Bugzilla – Bug 1162629
VUL-0: CVE-2020-7059: php5,php72,php7,php53: Out of bounds read in php_strip_tags_ex
Last modified: 2020-05-27 15:24:38 UTC
rh#1797776

A flaw was found in php before 7.4.2. An out of bounds read in php_strip_tags_ex may lead to denial of service or potentially disclosure of sensitive data.

Upstream issue: https://bugs.php.net/79099
Patch: https://git.php.net/?p=php-src.git;a=commitdiff;h=0f79b1bf301f455967676b5129240140c5c45b09

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1797776
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7059
Judging by the patch, tracking all codestreams as affected:
- SUSE:SLE-10-SP3:Update / php5
- SUSE:SLE-11:Update / php5
- SUSE:SLE-11-SP2:Update / php53
- SUSE:SLE-11-SP3:Update / php53
- SUSE:SLE-12:Update / php5
- SUSE:SLE-12:Update / php7
- SUSE:SLE-12:Update / php72
- SUSE:SLE-15:Update / php7
Using phpt from the upstream commit.

BEFORE

15/php7,11sp3/php53,11/php5
$ USE_ZEND_ALLOC=0 valgrind -q php bug79099.php
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62E108: php_strip_tags_ex (string.c:4847)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==  Address 0x715cd1f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x6CAA38: __zend_malloc (zend_alloc.c:2829)
==28433==    by 0x6D2ABA: _estrndup (zend_alloc.c:2537)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==
string(0) ""
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62E040: php_strip_tags_ex (string.c:4874)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==  Address 0x715f35f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x6CAA38: __zend_malloc (zend_alloc.c:2829)
==28433==    by 0x6D2ABA: _estrndup (zend_alloc.c:2537)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==
string(0) ""
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62DA50: php_strip_tags_ex (string.c:4901)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==  Address 0x716199f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x6CAA38: __zend_malloc (zend_alloc.c:2829)
==28433==    by 0x6D2ABA: _estrndup (zend_alloc.c:2537)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==    by 0x7C0343: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==28433==    by 0x7C0343: execute_ex (zend_vm_execute.h:59734)
==28433==    by 0x7CAFA7: zend_execute (zend_vm_execute.h:63760)
==28433==    by 0x6FF63F: zend_execute_scripts (zend.c:1496)
==28433==    by 0x68D62F: php_execute_script (main.c:2590)
==28433==    by 0x7CD9E7: do_cli (php_cli.c:1011)
==28433==    by 0x50F78A: main (php_cli.c:1404)
==28433==
string(0) ""
$

AFTER

15/php7,11sp3/php53,11/php5
$ USE_ZEND_ALLOC=0 valgrind -q php bug79099.php
string(0) ""
string(0) ""
string(0) ""
string(0) ""
string(0) ""
string(0) ""
$
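The BEFORE/AFTER comparison above can be automated when the same test is run across several codestreams. The following is an added example, not part of the bug report or of PHP's test suite: it parses memcheck output of the kind shown in the comment and reports whether a named function faulted before the fix and is clean afterwards. The names `parse_memcheck`, `sites` and `regression_ok` are hypothetical, and the sample text is a constructed, shortened copy of the report.

```python
import re

# Constructed sample: a shortened memcheck report in the format of the BEFORE run
# (most frames trimmed); SAMPLE_AFTER stands for a clean run with no valgrind lines.
SAMPLE_BEFORE = """\
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62E108: php_strip_tags_ex (string.c:4847)
==28433==    by 0x5F6CD4: zif_fgetss (file.c:1132)
==28433==  Address 0x715cd1f is 1 bytes before a block of size 3 alloc'd
==28433==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28433==    by 0x62D46E: php_strip_tags_ex (string.c:4706)
==28433==
string(0) ""
==28433== Invalid read of size 1
==28433==    at 0x62E040: php_strip_tags_ex (string.c:4874)
==28433==  Address 0x715f35f is 1 bytes before a block of size 3 alloc'd
==28433==
string(0) ""
"""
SAMPLE_AFTER = 'string(0) ""\nstring(0) ""\n'

LINE = re.compile(r"^==\d+==\s?(.*)$")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
WHERE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes (before|after|inside) a block of size (\d+)")

def parse_memcheck(text):
    """Return one dict per invalid access: kind, size, faulting frame, block offset."""
    errors, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        body = m.group(1) if m else ""  # non-valgrind lines are program output
        if (e := ERROR.match(body)):
            cur = {"kind": e.group(1), "size": int(e.group(2)), "site": None, "where": None}
            errors.append(cur)
        elif cur and cur["site"] is None and (f := FRAME.match(body)):
            cur["site"] = (f.group(1), f.group(2))  # first frame = faulting function
        elif cur and (w := WHERE.match(body)):
            cur["where"] = (int(w.group(1)), w.group(2), int(w.group(3)))
    return errors

def sites(text, func):
    """Source locations where func is the faulting frame."""
    return [e["site"][1] for e in parse_memcheck(text) if e["site"] and e["site"][0] == func]

def regression_ok(before, after, func="php_strip_tags_ex"):
    """True when func faulted before the fix and no longer faults after it."""
    return bool(sites(before, func)) and not sites(after, func)
```

Requiring a fault in the BEFORE run guards against a test that passes only because the reproducer never reached the vulnerable code.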
Will submit for: 15/php7, 12/php72, 11sp3/php53, 11/php5 and 10sp3/php5.
Also committed to devel:languages:php:php56/php5.
Packages submitted, I believe all fixed.
Submitted also for 12/php5.
SUSE-SU-2020:0397-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1161982,1162629,1162632
CVE References: CVE-2019-20433,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.37.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php72-7.2.5-1.37.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14289-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927,1161982,1162629
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2019-20433,CVE-2020-7059
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): php53-5.3.17-112.79.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-112.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2020-03-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64419
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0622-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1162629,1162632,1165280,1165289
CVE References: CVE-2020-7059,CVE-2020-7060,CVE-2020-7062,CVE-2020-7063
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): php7-7.2.5-4.52.4
SUSE Linux Enterprise Server 15-LTSS (src): php7-7.2.5-4.52.4
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.52.4
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): php7-7.2.5-4.52.4
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): php7-7.2.5-4.52.4
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): php7-7.2.5-4.52.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0341-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1162629,1162632,1165280,1165289
CVE References: CVE-2020-7059,CVE-2020-7060,CVE-2020-7062,CVE-2020-7063
Sources used:
openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.22.1, php7-test-7.2.5-lp151.6.22.1
All released.