Bug 1685398 (CVE-2019-9023)

Summary: CVE-2019-9023 php: Heap-based buffer over-read in mbstring regular expression functions
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: hhorak, jorton, patalber, rcollet, webstack-team, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: php 5.6.40, php 7.1.26, php 7.2.14, php 7.3.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-19 08:47:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1709132, 1709133, 1709134, 1709135, 1709136
Bug Blocks: 1680558

Description Dhananjay Arunesh 2019-03-05 06:21:52 UTC
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Upstream commit:
http://git.php.net/?p=php-src.git;a=commit;h=20407d06ca3cb5eeb10f876a812b40c381574bcc
http://git.php.net/?p=php-src.git;a=commit;h=deb06bbb9cbb31292fc219501614a8c3ff25bb11
http://git.php.net/?p=php-src.git;a=commit;h=c6e34d91b88638966662caac62c4d0e90538e317
http://git.php.net/?p=php-src.git;a=commit;h=28362ed4fae6969b5a8878591a5a06eadf114e03
http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
http://git.php.net/?p=php-src.git;a=commit;h=b6fe458ef9ac1372b60c3d3810b0358e2e20840d

Upstream Patch:
https://gist.github.com/hughdavenport/c5696e48ea3a83bfe12075f79b2b5abf
https://gist.github.com/hughdavenport/89849d35cc27c2242edcce4eb7c93520
https://gist.github.com/hughdavenport/3cb40fcf956085de44bf4443c25c58fe
https://gist.github.com/hughdavenport/aa428164c8f30d20c178ce0ab2907947
https://gist.github.com/hughdavenport/09b48d4b20a28bcd7afaa530e2ec6731
https://gist.github.com/hughdavenport/7f7b78c08aea058eaa955510d1548f12
https://gist.github.com/hughdavenport/3db8c2b9f92765c84196b387c32faaea

References:
https://bugs.php.net/bug.php?id=77370 
https://bugs.php.net/bug.php?id=77371 
https://bugs.php.net/bug.php?id=77381 
https://bugs.php.net/bug.php?id=77382 
https://bugs.php.net/bug.php?id=77385 
https://bugs.php.net/bug.php?id=77394
https://bugs.php.net/bug.php?id=77418
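
Added example (not from the bug report, the PHP project or the linked patches): two defender-side checks in PHP, a version test against the Fixed In Version releases listed above, and a wrapper that refuses to pass invalid multibyte pattern or subject bytes to mb_ereg() so that malformed sequences never reach the oniguruma code named in the description. The function names mbstring_regex_fixed and safe_mb_ereg are assumed names.

```php
<?php
// Added example, not code from the bug report or from PHP itself.

// Is $version at or past the fixed releases (5.6.40, 7.1.26, 7.2.14, 7.3.1)?
// Affected per the advisory: before 5.6.40, 7.x before 7.1.26,
// 7.2.x before 7.2.14, 7.3.x before 7.3.1.
function mbstring_regex_fixed(string $version = PHP_VERSION): bool
{
    if (version_compare($version, '7.0.0', '<')) {
        return version_compare($version, '5.6.40', '>=');
    }
    if (version_compare($version, '7.2.0', '<')) {
        // 7.0.x and 7.1.x are both "7.x before 7.1.26"
        return version_compare($version, '7.1.26', '>=');
    }
    if (version_compare($version, '7.3.0', '<')) {
        return version_compare($version, '7.2.14', '>=');
    }
    if (version_compare($version, '7.4.0', '<')) {
        return version_compare($version, '7.3.1', '>=');
    }
    return true; // 7.4 and later shipped after the fix
}

// Wrapper around mb_ereg(): returns null (treat as validation failure) when
// either string is not a valid sequence in $encoding, otherwise the match
// result. Both pattern and subject may be user controlled (see Comment 3).
function safe_mb_ereg(string $pattern, string $subject, string $encoding = 'UTF-8'): ?bool
{
    if (!mb_check_encoding($pattern, $encoding) || !mb_check_encoding($subject, $encoding)) {
        return null;
    }
    mb_regex_encoding($encoding);
    return (bool) mb_ereg($pattern, $subject);
}

// Constructed samples: a truncated UTF-8 lead byte in the pattern is rejected
// before mb_ereg() sees it; a well-formed pattern is matched normally.
var_dump(mbstring_regex_fixed('7.2.13'));        // bool(false)
var_dump(mbstring_regex_fixed('7.3.1'));         // bool(true)
var_dump(safe_mb_ereg("\xE3\x81", 'abc'));       // NULL
var_dump(safe_mb_ereg('^a.c$', "a\xC3\xA9c"));  // bool(true)
```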

Comment 3 Huzaifa S. Sidhpurwala 2019-05-13 05:18:39 UTC
The flaw is related to how certain mb_strings in PHP are processed. The impact is a crash due to an OOB read. The PHP script, however, needs to allow users to upload arbitrary and malicious strings which are treated by mb_strings by PHP.

Comment 5 errata-xmlrpc 2019-08-19 08:42:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519

Comment 6 Product Security DevOps Team 2019-08-19 08:47:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9023

Comment 7 errata-xmlrpc 2019-11-01 13:00:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299

Comment 8 errata-xmlrpc 2020-04-28 15:31:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1624 https://access.redhat.com/errata/RHSA-2020:1624