Bug 1820627 (CVE-2020-7065)

Summary: CVE-2020-7065 php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, hhorak, jorton, kyoshida, nduffy, rcollet, security-response-team, tcrider, webstack-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: php 7.3.16, php 7.4.4
Doc Text: A vulnerability was found in PHP while using the mb_strtolower() function with UTF-32LE encoding, where certain invalid strings cause PHP to overwrite the stack-allocated buffer. This flaw leads to memory corruption, crashes, and potential code execution.
Last Closed: 2020-09-08 13:19:08 UTC
Bug Depends On: 1820629, 1821129, 1821130, 1857713
Bug Blocks: 1820607

Description Dhananjay Arunesh 2020-04-03 13:31:08 UTC
A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34. While using the mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite a stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.

Comment 1 Dhananjay Arunesh 2020-04-03 13:31:40 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1820629]

Comment 2 Remi Collet 2020-04-03 13:48:23 UTC
-A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34
+A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4

Comment 4 Huzaifa S. Sidhpurwala 2020-04-06 06:33:29 UTC
It is difficult to trigger these issues in production code, and it also depends on the way the PHP script is written. Therefore this issue has been downgraded to having moderate impact.
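
An added example, not part of the bug report or of PHP's own code: a script that lowercases untrusted UTF-32LE input can compare its runtime with the fixed releases listed on this page and reject malformed input before calling mb_strtolower(). The function names are hypothetical, and reading "invalid" as "not well-formed UTF-32LE" is an assumption, since the report does not say which strings cause the overwrite.

```php
<?php
// Added example; not from the bug report or php-src. Function names are hypothetical.
// Fixed releases as given on this page (Fixed In Version field, Comment 2).
const FIXED_IN = ['7.3' => '7.3.16', '7.4' => '7.4.4'];

// true = affected, false = fixed, null = branch this page says nothing about.
// Distribution packages may backport the fix without changing the version
// string (see the RHSA errata), so treat "true" as "check the package changelog".
function cve_2020_7065_affected(string $version): ?bool
{
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m) || !isset(FIXED_IN[$m[1]])) {
        return null;
    }
    return version_compare($version, FIXED_IN[$m[1]], '<');
}

// Assumption: "invalid" is read as "not well-formed UTF-32LE".
function is_wellformed_utf32le(string $bytes): bool
{
    if (strlen($bytes) % 4 !== 0) {
        return false;                       // truncated 4-byte code unit
    }
    if ($bytes === '') {
        return true;
    }
    foreach (unpack('V*', $bytes) as $cp) { // 'V' = 32-bit little-endian
        if ($cp < 0 || $cp > 0x10FFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) {
            return false;                   // out of Unicode range, or a surrogate
        }
    }
    return true;
}

// Refuse malformed input instead of handing it to the case-mapping code.
function strtolower_utf32le_checked(string $bytes): string
{
    if (!is_wellformed_utf32le($bytes)) {
        throw new InvalidArgumentException('input is not well-formed UTF-32LE');
    }
    return mb_strtolower($bytes, 'UTF-32LE');
}

// Constructed samples: "AB", a code unit just past U+10FFFF, and a truncated unit.
$samples = ['valid' => "A\0\0\0B\0\0\0", 'out_of_range' => "\x00\x00\x11\x00", 'truncated' => "A\0\0"];
printf("PHP %s affected: %s\n", PHP_VERSION, var_export(cve_2020_7065_affected(PHP_VERSION), true));
foreach ($samples as $name => $bytes) {
    printf("%-12s well-formed: %s\n", $name, var_export(is_wellformed_utf32le($bytes), true));
}
```

The input check narrows exposure on a runtime that cannot be upgraded yet; updating to a fixed release remains the actual fix.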

Comment 5 Huzaifa S. Sidhpurwala 2020-04-06 06:35:17 UTC
Upstream patch:
http://git.php.net/?p=php-src.git;a=commit;h=69155120e68d2e614d5c300974a1a5610cfa2e8b

Comment 6 Huzaifa S. Sidhpurwala 2020-04-06 06:35:21 UTC
External References:

https://www.php.net/ChangeLog-7.php#PHP_7_3
https://www.php.net/ChangeLog-7.php#PHP_7_4

Comment 12 errata-xmlrpc 2020-09-08 09:47:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

Comment 13 Product Security DevOps Team 2020-09-08 13:19:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7065

Comment 14 errata-xmlrpc 2020-12-01 12:03:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5275 https://access.redhat.com/errata/RHSA-2020:5275