Bug 1739465 (CVE-2019-11042)

Summary: CVE-2019-11042 php: Heap buffer over-read in exif_process_user_comment()
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, fgrosjea, hhorak, jlyle, jorton, rcollet, security-response-team, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 7.1.31, php 7.2.21, php 7.3.8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-01 18:51:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1739466, 1749920, 1749921, 1749923, 1749924, 1749925, 1767426, 1772840, 1857699    
Bug Blocks: 1739467    

Description Marian Rehak 2019-08-09 11:29:55 UTC 
heap-buffer-overflow on exif_process_user_comment

Upstream issue and fix:

https://bugs.php.net/bug.php?id=78256
Comment 1 Marian Rehak 2019-08-09 11:30:07 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1739466]
Comment 2 Tomas Hoger 2019-08-09 12:55:40 UTC 
Upstream commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=e648fa4699e8d072db6db34fcc09826e8127fab8

Upstream bug as well as the fix indicate short buffer over-read, that is unlikely to have any visible impact without using using tools as valgrind or AddressSanitizer.
Comment 4 Marco Benatto 2019-09-06 19:05:26 UTC 
There's a heap based buffer overflow on PHP's exif module at function exif_process_user_comment(). When parsing the user comment IFD TAG exif_process_user_comment() tries to verify the character encoding used, this information has 8 bytes in length and is stored at the beginning of comment tag. Currently the function doesn't validate properly the buffer size after this first 8 bytes has been read out, given that an attacker may leverage this weakness by creating an input image with a crafted user comment tag which will lead exif's module to out of bands read due to buffer overflow while reading the remaining comment information after the encoding data.
Comment 12 errata-xmlrpc 2019-11-01 13:01:11 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299
Comment 13 Product Security DevOps Team 2019-11-01 18:51:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11042
Comment 15 errata-xmlrpc 2020-04-28 15:32:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1624 https://access.redhat.com/errata/RHSA-2020:1624
Comment 17 errata-xmlrpc 2020-09-08 09:46:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662