comment 2 Petr Gajdos 2019-06-14 15:30:13 UTC
Will submit for: 15/php7, 12/php72,php7,php5, 11sp3/php53, and 11,10sp3/php5.
Comment 3 Petr Gajdos 2019-06-14 15:36:22 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2019-07-02 19:12:40 UTC
SUSE-SU-2019:1725-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1119396,1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.80.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.80.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.80.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-07-02 19:14:06 UTC
SUSE-SU-2019:1724-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.20.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php72-7.2.5-1.20.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.20.2

Comment 8 Swamp Workflow Management 2019-07-04 13:11:33 UTC
SUSE-SU-2019:1746-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137633,1138172,1138173
CVE References: CVE-2015-1351,CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.63.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.63.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.63.2

Comment 9 Swamp Workflow Management 2019-07-12 19:12:27 UTC
SUSE-SU-2019:1832-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.35.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.35.3

Comment 11 Swamp Workflow Management 2019-07-21 10:13:28 UTC
openSUSE-SU-2019:1778-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1138172,1138173
CVE References: CVE-2019-11039,CVE-2019-11040
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.6.1
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.22.1
Comment 12 Swamp Workflow Management 2019-08-07 11:52:49 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-08-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64336
Comment 16 Alexandros Toptsoglou 2020-03-03 13:24:10 UTC
Done
Comment 17 OBSbugzilla Bot 2020-05-12 08:01:58 UTC
This is an autogenerated message for OBS integration:
This bug (1138173) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 18 OBSbugzilla Bot 2020-05-12 14:01:46 UTC
This is an autogenerated message for OBS integration:
This bug (1138173) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 19 OBSbugzilla Bot 2020-05-13 08:21:39 UTC
This is an autogenerated message for OBS integration:
This bug (1138173) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7
Comment 21 OBSbugzilla Bot 2020-05-13 13:31:07 UTC
This is an autogenerated message for OBS integration:
This bug (1138173) was mentioned in
https://build.opensuse.org/request/show/805287 Factory / php7
Comment 27 OBSbugzilla Bot 2023-10-26 10:35:45 UTC
This is an autogenerated message for OBS integration:
This bug (1138173) was mentioned in
https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81