Bug 1739465 (CVE-2019-11042)
Summary: | CVE-2019-11042 php: Heap buffer over-read in exif_process_user_comment() | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | fedora, fgrosjea, hhorak, jlyle, jorton, rcollet, security-response-team, webstack-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | php 7.1.31, php 7.2.21, php 7.3.8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-11-01 18:51:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1739466, 1749920, 1749921, 1749923, 1749924, 1749925, 1767426, 1772840, 1857699 | | |
Bug Blocks: | 1739467 | | |

Description
Marian Rehak
2019-08-09 11:29:55 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1739466]

Upstream commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=e648fa4699e8d072db6db34fcc09826e8127fab8

Upstream bug as well as the fix indicate short buffer over-read, that is unlikely to have any visible impact without using tools such as valgrind or AddressSanitizer.

There's a heap-based buffer overflow on PHP's exif module at function exif_process_user_comment(). When parsing the user comment IFD TAG, exif_process_user_comment() tries to verify the character encoding used; this information has 8 bytes in length and is stored at the beginning of the comment tag. Currently the function doesn't validate properly the buffer size after these first 8 bytes have been read out; given that, an attacker may leverage this weakness by creating an input image with a crafted user comment tag which will lead exif's module to an out-of-bounds read due to buffer overflow while reading the remaining comment information after the encoding data.

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11042

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1624 https://access.redhat.com/errata/RHSA-2020:1624

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662
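
The length check the report describes (an 8-byte encoding identifier, then comment data whose remaining size has to be validated again before each read), as an added example that is not PHP's code and not part of the original bug report. `parse_user_comment`, `struct user_comment` and the 2-byte marker peek are hypothetical, chosen only to show a read from the remainder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_HDR_LEN 8  /* encoding identifier at the start of the tag value */
enum uc_status { UC_OK = 0, UC_TOO_SHORT = -1 };

struct user_comment {
    char           encoding[ENC_HDR_LEN + 1]; /* NUL-terminated copy of the identifier */
    const uint8_t *text;                      /* points into the caller's buffer */
    size_t         text_len;                  /* bytes left after header and marker */
    int            has_marker;                /* 1 if a 2-byte 0xFE 0xFF marker was skipped */
};

/* Hypothetical parser: every read is checked against the bytes still
 * remaining, not against the original tag length. */
int parse_user_comment(const uint8_t *value, size_t len, struct user_comment *out)
{
    if (len < ENC_HDR_LEN)
        return UC_TOO_SHORT;              /* cannot even hold the identifier */
    memcpy(out->encoding, value, ENC_HDR_LEN);
    out->encoding[ENC_HDR_LEN] = '\0';

    const uint8_t *rest = value + ENC_HDR_LEN;
    size_t remaining = len - ENC_HDR_LEN; /* no wrap-around: len >= 8 checked above */
    out->has_marker = 0;
    /* Assumed step for illustration: peek at a 2-byte marker in the remainder.
     * Without "remaining >= 2", a tag of exactly 8 bytes would make memcmp
     * read past the end of the heap allocation. */
    if (remaining >= 2 && memcmp(rest, "\xFE\xFF", 2) == 0) {
        out->has_marker = 1;
        rest += 2;
        remaining -= 2;
    }
    out->text = rest;
    out->text_len = remaining;
    return UC_OK;
}

int main(void)
{
    /* Constructed sample: identifier only, no comment bytes after it. */
    static const uint8_t tag[] = { 'U','N','I','C','O','D','E',0 };
    struct user_comment uc;
    int rc = parse_user_comment(tag, sizeof tag, &uc);
    printf("rc=%d encoding=%s text_len=%zu\n", rc, uc.encoding, uc.text_len);
    return rc == UC_OK ? 0 : 1;
}
```

Building this with `-fsanitize=address` and removing the `remaining >= 2` condition reproduces the kind of finding the report says only valgrind or AddressSanitizer would surface.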