Bug 1162629 (CVE-2020-7059) - VUL-0: CVE-2020-7059: php5,php72,php7,php53: Out of bounds read in php_strip_tags_ex
Status: RESOLVED FIXED
Alias: CVE-2020-7059
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Deadline: 2020-03-09
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/252318/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-7059:5.3:(AV:...
Reported: 2020-02-04 11:50 UTC by Robert Frohl
Modified: 2020-05-27 15:24 UTC
Found By: Security Response Team


Description Robert Frohl 2020-02-04 11:50:59 UTC
rh#1797776

A flaw was found in php before 7.4.2. An out of bounds read in php_strip_tags_ex may lead to denial of service or potentially disclosure of sensitive data.

Upstream issue:

https://bugs.php.net/79099

Patch:

https://git.php.net/?p=php-src.git;a=commitdiff;h=0f79b1bf301f455967676b5129240140c5c45b09

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1797776
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7059
Comment 1 Robert Frohl 2020-02-04 11:54:37 UTC
Judging by the patch, tracking all codestreams as affected:

- SUSE:SLE-10-SP3:Update / php5
- SUSE:SLE-11:Update / php5
- SUSE:SLE-11-SP2:Update / php53
- SUSE:SLE-11-SP3:Update / php53
- SUSE:SLE-12:Update / php5
- SUSE:SLE-12:Update / php7
- SUSE:SLE-12:Update / php72
- SUSE:SLE-15:Update / php7
Comment 3 Petr Gajdos 2020-02-05 12:33:23 UTC
Using phpt from the upstream commit.

BEFORE

15/php7,11sp3/php53,11/php5

$ USE_ZEND_ALLOC=0 valgrind  -q php bug79099.php
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62E108: php_strip_tags_ex (string.c:4847)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==  Address 0x715cd1f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x6CAA38: __zend_malloc (zend_alloc.c:2829)
==28433==    by 0x6D2ABA: _estrndup (zend_alloc.c:2537)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==
string(0) ""
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62E040: php_strip_tags_ex (string.c:4874)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==  Address 0x715f35f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x6CAA38: __zend_malloc (zend_alloc.c:2829)
==28433==    by 0x6D2ABA: _estrndup (zend_alloc.c:2537)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==
string(0) ""
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62DA50: php_strip_tags_ex (string.c:4901)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==  Address 0x716199f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x6CAA38: __zend_malloc (zend_alloc.c:2829)
==28433==    by 0x6D2ABA: _estrndup (zend_alloc.c:2537)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==
string(0) ""
$


AFTER

15/php7,11sp3/php53,11/php5

$ USE_ZEND_ALLOC=0 valgrind  -q php bug79099.php
string(0) ""
string(0) ""
string(0) ""
string(0) ""
string(0) ""
string(0) ""
$
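
The valgrind report in comment 3 flags a one-byte read just before a 3-byte heap block. The C program below is an added illustration of that bug class, not PHP's code and not the upstream patch: it assumes a scanner that carries quote state between chunks and looks one byte back to detect an escape, and `scan_state`, `count_closed` and `run_chunk` are hypothetical names operating on constructed input.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical scanner state kept between chunks, the way a line-at-a-time
 * reader carries "inside a quoted string" from one read to the next. */
struct scan_state { char in_quote; };

/* Counts quotes closed in buf[0..len). A closing quote preceded by a
 * backslash is treated as escaped. guarded=0 is the flawed look-behind,
 * guarded=1 refuses to look before the start of the chunk. */
static int count_closed(const char *buf, size_t len,
                        struct scan_state *st, int guarded)
{
    int closed = 0;
    for (const char *p = buf; p < buf + len; p++) {
        if (st->in_quote && *p == st->in_quote) {
            int escaped = guarded ? (p != buf && p[-1] == '\\')
                                  : (p[-1] == '\\'); /* buf[-1] when p == buf */
            if (!escaped) {
                st->in_quote = 0;
                closed++;
            }
        } else if (!st->in_quote && (*p == '"' || *p == '\'')) {
            st->in_quote = *p;
        }
    }
    return closed;
}

/* Constructed input: the 3-byte chunk {'"','x','\0'} sits at arena+1, so
 * the byte "before the chunk" is a defined neighbour here; on a real heap
 * it belongs to whatever precedes the allocation. */
int run_chunk(char neighbour, int guarded)
{
    char arena[4] = { neighbour, '"', 'x', '\0' };
    struct scan_state st = { '"' };  /* earlier chunk ended inside "..." */
    return count_closed(arena + 1, 3, &st, guarded);
}

int main(void)
{
    printf("unguarded, neighbour 'A' : %d\n", run_chunk('A', 0));
    printf("unguarded, neighbour '\\' : %d\n", run_chunk('\\', 0));
    printf("guarded,   neighbour 'A' : %d\n", run_chunk('A', 1));
    printf("guarded,   neighbour '\\' : %d\n", run_chunk('\\', 1));
    return 0;
}
```

With the unguarded look-behind, the same 3-byte chunk parses differently depending on a byte it does not own; the guarded form returns the same result for both neighbours.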
Comment 4 Petr Gajdos 2020-02-05 12:38:15 UTC
Will submit for: 15/php7, 12/php72, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 5 Petr Gajdos 2020-02-05 15:53:54 UTC
Also committed to devel:languages:php:php56/php5.
Comment 6 Petr Gajdos 2020-02-05 15:56:27 UTC
Packages submitted, I believe all fixed.
Comment 9 Petr Gajdos 2020-02-10 14:52:01 UTC
Submitted also for 12/php5.
Comment 11 Swamp Workflow Management 2020-02-18 17:13:54 UTC
SUSE-SU-2020:0397-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1161982,1162629,1162632
CVE References: CVE-2019-20433,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.37.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.37.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-02-24 14:12:10 UTC
SUSE-SU-2020:14289-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927,1161982,1162629
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2019-20433,CVE-2020-7059
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-02-24 17:00:30 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2020-03-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64419
Comment 16 Swamp Workflow Management 2020-02-28 14:26:56 UTC
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-03-09 20:24:20 UTC
SUSE-SU-2020:0622-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1162629,1162632,1165280,1165289
CVE References: CVE-2020-7059,CVE-2020-7060,CVE-2020-7062,CVE-2020-7063
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    php7-7.2.5-4.52.4
SUSE Linux Enterprise Server 15-LTSS (src):    php7-7.2.5-4.52.4
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.52.4
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.52.4
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    php7-7.2.5-4.52.4
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    php7-7.2.5-4.52.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-03-15 11:11:18 UTC
openSUSE-SU-2020:0341-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1162629,1162632,1165280,1165289
CVE References: CVE-2020-7059,CVE-2020-7060,CVE-2020-7062,CVE-2020-7063
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.22.1, php7-test-7.2.5-lp151.6.22.1
Comment 20 Wolfgang Frisch 2020-05-27 15:24:38 UTC
All released.