Bug 1688943 (CVE-2019-9641) - CVE-2019-9641 php: Uninitialized read in exif_process_IFD_in_TIFF
Summary: CVE-2019-9641 php: Uninitialized read in exif_process_IFD_in_TIFF
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-9641
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1688952
Blocks: 1688949
TreeView+ depends on / blocked
 
Reported: 2019-03-14 18:23 UTC by Laura Pardo
Modified: 2019-09-29 15:09 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:50:50 UTC


Attachments (Terms of Use)

Description Laura Pardo 2019-03-14 18:23:24 UTC
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.


Upstream Bug:
https://bugs.php.net/bug.php?id=77509

Comment 1 Laura Pardo 2019-03-14 18:39:44 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1688952]

Comment 2 Riccardo Schirone 2019-03-19 16:50:13 UTC
The issue can be reproduced on 32bit builds only.

Comment 3 Riccardo Schirone 2019-03-19 16:50:16 UTC
Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 7 as they are built for 64bit architectures only, where the issue cannot be reproduced.

Comment 5 Riccardo Schirone 2019-05-13 11:54:24 UTC
Upstream patch:
https://github.com/php/php-src/commit/46e79c93518365c7bda894bc512f4be282a29d48


Note You need to log in before you can comment on or make changes to this bug.