An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences. Upstream commit: http://git.php.net/?p=php-src.git;a=commit;h=20407d06ca3cb5eeb10f876a812b40c381574bcc http://git.php.net/?p=php-src.git;a=commit;h=deb06bbb9cbb31292fc219501614a8c3ff25bb11 http://git.php.net/?p=php-src.git;a=commit;h=c6e34d91b88638966662caac62c4d0e90538e317 http://git.php.net/?p=php-src.git;a=commit;h=28362ed4fae6969b5a8878591a5a06eadf114e03 http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a http://git.php.net/?p=php-src.git;a=commit;h=b6fe458ef9ac1372b60c3d3810b0358e2e20840d Upstream Patch: https://gist.github.com/hughdavenport/c5696e48ea3a83bfe12075f79b2b5abf https://gist.github.com/hughdavenport/89849d35cc27c2242edcce4eb7c93520 https://gist.github.com/hughdavenport/3cb40fcf956085de44bf4443c25c58fe https://gist.github.com/hughdavenport/aa428164c8f30d20c178ce0ab2907947 https://gist.github.com/hughdavenport/09b48d4b20a28bcd7afaa530e2ec6731 https://gist.github.com/hughdavenport/7f7b78c08aea058eaa955510d1548f12 https://gist.github.com/hughdavenport/3db8c2b9f92765c84196b387c32faaea References: https://bugs.php.net/bug.php?id=77370 https://bugs.php.net/bug.php?id=77371 https://bugs.php.net/bug.php?id=77381 https://bugs.php.net/bug.php?id=77382 https://bugs.php.net/bug.php?id=77385 https://bugs.php.net/bug.php?id=77394 https://bugs.php.net/bug.php?id=77418
Flaw is related to how certain mb_strings in php are processed. Impact is crash due to OOB read. The PHP script however needs to allow users to upload arbitrary and malicious strings which are treated by mb_strings by PHP.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9023
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1624 https://access.redhat.com/errata/RHSA-2020:1624