Bug 1159922 (CVE-2019-11047) - VUL-0: CVE-2019-11047: php5,php72,php7,php53: information disclosure in exif_read_data()
Status: RESOLVED FIXED
Alias: CVE-2019-11047
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2020-01-22
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/249634/
Whiteboard: CVSSv3:NVD:CVE-2019-11047:9.1:(AV:N/A...
Reported: 2019-12-30 16:34 UTC by Alexander Bergmann
Modified: 2020-04-29 13:46 UTC
Found By: Security Response Team
Description Alexander Bergmann 2019-12-30 16:34:27 UTC
rh#1786570

A vulnerability was found in PHP: when the EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.

Reference:
https://bugs.php.net/bug.php?id=78910

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1786570
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11047
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11047.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11047
https://bugs.php.net/bug.php?id=78910
Comment 1 Petr Gajdos 2020-01-02 13:43:23 UTC
I cannot reproduce.

$ valgrind  -q php test.php
--5039-- WARNING: Serious error when reading debug info
--5039-- When reading debug info from /usr/lib64/php7/extensions/exif.so:
--5039-- get_Form_contents: DW_FORM_GNU_strp_alt used, but no alternate .debug_str
PHP Notice:  exif_read_data(): Read from TIFF: tag(0x927C, MakerNote  ): Illegal format code 0x2020, switching to BYTE in /159922/test.php on line 3
PHP Warning:  exif_read_data(): Process tag(x927C=MakerNote  ): Illegal format code 0x2020, suppose BYTE in /159922/test.php on line 3
PHP Warning:  exif_read_data(): Process tag(x927C=MakerNote  ): Illegal components(0) in /159922/test.php on line 3
PHP Warning:  exif_read_data(): Invalid TIFF file in /159922/test.php on line 3
bool(false)
$
Comment 2 Petr Gajdos 2020-01-02 13:43:49 UTC
Patch applies cleanly everywhere.

Will submit for: 15/php7, 12/php72, 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 3 Petr Gajdos 2020-01-02 13:45:39 UTC
(Testcase from the upstream bug.)
Comment 4 Petr Gajdos 2020-01-02 15:30:34 UTC
I have also submitted 7.3.13 version update into 15sp2.
Comment 5 Petr Gajdos 2020-01-02 15:59:19 UTC
Packages submitted. I believe all fixed.
Comment 7 Swamp Workflow Management 2020-01-08 15:32:10 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2020-01-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64405
Comment 8 Swamp Workflow Management 2020-01-14 23:12:27 UTC
SUSE-SU-2020:0101-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-01-20 17:19:22 UTC
openSUSE-SU-2020:0080-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.19.2, php7-test-7.2.5-lp151.6.19.2
Comment 10 Swamp Workflow Management 2020-01-30 20:19:31 UTC
SUSE-SU-2020:0267-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.32.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.32.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-02-06 20:12:15 UTC
SUSE-SU-2020:0352-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.91.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.91.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Petr Gajdos 2020-02-10 14:52:12 UTC
Submitted also for devel:languages:php:php56/php5.
Submitted also for 12/php5.
Comment 16 Swamp Workflow Management 2020-02-24 14:11:33 UTC
SUSE-SU-2020:14289-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927,1161982,1162629
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2019-20433,CVE-2020-7059
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-02-28 14:26:25 UTC
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Alexandros Toptsoglou 2020-04-29 13:46:11 UTC
Done
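
The description gives upstream version ranges, while the update notices above show the fix shipped as backports under unchanged version numbers (for example php7-7.2.5-4.49.1). As an added example (not part of the bug report or of any SUSE tooling), this Python script contrasts a check against the upstream ranges with a check against the fixed releases listed in this bug; the function names and the older release 4.46.1 are constructed for illustration.

```python
import re

# First unaffected upstream release per branch, from the bug description
# ("7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0").
UPSTREAM_FIRST_OK = {(7, 2): (7, 2, 26), (7, 3): (7, 3, 13), (7, 4): (7, 4, 1)}

# Fixed source packages (name, version, release) copied from the update
# notices in this bug. The version stays old because the patch is backported.
SUSE_FIXED = [
    ("php7", "7.2.5", "4.49.1"),
    ("php7", "7.2.5", "lp151.6.19.2"),   # openSUSE Leap 15.1 release stream
    ("php72", "7.2.5", "1.32.1"),
    ("php7", "7.0.7", "50.91.1"),
    ("php53", "5.3.17", "112.79.1"),
    ("php5", "5.5.14", "109.68.1"),
]

def upstream_affected(version):
    """What a scanner that only knows the upstream ranges would report."""
    v = tuple(int(x) for x in version.split(".")[:3])
    first_ok = UPSTREAM_FIRST_OK.get(v[:2])
    return first_ok is not None and v < first_ok

def stream(release):
    """Leading distro tag of a release, e.g. 'lp151'; '' for SLE releases."""
    m = re.match(r"[a-z]+\d+(?=\.)", release)
    return m.group(0) if m else ""

def rel_key(release):
    # Simplification: numeric dotted releases only, not full rpm ordering.
    rest = release[len(stream(release)):].lstrip(".")
    return tuple(int(p) for p in rest.split("."))

def package_status(name, version, release):
    """'fixed', 'vulnerable' or 'unknown' for an installed name-version-release."""
    for fname, fver, frel in SUSE_FIXED:
        if (fname, fver) == (name, version) and stream(frel) == stream(release):
            return "fixed" if rel_key(release) >= rel_key(frel) else "vulnerable"
    return "unknown"  # not a package listed in this bug: do not guess

if __name__ == "__main__":
    # Constructed inventory; the 4.46.1 release is made up for the example.
    for nvr in [("php7", "7.2.5", "4.49.1"), ("php7", "7.2.5", "4.46.1"),
                ("php53", "5.3.17", "112.79.1")]:
        print(nvr, upstream_affected(nvr[1]), package_status(*nvr))
```

The first row is the case that trips version-only scanners: 7.2.5 falls inside the upstream affected range, yet release 4.49.1 carries the backported fix. The php53 row shows the opposite mismatch, a package patched in this bug whose version the upstream ranges do not list at all.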