heap-buffer-overflow on exif_process_user_comment

Upstream issue and fix: https://bugs.php.net/bug.php?id=78256
Created php tracking bugs for this issue: Affects: fedora-all [bug 1739466]
Upstream commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=e648fa4699e8d072db6db34fcc09826e8127fab8

Upstream bug as well as the fix indicate a short buffer over-read that is unlikely to have any visible impact without using tools such as valgrind or AddressSanitizer.
There's a heap-based buffer overflow in PHP's exif module, in the function exif_process_user_comment(). When parsing the user comment IFD tag, exif_process_user_comment() tries to verify the character encoding used; this information is 8 bytes long and is stored at the beginning of the comment tag. Currently the function doesn't properly validate the buffer size after these first 8 bytes have been read. An attacker may leverage this weakness by creating an input image with a crafted user comment tag, which will lead the exif module to an out-of-bounds read due to buffer overflow while reading the remaining comment information after the encoding data.
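The length handling described above, as an added example that is not code from php-src or from this bug report: a bounds-checked parser for an EXIF UserComment value. All names are hypothetical; the character codes are the 8-byte values from the EXIF specification, and the byte-order-mark peek is an assumed stand-in for any read that follows the 8-byte header.

```c
#include <string.h>

/* Names here are hypothetical; nothing is copied from php-src. */
enum uc_enc { UC_INVALID = -1, UC_UNDEFINED, UC_ASCII, UC_JIS, UC_UNICODE };

struct user_comment {
    enum uc_enc enc;
    int bom;                    /* 0 = none, 1 = FE FF, 2 = FF FE */
    const unsigned char *text;  /* points into the caller's buffer */
    size_t text_len;
};

/* Parse a UserComment value of exactly `len` bytes. Returns 0, or -1 when the
 * value is shorter than the 8-byte character code or the code is unknown. */
int parse_user_comment(const unsigned char *buf, size_t len, struct user_comment *out)
{
    /* char[8] initialisers are zero-padded, giving the 8-byte codes. */
    static const struct { char code[8]; enum uc_enc enc; } codes[] = {
        { "", UC_UNDEFINED }, { "ASCII", UC_ASCII },
        { "JIS", UC_JIS },    { "UNICODE", UC_UNICODE },
    };
    size_t i;
    if (buf == NULL || out == NULL || len < 8)
        return -1;
    out->enc = UC_INVALID;
    for (i = 0; i < sizeof codes / sizeof codes[0]; i++)
        if (memcmp(buf, codes[i].code, 8) == 0)
            out->enc = codes[i].enc;
    if (out->enc == UC_INVALID)
        return -1;
    buf += 8; len -= 8;         /* bytes left after the header; may be 0 */
    out->bom = 0;
    /* Test the remaining length BEFORE touching any byte past the header. */
    if (out->enc == UC_UNICODE && len >= 2) {
        if (memcmp(buf, "\xFE\xFF", 2) == 0) out->bom = 1;
        else if (memcmp(buf, "\xFF\xFE", 2) == 0) out->bom = 2;
        if (out->bom) { buf += 2; len -= 2; }
    }
    out->text = buf;
    out->text_len = len;
    return 0;
}

/* Convenience wrapper: comment length in bytes, or -1 if rejected. */
long user_comment_text_len(const unsigned char *buf, size_t len)
{
    struct user_comment uc;
    return parse_user_comment(buf, len, &uc) == 0 ? (long)uc.text_len : -1;
}
```

A value that ends exactly at the 8-byte header, or one byte after it, is accepted with no read past the end of the buffer; building the caller with AddressSanitizer confirms this on such inputs.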
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11042
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1624 https://access.redhat.com/errata/RHSA-2020:1624
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662