Bug 1702256 (CVE-2019-11034)

Summary: CVE-2019-11034 php: Heap buffer overflow in function exif_process_IFD_TAG()
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: fedora, hhorak, jlyle, jorton, patalber, rcollet, webstack-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: php 7.1.28, php 7.2.17, php 7.3.4
Last Closed: 2019-08-19 08:48:01 UTC
Bug Depends On: 1706886, 1702259, 1706884, 1706887, 1706888, 1706889
Bug Blocks: 1702258

Description Dhananjay Arunesh 2019-04-23 10:41:39 UTC
When processing certain files, the PHP EXIF extension in versions 7.1.x below 7.2.8, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past the allocated buffer in the exif_process_IFD_TAG function. This may lead to information disclosure or a crash.

Reference:
https://bugs.php.net/bug.php?id=77753

Upstream commit:
http://git.php.net/?p=php-src.git;a=commit;h=f3aefc6d071b807ddacae0a0bc49f09c38e18490
http://git.php.net/?p=php-src.git;a=commit;h=a1631ac57b853edd81431e57c266ec813e180acd
http://git.php.net/?p=php-src.git;a=commit;h=1c0d06441aefee18b30520e2b1ae89cbfcf56a59

Comment 1 Dhananjay Arunesh 2019-04-23 10:45:50 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1702259]

Comment 6 Marco Benatto 2019-05-06 14:49:26 UTC
Currently, the EXIF module from the php packages doesn't properly validate the number of IFD entries. A crafted image may contain an invalid IFD count, leading to a heap buffer overflow and an improper read of heap data in the php_ifd_get32s() function.
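
The kind of check comment 6 says is missing, as an added example (not PHP's code and not the upstream fix): a bounds-checked walk of a TIFF/EXIF IFD that rejects an entry count or value offset reaching past the buffer. It goes beyond the count check to per-entry value ranges; `ifd_validate`, the constructed sample arrays, and the assumption that offsets are relative to the start of `buf` are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte size of TIFF field types 1..12 (index 0 unused). */
static const uint8_t type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Hypothetical helper: returns the entry count if every read an IFD parser
 * would make stays inside buf[0..len), otherwise -1. le = little-endian. */
int ifd_validate(const uint8_t *buf, size_t len, size_t ifd_off, int le)
{
    if (ifd_off > len || len - ifd_off < 2) return -1;     /* 2-byte count */
    size_t n = rd16(buf + ifd_off, le);
    if ((len - ifd_off - 2) / 12 < n) return -1;           /* n 12-byte entries */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd_off + 2 + i * 12;
        uint16_t type = rd16(e + 2, le);
        uint32_t comps = rd32(e + 4, le);
        if (type == 0 || type > 12) return -1;             /* unknown type */
        uint64_t bytes = (uint64_t)comps * type_size[type]; /* cannot wrap */
        if (bytes <= 4) continue;                          /* value is inline */
        uint32_t off = rd32(e + 8, le);
        if (off > len || bytes > len - off) return -1;     /* value out of range */
    }
    return (int)n;
}

/* Constructed little-endian samples: one ASCII entry (tag 0x010F). */
const uint8_t sample_ok[18]        = {0x01,0x00, 0x0F,0x01, 0x02,0x00, 0x04,0,0,0, 'a','b','c',0, 0,0,0,0};
const uint8_t sample_bad_count[18] = {0xFF,0x00, 0x0F,0x01, 0x02,0x00, 0x04,0,0,0, 'a','b','c',0, 0,0,0,0};
const uint8_t sample_bad_value[18] = {0x01,0x00, 0x0F,0x01, 0x02,0x00, 0x40,0,0,0, 0x10,0,0,0, 0,0,0,0};

int main(void) {
    printf("ok=%d bad_count=%d bad_value=%d\n",
           ifd_validate(sample_ok, sizeof sample_ok, 0, 1),
           ifd_validate(sample_bad_count, sizeof sample_bad_count, 0, 1),
           ifd_validate(sample_bad_value, sizeof sample_bad_value, 0, 1));
    return 0;
}
```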

Comment 7 errata-xmlrpc 2019-08-19 08:42:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519

Comment 8 Product Security DevOps Team 2019-08-19 08:48:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11034

Comment 9 errata-xmlrpc 2019-11-01 13:00:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299