Bug 1159855 - (CVE-2019-11049) VUL-1: CVE-2019-11049: php72,php7: when supplying custom headers to mail() function
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: unspecified
Assigned To: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/249633/
Reported: 2019-12-27 14:15 UTC by Alexandros Toptsoglou
Modified: 2019-12-27 14:17 UTC
Found By: Security Response Team


Description Alexandros Toptsoglou 2019-12-27 14:15:45 UTC
CVE-2019-11049

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom
headers to the mail() function, due to a mistake introduced in commit
78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in
lowercase, this can result in double-freeing certain memory locations.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11049
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11049.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11049
https://bugs.php.net/bug.php?id=78943
Comment 1 Alexandros Toptsoglou 2019-12-27 14:17:27 UTC
This does not affect versions older than 7.3. Additionally, this bug affects only Windows. Closing.
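
The CVE description above ties the double free to headers that are already lowercase. The following C sketch is an added illustration, not PHP's code and not taken from the bug report. It assumes one common way such a bug arises: a case-normalizing helper that returns its input pointer when nothing needs changing, so cleanup must check for aliasing before releasing both pointers. The names `lower_or_same` and `process_headers` are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not PHP's API): returns s itself when it has no
 * uppercase characters, otherwise a newly allocated lowercase copy. */
static char *lower_or_same(char *s)
{
    size_t i, n = strlen(s);
    char *out;

    for (i = 0; i < n && !isupper((unsigned char)s[i]); i++)
        ;
    if (i == n)
        return s;                      /* result aliases the input */
    if ((out = malloc(n + 1)) == NULL)
        return NULL;
    for (i = 0; i <= n; i++)
        out[i] = (char)tolower((unsigned char)s[i]);
    return out;
}

/* Returns 1 if the lowercase result aliased the working copy (the case in
 * which freeing both pointers unconditionally frees one block twice),
 * 0 if it was a separate allocation, -1 on allocation failure. */
int process_headers(const char *headers)
{
    size_t n = strlen(headers);
    char *copy = malloc(n + 1), *lower;
    int aliased;

    if (copy == NULL)
        return -1;
    memcpy(copy, headers, n + 1);
    if ((lower = lower_or_same(copy)) == NULL) {
        free(copy);
        return -1;
    }
    aliased = (lower == copy);
    /* Flawed cleanup would be: free(lower); free(copy); */
    if (!aliased)
        free(lower);                   /* second buffer only if distinct */
    free(copy);
    return aliased;
}

/* Constructed sample header; exit status 0 means the aliasing case was hit. */
int main(void) { return process_headers("from: a@example.test\r\n") == 1 ? 0 : 1; }
```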