Bug 1573797 (CVE-2018-10549)

Summary: CVE-2018-10549 php: Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apmukher, fedora, hhorak, jorton, kbost, kwalker, miturria, ravpatil, rcollet, rschiron, webstack-team, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.6.36, php 7.0.30, php 7.1.17, php 7.2.5 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read has been found in PHP when function exif_iif_add_value handles the case of a MakerNote that lacks a final terminator character. A remote attacker could use this vulnerability to cause a crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-19 08:47:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1563859, 1573816, 1578330, 1578331    
Bug Blocks: 1573818, 1574650    

Description Adam Mariš 2018-05-02 09:48:13 UTC 
An issue was discovered in PHP before from 5.6.25 to 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.

Upstream bug:

https://bugs.php.net/bug.php?id=76130

Upstream patch:

https://git.php.net/?p=php-src.git;a=commit;h=b4e4788c4461449b4587e19ef1f474ce938e4980
Comment 1 Adam Mariš 2018-05-02 10:04:40 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1573816]
Comment 8 errata-xmlrpc 2019-08-19 08:41:04 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519
Comment 9 Product Security DevOps Team 2019-08-19 08:47:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-10549