Bug 1146360 (CVE-2019-11041) - VUL-0: CVE-2019-11041: php5,php72,php7,php53: php: heap buffer over-read in exif_scan_thumbnail()
Summary: VUL-0: CVE-2019-11041: php5,php72,php7,php53: php: heap buffer over-read in e...
Status: RESOLVED FIXED
Alias: CVE-2019-11041
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority / Severity: P3 - Medium : Major
Target Milestone: ---
Deadline: 2019-09-20
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/239340/
Whiteboard: CVSSv2:NVD:CVE-2019-11041:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-20 11:34 UTC by Wolfgang Frisch
Modified: 2023-10-26 10:35 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Wolfgang Frisch 2019-08-20 12:20:09 UTC
Following my investigation of the PHP source code, I conclude the following packages are affected:

SUSE:SLE-10-SP3:Update php5
SUSE:SLE-11:Update php5
SUSE:SLE-11-SP2:Update php53
SUSE:SLE-11-SP3:Update php53
SUSE:SLE-12:Update php5 
SUSE:SLE-12:Update php7
SUSE:SLE-12:Update php72
SUSE:SLE-15:Update php7
Comment 4 Petr Gajdos 2019-08-23 10:55:59 UTC
I cannot reproduce any invalid reads, with or without ASAN or with valgrind, using the test case from the upstream commit. The fix protects memcmp() from unintended reading and seems to clearly apply to all code streams, indeed.
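The comment above describes the fix as a guard that keeps memcmp() from reading beyond the thumbnail buffer. The following is an added illustration of that pattern in C, not PHP's exif code and not the upstream patch: a hypothetical classifier for the leading bytes of a thumbnail blob, shown once in the pre-fix shape (magic-number compare with no length check, which over-reads when the EXIF-supplied size is shorter than the magic) and once in the length-guarded shape. The struct-free `classify_bytes`/`classify_unchecked` functions, the `thumb_kind` enum and the sample byte arrays are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical classifier for the leading bytes of an EXIF thumbnail blob.
 * Not PHP's code: it reproduces only the shape of the check the bug is about,
 * a magic-number memcmp() on a buffer whose length comes from untrusted EXIF
 * fields, first without and then with a length guard. */

enum thumb_kind { THUMB_NONE = 0, THUMB_JPEG, THUMB_TIFF, THUMB_UNKNOWN };

/* Pre-fix shape: compares n magic bytes without asking how long the buffer is.
 * With len < n this reads past the allocation (the heap over-read class of
 * CVE-2019-11041). Kept only for comparison; never call it on short input. */
static enum thumb_kind classify_unchecked(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    if (p == NULL || len == 0)
        return THUMB_NONE;
    if (memcmp(p, "\xFF\xD8\xFF", 3) == 0)          /* reads 3 bytes even if len == 1 */
        return THUMB_JPEG;
    if (memcmp(p, "II*\0", 4) == 0 || memcmp(p, "MM\0*", 4) == 0)
        return THUMB_TIFF;
    return THUMB_UNKNOWN;
}

/* Length-guarded prefix compare: true only when the buffer really holds n bytes
 * and they equal magic. A buffer shorter than the magic is simply "no match". */
static int has_prefix(const unsigned char *p, size_t len, const char *magic, size_t n)
{
    if (p == NULL || len < n)
        return 0;
    return memcmp(p, magic, n) == 0;
}

/* Post-fix shape: every memcmp() is preceded by a length check. */
enum thumb_kind classify_bytes(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    if (p == NULL || len == 0)
        return THUMB_NONE;
    if (has_prefix(p, len, "\xFF\xD8\xFF", 3))       /* JPEG SOI followed by a marker */
        return THUMB_JPEG;
    if (has_prefix(p, len, "II*\0", 4) || has_prefix(p, len, "MM\0*", 4))
        return THUMB_TIFF;                            /* TIFF little- / big-endian header */
    return THUMB_UNKNOWN;
}

int main(void)
{
    /* Constructed inputs: a well-formed JPEG prefix and a truncated one. */
    static const unsigned char jpeg[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10};
    static const unsigned char truncated[] = {0xFF, 0xD8};

    printf("full prefix (unchecked): %d\n", classify_unchecked(jpeg, sizeof jpeg));
    printf("full prefix (checked):   %d\n", classify_bytes(jpeg, sizeof jpeg));
    /* classify_unchecked(truncated, 2) would read byte [2] past the end;
     * the guarded version reports "unknown" and touches nothing out of bounds. */
    printf("truncated (checked):     %d\n", classify_bytes(truncated, sizeof truncated));
    return 0;
}
```

Running the guarded version under valgrind or ASAN on a two-byte input produces no report, which is the property the comment above is checking for; the unchecked version only stays silent because the sample buffer happens to be long enough.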
Comment 5 Petr Gajdos 2019-08-23 10:57:09 UTC
Will submit for 15/php7, 12/php72, 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 6 Petr Gajdos 2019-08-23 11:05:08 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2019-08-28 19:14:27 UTC
SUSE-SU-2019:2243-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1140118,1145095,1146360
CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.85.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Vasileios ANastasiadis 2019-08-30 09:36:21 UTC
I was able to reproduce the issue while testing the update. 

The issue was not fixed by the update - reported errors remain.

(testphp is the reproducer script mentioned in the upstream issue page)

Results:

BEFORE:
-------

valgrind php testphp2
==27342== Memcheck, a memory error detector
==27342== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27342== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==27342== Command: php testphp2
==27342== 
==27342== Conditional jump or move depends on uninitialised value(s)
==27342==    at 0x4C34280: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27342==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27342==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27342==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27342==    by 0x1: ???
==27342==    by 0x1FFF0004D6: ???
==27342==    by 0x1FFF0004DA: ???
==27342== 
==27342== Conditional jump or move depends on uninitialised value(s)
==27342==    at 0x4C342A6: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27342==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27342==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27342==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27342==    by 0x1: ???
==27342==    by 0x1FFF0004D6: ???
==27342==    by 0x1FFF0004DA: ???
==27342== 
==27342== Conditional jump or move depends on uninitialised value(s)
==27342==    at 0x4C342CF: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27342==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27342==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27342==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27342==    by 0x1: ???
==27342==    by 0x1FFF0004D6: ???
==27342==    by 0x1FFF0004DA: ???
==27342== 
==27342== Conditional jump or move depends on uninitialised value(s)
==27342==    at 0x4C342F1: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27342==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27342==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27342==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27342==    by 0x1: ???
==27342==    by 0x1FFF0004D6: ???
==27342==    by 0x1FFF0004DA: ???
==27342== 
==27342== Conditional jump or move depends on uninitialised value(s)
==27342==    at 0x63370A1: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==27342==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==27342==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==27342==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==27342==    by 0x1: ???
==27342==    by 0x1FFF0004D6: ???
==27342==    by 0x1FFF0004DA: ???
==27342== 
==27342== 
==27342== HEAP SUMMARY:
==27342==     in use at exit: 108,415 bytes in 62 blocks
==27342==   total heap usage: 59,553 allocs, 59,491 frees, 6,688,959 bytes allocated
==27342== 
==27342== LEAK SUMMARY:
==27342==    definitely lost: 0 bytes in 0 blocks
==27342==    indirectly lost: 0 bytes in 0 blocks
==27342==      possibly lost: 0 bytes in 0 blocks
==27342==    still reachable: 108,415 bytes in 62 blocks
==27342==         suppressed: 0 bytes in 0 blocks
==27342== Rerun with --leak-check=full to see details of leaked memory
==27342== 
==27342== For counts of detected and suppressed errors, rerun with: -v
==27342== Use --track-origins=yes to see where uninitialised values come from
==27342== ERROR SUMMARY: 10 errors from 5 contexts (suppressed: 0 from 0)

AFTER:
-------

valgrind php testphp
==8878== Memcheck, a memory error detector
==8878== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8878== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==8878== Command: php testphp
==8878== 
==8878== Conditional jump or move depends on uninitialised value(s)
==8878==    at 0x4C34280: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8878==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==8878==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==8878==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==8878==    by 0x1: ???
==8878==    by 0x1FFF0004D6: ???
==8878==    by 0x1FFF0004DA: ???
==8878== 
==8878== Conditional jump or move depends on uninitialised value(s)
==8878==    at 0x4C342A6: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8878==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==8878==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==8878==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==8878==    by 0x1: ???
==8878==    by 0x1FFF0004D6: ???
==8878==    by 0x1FFF0004DA: ???
==8878== 
==8878== Conditional jump or move depends on uninitialised value(s)
==8878==    at 0x4C342CF: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8878==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==8878==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==8878==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==8878==    by 0x1: ???
==8878==    by 0x1FFF0004D6: ???
==8878==    by 0x1FFF0004DA: ???
==8878== 
==8878== Conditional jump or move depends on uninitialised value(s)
==8878==    at 0x4C342F1: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8878==    by 0x633D08A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633C235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x633709C: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==8878==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==8878==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==8878==    by 0x1: ???
==8878==    by 0x1FFF0004D6: ???
==8878==    by 0x1FFF0004DA: ???
==8878== 
==8878== Conditional jump or move depends on uninitialised value(s)
==8878==    at 0x63370A1: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x634AFE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x625016A: ??? (in /usr/lib64/libcrypto.so.1.1)
==8878==    by 0x400FBF9: call_init.part.0 (in /lib64/ld-2.26.so)
==8878==    by 0x400FD05: _dl_init (in /lib64/ld-2.26.so)
==8878==    by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
==8878==    by 0x1: ???
==8878==    by 0x1FFF0004D6: ???
==8878==    by 0x1FFF0004DA: ???
==8878== 
PHP Warning:  exif_read_data(): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Process tag(x9286=UserComment): Illegal format code 0x3030, suppose BYTE in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Illegal IFD offset in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): File structure corrupted in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
PHP Warning:  exif_read_data(): Invalid JPEG file in /tmp/SUSE:Maintenance:12352:199616/testphp on line 4
==8878== 
==8878== HEAP SUMMARY:
==8878==     in use at exit: 108,415 bytes in 62 blocks
==8878==   total heap usage: 59,533 allocs, 59,471 frees, 6,685,110 bytes allocated
==8878== 
==8878== LEAK SUMMARY:
==8878==    definitely lost: 0 bytes in 0 blocks
==8878==    indirectly lost: 0 bytes in 0 blocks
==8878==      possibly lost: 0 bytes in 0 blocks
==8878==    still reachable: 108,415 bytes in 62 blocks
==8878==         suppressed: 0 bytes in 0 blocks
==8878== Rerun with --leak-check=full to see details of leaked memory
==8878== 
==8878== For counts of detected and suppressed errors, rerun with: -v
==8878== Use --track-origins=yes to see where uninitialised values come from
==8878== ERROR SUMMARY: 10 errors from 5 contexts (suppressed: 0 from 0)
Comment 10 Vasileios ANastasiadis 2019-08-30 10:27:44 UTC
Note: in 'before' I ran testphp2 and in 'after' testphp - it is the same file.
Comment 11 Swamp Workflow Management 2019-09-02 19:13:00 UTC
SUSE-SU-2019:2270-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1145095,1146360
CVE References: CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.23.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-09-03 16:12:36 UTC
SUSE-SU-2019:14158-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1140118,1145095,1146360
CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.71.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-09-06 13:03:24 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-09-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64349
Comment 18 Swamp Workflow Management 2019-10-01 16:16:46 UTC
SUSE-SU-2019:2503-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1145095,1146360,1151793
CVE References: CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.40.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2019-10-07 01:11:12 UTC
openSUSE-SU-2019:2271-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1145095,1146360,1151793
CVE References: CVE-2019-11041,CVE-2019-11042
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.25.1
Comment 23 Petr Gajdos 2020-02-10 14:52:19 UTC
Submitted also for 12/php5.
Comment 26 Swamp Workflow Management 2020-02-28 14:26:12 UTC
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Alexandros Toptsoglou 2020-03-03 13:17:44 UTC
Done
Comment 28 OBSbugzilla Bot 2020-05-12 08:02:08 UTC
This is an autogenerated message for OBS integration:
This bug (1146360) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 29 OBSbugzilla Bot 2020-05-12 14:01:57 UTC
This is an autogenerated message for OBS integration:
This bug (1146360) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 30 OBSbugzilla Bot 2020-05-13 08:21:49 UTC
This is an autogenerated message for OBS integration:
This bug (1146360) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7
Comment 32 OBSbugzilla Bot 2020-05-13 13:31:16 UTC
This is an autogenerated message for OBS integration:
This bug (1146360) was mentioned in
https://build.opensuse.org/request/show/805287 Factory / php7
Comment 38 OBSbugzilla Bot 2023-10-26 10:35:47 UTC
This is an autogenerated message for OBS integration:
This bug (1146360) was mentioned in
https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81