Bugzilla – Bug 1145095
VUL-1: CVE-2019-11042: php5,php72,php7,php53: php: heap buffer over-read in exif_process_user_comment()
Last modified: 2023-10-26 10:35:46 UTC
CVE-2019-11042 heap-buffer-overflow on exif_process_user_comment

Upstream issue and fix: https://bugs.php.net/bug.php?id=78256

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1739465
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11042
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11042.html
http://git.php.net/?p=php-src.git;a=commit;h=e648fa4699e8d072db6db34fcc09826e8127fab8
I cannot reproduce, with or without ASAN or with valgrind, any invalid reads with the test case from the upstream commit. The fix protects memcmp() from unintended reading and seems to clearly apply to all code streams.
Will submit for 15/php7, 12/php72, 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5.
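As an added illustration of the bug class behind this fix (constructed for this page, not PHP's exif.c and not part of the bug thread): EXIF UserComment values carry an 8-byte character-set tag, and after "UNICODE\0" a 2-byte byte-order mark may follow; I model the over-read as the BOM compare running without a remaining-length check, with the guard added the way the commit linked above protects memcmp(). Function names and sample values are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of EXIF UserComment prefix handling (not PHP's exif.c).
 * The value begins with an 8-byte character-set code; after "UNICODE\0" an
 * optional byte-order mark (FE FF) may precede the text. Both functions
 * return the offset of the comment text, or -1 if not UNICODE-tagged. */

/* Before the fix (as modelled here): with ByteCount == 8 nothing remains
 * after the tag, yet memcmp() still reads 2 bytes past the buffer's end. */
int unicode_text_offset_unchecked(const unsigned char *val, int ByteCount)
{
    if (ByteCount < 8 || memcmp(val, "UNICODE\0", 8) != 0)
        return -1;
    val += 8; ByteCount -= 8;
    if (!memcmp(val, "\xFE\xFF", 2))   /* over-read whenever ByteCount < 2 */
        return 10;
    return 8;
}

/* After the fix: the remaining length gates the compare, so memcmp() never
 * touches bytes beyond what the caller handed over. */
int unicode_text_offset_checked(const unsigned char *val, int ByteCount)
{
    if (ByteCount < 8 || memcmp(val, "UNICODE\0", 8) != 0)
        return -1;
    val += 8; ByteCount -= 8;
    if (ByteCount >= 2 && !memcmp(val, "\xFE\xFF", 2))
        return 10;
    return 8;
}

/* Runs the checked variant on an exactly-sized heap copy of a constructed
 * value: the layout under which the unchecked variant over-reads. */
int text_offset_on_heap_copy(const char *bytes, int n)
{
    unsigned char *buf = malloc(n);
    if (!buf) return -2;
    memcpy(buf, bytes, n);
    int off = unicode_text_offset_checked(buf, n);
    free(buf);
    return off;
}

int main(void)
{
    printf("exact tag, no text: %d\n", text_offset_on_heap_copy("UNICODE\0", 8));
    printf("BOM then text:      %d\n", text_offset_on_heap_copy("UNICODE\0\xFE\xFFhi", 12));
    return 0;
}
```

Running the unchecked variant on the 8-byte case under valgrind or ASAN is what reports the invalid read; the checked variant is clean on the same input.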
I believe all fixed.
SUSE-SU-2019:2243-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1140118,1145095,1146360
CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php7-7.0.7-50.85.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I was able to reproduce the issue while testing the update. The issue was not fixed by the update - reported errors remain.

Results: (testphp is the reproducer script mentioned in the upstream issue page)

BEFORE:
-------
valgrind php testphp
==27244== Memcheck, a memory error detector
==27244== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27244== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==27244== Command: php testphp
==27244==
==27244== Conditional jump or move depends on uninitialised value(s)
==27244==    at 0x4C34280: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27244==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27244==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27244==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27244==    by 0x1: ???
==27244==    by 0x1FFF0004D6: ???
==27244==    by 0x1FFF0004DA: ???
==27244==
==27244== Conditional jump or move depends on uninitialised value(s)
==27244==    at 0x4C342A6: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27244==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27244==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27244==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27244==    by 0x1: ???
==27244==    by 0x1FFF0004D6: ???
==27244==    by 0x1FFF0004DA: ???
==27244==
==27244== Conditional jump or move depends on uninitialised value(s)
==27244==    at 0x4C342CF: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27244==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27244==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27244==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27244==    by 0x1: ???
==27244==    by 0x1FFF0004D6: ???
==27244==    by 0x1FFF0004DA: ???
==27244==
==27244== Conditional jump or move depends on uninitialised value(s)
==27244==    at 0x4C342F1: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27244==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27244==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27244==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27244==    by 0x1: ???
==27244==    by 0x1FFF0004D6: ???
==27244==    by 0x1FFF0004DA: ???
==27244==
==27244== Conditional jump or move depends on uninitialised value(s)
==27244==    at 0x63370A1: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27244==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27244==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27244==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27244==    by 0x1: ???
==27244==    by 0x1FFF0004D6: ???
==27244==    by 0x1FFF0004DA: ???
==27244==
PHP Warning:  exif_read_data(): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Process tag(x9286=UserComment): Illegal format code 0x3030, suppose BYTE in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Illegal IFD offset in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): File structure corrupted in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Invalid JPEG file in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
==27244==
==27244== HEAP SUMMARY:
==27244==     in use at exit: 108,415 bytes in 62 blocks
==27244==   total heap usage: 59,533 allocs, 59,471 frees, 6,685,076 bytes allocated
==27244==
==27244== LEAK SUMMARY:
==27244==    definitely lost: 0 bytes in 0 blocks
==27244==    indirectly lost: 0 bytes in 0 blocks
==27244==      possibly lost: 0 bytes in 0 blocks
==27244==    still reachable: 108,415 bytes in 62 blocks
==27244==         suppressed: 0 bytes in 0 blocks
==27244== Rerun with --leak-check=full to see details of leaked memory
==27244==
==27244== For counts of detected and suppressed errors, rerun with: -v
==27244== Use --track-origins=yes to see where uninitialised values come from
==27244== ERROR SUMMARY: 10 errors from 5 contexts (suppressed: 0 from 0)

AFTER:
-------
valgrind php testphp
==16477== Memcheck, a memory error detector
==16477== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16477== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==16477== Command: php testphp
==16477==
==16477== Conditional jump or move depends on uninitialised value(s)
==16477==    at 0x4C34280: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16477==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==16477==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==16477==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==16477==    by 0x1: ???
==16477==    by 0x1FFF0004D6: ???
==16477==    by 0x1FFF0004DA: ???
==16477==
==16477== Conditional jump or move depends on uninitialised value(s)
==16477==    at 0x4C342A6: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16477==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==16477==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==16477==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==16477==    by 0x1: ???
==16477==    by 0x1FFF0004D6: ???
==16477==    by 0x1FFF0004DA: ???
==16477==
==16477== Conditional jump or move depends on uninitialised value(s)
==16477==    at 0x4C342CF: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16477==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==16477==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==16477==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==16477==    by 0x1: ???
==16477==    by 0x1FFF0004D6: ???
==16477==    by 0x1FFF0004DA: ???
==16477==
==16477== Conditional jump or move depends on uninitialised value(s)
==16477==    at 0x4C342F1: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16477==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==16477==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==16477==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==16477==    by 0x1: ???
==16477==    by 0x1FFF0004D6: ???
==16477==    by 0x1FFF0004DA: ???
==16477==
==16477== Conditional jump or move depends on uninitialised value(s)
==16477==    at 0x63370A1: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==16477==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==16477==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==16477==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==16477==    by 0x1: ???
==16477==    by 0x1FFF0004D6: ???
==16477==    by 0x1FFF0004DA: ???
==16477==
PHP Warning:  exif_read_data(): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Process tag(x9286=UserComment): Illegal format code 0x3030, suppose BYTE in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Illegal IFD offset in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): File structure corrupted in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Invalid JPEG file in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
==16477==
==16477== HEAP SUMMARY:
==16477==     in use at exit: 108,415 bytes in 62 blocks
==16477==   total heap usage: 59,533 allocs, 59,471 frees, 6,685,045 bytes allocated
==16477==
==16477== LEAK SUMMARY:
==16477==    definitely lost: 0 bytes in 0 blocks
==16477==    indirectly lost: 0 bytes in 0 blocks
==16477==      possibly lost: 0 bytes in 0 blocks
==16477==    still reachable: 108,415 bytes in 62 blocks
==16477==         suppressed: 0 bytes in 0 blocks
==16477== Rerun with --leak-check=full to see details of leaked memory
==16477==
==16477== For counts of detected and suppressed errors, rerun with: -v
==16477== Use --track-origins=yes to see where uninitialised values come from
==16477== ERROR SUMMARY: 10 errors from 5 contexts (suppressed: 0 from 0)
SUSE-SU-2019:2270-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1145095,1146360
CVE References: CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php72-7.2.5-1.23.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:14158-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1140118,1145095,1146360
CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): php53-5.3.17-112.71.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-112.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
An update workflow for this issue was started. This issue was rated as moderate.
Please submit fixed packages until 2019-09-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64349
SUSE-SU-2019:2503-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1145095,1146360,1151793
CVE References: CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Web Scripting 15 (src): php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): php7-7.2.5-4.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2271-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1145095,1146360,1151793
CVE References: CVE-2019-11041,CVE-2019-11042
Sources used:
openSUSE Leap 15.0 (src): php7-7.2.5-lp150.2.25.1
Submitted also for 12/php5.
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
This is an autogenerated message for OBS integration: This bug (1145095) was mentioned in https://build.opensuse.org/request/show/802846 Factory / php7
This is an autogenerated message for OBS integration: This bug (1145095) was mentioned in https://build.opensuse.org/request/show/802978 Factory / php7
This is an autogenerated message for OBS integration: This bug (1145095) was mentioned in https://build.opensuse.org/request/show/804946 Factory / php7
This is an autogenerated message for OBS integration: This bug (1145095) was mentioned in https://build.opensuse.org/request/show/805287 Factory / php7
This is an autogenerated message for OBS integration: This bug (1145095) was mentioned in https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81