Bug 1837842 (CVE-2019-11048) - CVE-2019-11048 php: Integer wraparounds when receiving multipart forms
Summary: CVE-2019-11048 php: Integer wraparounds when receiving multipart forms
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11048
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1837843 1837913 1837915 1837916 1837918 1837919 1837920 1837921 1837922 1837923 1837924 1837925 1838693
Blocks: 1837849
TreeView+ depends on / blocked
 
Reported: 2020-05-20 06:35 UTC by Marian Rehak
Modified: 2024-03-25 15:56 UTC (History)
10 users (show)

Fixed In Version: php 7.3.18, php 7.2.31, php 7.4.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PHP under a non-default configuration, where it was vulnerable to integer wraparounds during the reception of a multipart POST request. This flaw allows a remote attacker to repeatedly crash PHP and fill the filesystem with temporary PHP files, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:11 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3662 0 None None None 2020-09-08 09:47:34 UTC
Red Hat Product Errata RHSA-2020:5275 0 None None None 2020-12-01 12:03:33 UTC

Description Marian Rehak 2020-05-20 06:35:17 UTC 
There are 2 integers wraparound flaws in php-src/main/rfc1867.c that allow a malicious user to crash PHP during a multipart/form-data file upload. A large multipart/form-data variable, or filename, may cause an integer overflow that leads to a subsequent crash.
Temporary files are not cleaned up, and could ultimately fill up the file system containing PHP temporary data.

Upstream Issues:

https://bugs.php.net/bug.php?id=78876
https://bugs.php.net/bug.php?id=78875
Comment 1 Marian Rehak 2020-05-20 06:35:36 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1837843]
Comment 2 Cedric Buissart 2020-05-20 08:18:01 UTC 
Upstream fixes :
* Fix #78876: Long variables cause OOM and temp files are not cleaned 
https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266

* Fix #78875: Long filenames cause OOM and temp files are not cleaned 
https://github.com/php/php-src/commit/1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87

For php-7.4 : https://github.com/php/php-src/commit/a3924ab6542a358a3099de992b63b932a9570add
For php-7.3 : https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266
For php-7.2 : https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266 https://github.com/php/php-src/commit/1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87
Comment 4 Joe Orton 2020-05-20 14:56:50 UTC 
Note that this issue requires a pathological configuration to trigger; post_max_size must be set to 2GB or higher.  Such a configuration allows an effective Denial of Service attack against any server and should never be used in production.
Comment 5 Cedric Buissart 2020-05-21 13:03:18 UTC 
Statement:

The severity of this issue is considered Moderate because it requires an unlikely large `post_max_size` to be configured.
Comment 6 Cedric Buissart 2020-05-21 13:03:21 UTC 
Mitigation:

Ensure that `post_max_size` is set to a value less than 2GB, or remains default.
Comment 14 errata-xmlrpc 2020-09-08 09:47:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662
Comment 15 Product Security DevOps Team 2020-09-08 13:19:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11048
Comment 16 errata-xmlrpc 2020-12-01 12:03:29 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5275 https://access.redhat.com/errata/RHSA-2020:5275
Note You need to log in before you can comment on or make changes to this bug.