Bug 1739459 (CVE-2019-11041)

Summary: CVE-2019-11041 php: Heap buffer over-read in exif_scan_thumbnail()
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, fgrosjea, hhorak, jlyle, jorton, mbenatto, ravpatil, rcollet, security-response-team, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 7.1.31, php 7.2.21, php 7.3.8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-01 18:51:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1739464, 1749549, 1749550, 1749551, 1749552, 1749553, 1767425, 1772837, 1857698    
Bug Blocks: 1739467    

Description Marian Rehak 2019-08-09 11:24:02 UTC 
heap-buffer-overflow on exif_scan_thumbnail

Upstream issue and patch:

https://bugs.php.net/bug.php?id=78222
Comment 1 Marian Rehak 2019-08-09 11:29:28 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1739464]
Comment 2 Tomas Hoger 2019-08-09 12:55:37 UTC 
Upstream commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=f22101c8308669bb63c03a73a2cac2408d844f38

Upstream bug as well as the fix indicate short buffer over-read, that is unlikely to have any visible impact without using using tools as valgrind or AddressSanitizer.
Comment 6 Marco Benatto 2019-09-05 20:21:59 UTC 
PHP's exif module is responsible to extract exif information from images. One possible information contained in EXIF header are the possible thumbnails for the image itself. When parsing EXIF information the exif module allocate a buffer at exif_thumbnail_extract() to hold the Thumbnail image, this buffer's size is based on the Thumbnail size metadata present on the image. When the image has invalid thumbnail size it leads exif module to a heap-based buffer overflow on function exif_scan_thumbnail(). The overflow happens when exif_scan_thumbnail() tries to verify the JPEG magic number present in the Thumbnail image, which is 3-bytes long, but the thumbnail size contained at EXIF header is smaller than this value.
An attacker may leverage this flaw by using a crafted image to cause unexpected heap based data read, causing a low confidentiality impact.
Comment 14 errata-xmlrpc 2019-11-01 13:01:08 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299
Comment 15 Product Security DevOps Team 2019-11-01 18:51:17 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11041
Comment 17 errata-xmlrpc 2020-04-28 15:32:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1624 https://access.redhat.com/errata/RHSA-2020:1624
Comment 19 errata-xmlrpc 2020-09-08 09:46:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662