Bug 1154999 - (CVE-2019-11043) VUL-0: CVE-2019-11043: php5,php72,php7,php53: env_path_info underflow in fpm_main.c can lead to RCE
(CVE-2019-11043)
VUL-0: CVE-2019-11043: php5,php72,php7,php53: env_path_info underflow in fpm_...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/245741/
CVSSv3:SUSE:CVE-2019-11043:8.1:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-10-24 13:35 UTC by Alexandros Toptsoglou
Modified: 2021-09-14 12:51 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Alexandros Toptsoglou 2019-10-24 13:45:39 UTC
Tracked as affected: 

php72
php7 
php53 in SLE11-SP3
php5 in SLE12 

php5 in SLE11-SP1 and SLE10-SP3 ASFAICS do not ship the php-fpm

In comment 0 the upstream bug report and the fix are available.
Comment 3 Petr Gajdos 2019-10-25 09:50:30 UTC
Packages submitted for: 15/php7,12/php72,12/php7,11sp3/php53.
Comment 4 Petr Gajdos 2019-10-25 09:57:29 UTC
Fixed also in devel:languages:php:php56/php5.
Comment 7 Swamp Workflow Management 2019-10-29 17:14:17 UTC
SUSE-SU-2019:2809-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.88.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.88.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-10-30 14:12:03 UTC
SUSE-SU-2019:2819-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.46.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-11-05 20:46:57 UTC
openSUSE-SU-2019:2441-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.13.1, php7-test-7.2.5-lp151.6.13.1
Comment 10 Swamp Workflow Management 2019-11-06 17:12:38 UTC
SUSE-SU-2019:2909-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.29.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.29.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-11-09 17:13:01 UTC
openSUSE-SU-2019:2457-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154999
CVE References: CVE-2019-11043
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.29.2, php7-test-7.2.5-lp150.2.29.2
Comment 12 Petr Gajdos 2020-02-10 14:52:17 UTC
Submitted also for 12/php5.
Comment 15 Swamp Workflow Management 2020-02-28 14:26:19 UTC
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Alexandros Toptsoglou 2020-04-29 13:45:49 UTC
Done
Comment 17 OBSbugzilla Bot 2020-05-12 08:02:18 UTC
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 18 OBSbugzilla Bot 2020-05-12 14:02:03 UTC
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 19 OBSbugzilla Bot 2020-05-13 08:21:54 UTC
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7
Comment 21 OBSbugzilla Bot 2020-05-13 13:31:21 UTC
This is an autogenerated message for OBS integration:
This bug (1154999) was mentioned in
https://build.opensuse.org/request/show/805287 Factory / php7