Bug 1685398 (CVE-2019-9023) - CVE-2019-9023 php: Heap-based buffer over-read in mbstring regular expression functions
Summary: CVE-2019-9023 php: Heap-based buffer over-read in mbstring regular expression...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1709133 1709132 1709134 1709135 1709136
Blocks: 1680558
Reported: 2019-03-05 06:21 UTC by Dhananjay Arunesh
Modified: 2019-11-06 10:12 UTC
CC List: 6 users

Fixed In Version: php 5.6.40, php 7.1.26, php 7.2.14, php 7.3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 08:47:43 UTC
Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2019:3727  None      None    None     2019-11-06 10:12:32 UTC
Red Hat Product Errata  RHSA-2019:2519  None      None    None     2019-08-19 08:42:49 UTC
Red Hat Product Errata  RHSA-2019:3299  None      None    None     2019-11-01 13:00:45 UTC

Description Dhananjay Arunesh 2019-03-05 06:21:52 UTC
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Upstream commit:
http://git.php.net/?p=php-src.git;a=commit;h=20407d06ca3cb5eeb10f876a812b40c381574bcc
http://git.php.net/?p=php-src.git;a=commit;h=deb06bbb9cbb31292fc219501614a8c3ff25bb11
http://git.php.net/?p=php-src.git;a=commit;h=c6e34d91b88638966662caac62c4d0e90538e317
http://git.php.net/?p=php-src.git;a=commit;h=28362ed4fae6969b5a8878591a5a06eadf114e03
http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
http://git.php.net/?p=php-src.git;a=commit;h=b6fe458ef9ac1372b60c3d3810b0358e2e20840d

Upstream Patch:
https://gist.github.com/hughdavenport/c5696e48ea3a83bfe12075f79b2b5abf
https://gist.github.com/hughdavenport/89849d35cc27c2242edcce4eb7c93520
https://gist.github.com/hughdavenport/3cb40fcf956085de44bf4443c25c58fe
https://gist.github.com/hughdavenport/aa428164c8f30d20c178ce0ab2907947
https://gist.github.com/hughdavenport/09b48d4b20a28bcd7afaa530e2ec6731
https://gist.github.com/hughdavenport/7f7b78c08aea058eaa955510d1548f12
https://gist.github.com/hughdavenport/3db8c2b9f92765c84196b387c32faaea

References:
https://bugs.php.net/bug.php?id=77370 
https://bugs.php.net/bug.php?id=77371 
https://bugs.php.net/bug.php?id=77381 
https://bugs.php.net/bug.php?id=77382 
https://bugs.php.net/bug.php?id=77385 
https://bugs.php.net/bug.php?id=77394
https://bugs.php.net/bug.php?id=77418

Comment 3 Huzaifa S. Sidhpurwala 2019-05-13 05:18:39 UTC
Flaw is related to how certain mb_strings in php are processed. Impact is crash due to OOB read. The PHP script, however, needs to allow users to upload arbitrary and malicious strings which are treated by mb_strings by PHP.

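The description above names the trigger (a multibyte regex pattern carrying invalid multibyte sequences reaching the Oniguruma engine behind mb_ereg and friends) and Comment 3 names the precondition (the script lets users supply the strings that mbstring processes). The following is an added example written for this page, not code from the bug reports, the PHP project or Red Hat: it shows that sink as a script would typically use it, a hardened wrapper that rejects malformed patterns with mb_check_encoding before they are compiled, and a version gate derived from the "Fixed In Version" line. The function names, the two sample patterns and the 256-byte cap are assumptions made here; the invalid sample is constructed to be malformed UTF-8 and is not claimed to reproduce any of the referenced crashes.

```php
<?php
// Added example for CVE-2019-9023 (not from the bug reports or php-src).
declare(strict_types=1);

// Constructed sample inputs. The second one ends in a truncated 3-byte
// UTF-8 sequence (0xE8 0xAA with no third byte), the class of input the
// report describes; it is not a reproducer taken from the PHP bugs.
const SAMPLE_VALID_PATTERN   = "日本.*語";
const SAMPLE_INVALID_PATTERN = "日本.*\xE8\xAA";

/**
 * Classify an upstream PHP version string against the fixed releases the
 * page lists: 5.6.40, 7.1.26, 7.2.14, 7.3.1. 7.0.x had no fixed release
 * ("7.x before 7.1.26") and is reported as affected; 7.4+ shipped after
 * the fix. Caveat: distribution builds such as the RHSA packages on this
 * page backport the fix without changing PHP_VERSION, so for those rely
 * on the package changelog / errata, not on this check.
 */
function cve_2019_9023_upstream_status(string $version): string
{
    if (version_compare($version, '7.4.0', '>=')) {
        return 'not affected (released after fix)';
    }
    if (version_compare($version, '7.3.0', '>=')) {
        return version_compare($version, '7.3.1', '>=') ? 'fixed' : 'affected';
    }
    if (version_compare($version, '7.2.0', '>=')) {
        return version_compare($version, '7.2.14', '>=') ? 'fixed' : 'affected';
    }
    if (version_compare($version, '7.0.0', '>=')) {
        return version_compare($version, '7.1.26', '>=') ? 'fixed' : 'affected';
    }
    if (version_compare($version, '5.6.0', '>=')) {
        return version_compare($version, '5.6.40', '>=') ? 'fixed' : 'affected';
    }
    return 'affected (branch older than 5.6, no fixed release)';
}

/**
 * The sink as the report describes it: the regular expression itself is
 * attacker-controlled and goes straight to Oniguruma. Kept here only to
 * show the shape of code that is exposed; do not use.
 */
function search_vulnerable(string $userPattern, string $haystack): bool
{
    mb_regex_encoding('UTF-8');
    return (bool) mb_ereg($userPattern, $haystack);
}

/**
 * Hardened form: validate both strings as well-formed in the regex
 * encoding before mb_ereg compiles anything, and cap pattern length.
 * Returns null when the input is refused so callers can tell "refused"
 * from "no match". This removes the invalid-sequence trigger; it does not
 * replace patching, and if users only need literal search, mb_strpos on
 * the raw input is the safer API than any user-supplied pattern.
 */
function search_hardened(string $userPattern, string $haystack, int $maxLen = 256): ?bool
{
    $enc = 'UTF-8';
    mb_regex_encoding($enc);
    if (!mb_check_encoding($userPattern, $enc) || !mb_check_encoding($haystack, $enc)) {
        return null; // malformed multibyte data: never reaches Oniguruma
    }
    if (strlen($userPattern) > $maxLen) {
        return null; // bound the work a hostile pattern can demand
    }
    return (bool) mb_ereg($userPattern, $haystack);
}

// Usage: report the running interpreter and exercise both samples.
printf("PHP %s: %s\n", PHP_VERSION, cve_2019_9023_upstream_status(PHP_VERSION));
var_dump(search_hardened(SAMPLE_VALID_PATTERN, '日本語のテキスト'));
var_dump(search_hardened(SAMPLE_INVALID_PATTERN, '日本語のテキスト'));
```

The valid sample matches; the malformed one is refused before compilation. On a Red Hat Software Collections host, check the installed package against RHSA-2019:2519 or RHSA-2019:3299 rather than the printed upstream status, since those builds carry the fix under the original version number.
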
Comment 5 errata-xmlrpc 2019-08-19 08:42:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519

Comment 6 Product Security DevOps Team 2019-08-19 08:47:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9023

Comment 7 errata-xmlrpc 2019-11-01 13:00:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299