https://bugs.php.net/bug.php?id=78069

Function iconv_mime_decode_headers() in PHP may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.(CVE-2019-11039)

When using gdImageCreateFromXbm() function of PHP gd extension, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. (CVE-2019-11038)

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11040)

This update for php7 fixes the following issues :

Security issues fixed: &#9; 

  - CVE-2019-11039: Fixed a heap-buffer-overflow on     php_jpg_get16 (bsc#1138173).

  - CVE-2019-11040: Fixed an out-of-bounds read due to an     integer overflow in iconv.c:_php_iconv_mime_decode()     (bsc#1138172). &#9; 

This update was imported from the SUSE:SLE-15:Update update project.

This update for php7 fixes the following issues :

Security issues fixed :

CVE-2019-11039: Fixed a heap-buffer-overflow on php_jpg_get16 (bsc#1138173).

CVE-2019-11040: Fixed an out-of-bounds read due to an integer overflow in iconv.c:_php_iconv_mime_decode() (bsc#1138172).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

Security issues fixed :

CVE-2019-11039: Fixed a heap-buffer-overflow on php_jpg_get16 (bsc#1138173).

CVE-2019-11040: Fixed an out-of-bounds read due to an integer overflow in iconv.c:_php_iconv_mime_decode() (bsc#1138172).

CVE-2015-1351: Fixed a use after free in opcache extension (bsc#1137633).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues :

Security issues fixed :

CVE-2019-11039: Fixed a heap-buffer-overflow on php_jpg_get16 (bsc#1138173).

CVE-2019-11040: Fixed an out-of-bounds read due to an integer overflow in iconv.c:_php_iconv_mime_decode() (bsc#1138172).

Other issue addressed: Enable php7 testsuite (bsc#1119396

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php72 fixes the following issues :

Security issues fixed :

CVE-2019-11039: Fixed a heap-buffer-overflow on php_jpg_get16 (bsc#1138173).

CVE-2019-11040: Fixed an out-of-bounds read due to an integer overflow in iconv.c:_php_iconv_mime_decode() (bsc#1138172).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.30, 7.2.x prior to 7.2.19 or 7.3.x prior to 7.3.6. It is, therefore, affected by the following vulnerabilities:

 - An uninitialized read vulnerability exists in gdImageCreateFromXbm due to sscanf method not being able to read a hex value. An attacker may be able exploit this issue, to cause the disclose of sensitive information. (CVE-2019-11038)

 - An out of bounds read vulnerability exists in iconv.c:_php_iconv_mime_decode() due to integer overflow. An attacker may be able exploit this issue, to cause the disclose of sensitive information. (CVE-2019-11039)

 - A heap-based buffer overflow condition exists on php_jpg_get16. An attacker can exploit this, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-11040)

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

**PHP version 7.2.19** (30 May 2019)

**EXIF:**

  - Fixed bug php#77988 (heap-buffer-overflow on     php_jpg_get16). (CVE-2019-11040) (Stas)

**FPM:**

  - Fixed bug php#77934 (php-fpm kill -USR2 not working).
    (Jakub Zelenka)

  - Fixed bug php#77921 (static.php.net doesn't work     anymore). (Peter Kokot)

**GD:**

  - Fixed bug php#77943 (imageantialias($image, false); does     not work). (cmb)

  - Fixed bug php#77973 (Uninitialized read in     gdImageCreateFromXbm). (CVE-2019-11038) (cmb)

**Iconv:**

  - Fixed bug php#78069 (Out-of-bounds read in     iconv.c:_php_iconv_mime_decode() due to integer     overflow). (CVE-2019-11039). (maris dot adam)

**JSON:**

  - Fixed bug php#77843 (Use after free with json     serializer). (Nikita)

**Opcache:**

  - Fixed possible crashes, because of inconsistent PCRE     cache and opcache SHM reset. (Alexey Kalinin, Dmitry)

**PDO_MySQL:**

  - Fixed bug php#77944 (Wrong meta pdo_type for bigint on     LLP64). (cmb)

**Reflection:**

  - Fixed bug php#75186 (Inconsistent reflection of     Closure:::__invoke()). (Nikita)

**Session:**

  - Fixed bug php#77911 (Wrong warning for     session.sid_bits_per_character). (cmb)

**SPL:**

  - Fixed bug php#77024 (SplFileObject::__toString() may     return array). (Craig Duncan)

**SQLite:**

  - Fixed bug php#77967 (Bypassing open_basedir restrictions     via file uris). (Stas)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that PHP incorrectly handled certain exif tags in images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11036)

It was discovered that PHP incorrectly decoding certain MIME headers.
A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-11039)

It was discovered that PHP incorrectly handled certain exif tags in images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-11040).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**PHP version 7.3.6** (30 May 2019)

**cURL:**

  - Implemented FR php#72189 (Add missing CURL_VERSION_*     constants). (Javier Spagnoletti)

**EXIF:**

  - Fixed bug php#77988 (heap-buffer-overflow on     php_jpg_get16). (CVE-2019-11040) (Stas)

**FPM:**

  - Fixed bug php#77934 (php-fpm kill -USR2 not working).
    (Jakub Zelenka)

  - Fixed bug php#77921 (static.php.net doesn't work     anymore). (Peter Kokot)

**GD:**

  - Fixed bug php#77943 (imageantialias($image, false); does     not work). (cmb)

  - Fixed bug php#77973 (Uninitialized read in     gdImageCreateFromXbm). (CVE-2019-11038) (cmb)

**Iconv:**

  - Fixed bug php#78069 (Out-of-bounds read in     iconv.c:_php_iconv_mime_decode() due to integer     overflow). (CVE-2019-11039). (maris dot adam)

**JSON:**

  - Fixed bug php#77843 (Use after free with json     serializer). (Nikita)

**Opcache:**

  - Fixed possible crashes, because of inconsistent PCRE     cache and opcache SHM reset. (Alexey Kalinin, Dmitry)

**PDO_MySQL:**

  - Fixed bug php#77944 (Wrong meta pdo_type for bigint on     LLP64). (cmb)

**Reflection:**

  - Fixed bug php#75186 (Inconsistent reflection of     Closure:::__invoke()). (Nikita)

**Session:**

  - Fixed bug php#77911 (Wrong warning for     session.sid_bits_per_character). (cmb)

**SOAP:**

  - Fixed bug php#77945 (Segmentation fault when     constructing SoapClient with WSDL_CACHE_BOTH). (Nikita)

**SPL:**

  - Fixed bug php#77024 (SplFileObject::__toString() may     return array). (Craig Duncan)

**SQLite:**

  - Fixed bug php#77967 (Bypassing open_basedir restrictions     via file uris). (Stas)

**Standard:**

  - Fixed bug php#77931 (Warning for array_map mentions     wrong type). (Nikita)

  - Fixed bug php#78003 (strip_tags output change since PHP     7.3). (cmb)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two vulnerabilities were found in PHP, a widely-used open source general purpose scripting language.

CVE-2019-11039

An integer underflow in the iconv module could be exploited to trigger an out of bounds read.

CVE-2019-11040

A heap buffer overflow was discovered in the EXIF parsing code.

For Debian 8 'Jessie', these problems have been fixed in version 5.6.40+dfsg-0+deb8u4.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.6.
It is, therefore, affected by the following vulnerabilities:

  - An uninitialized vulnerability exists in gdImageCreateFromXbm due to sscanf method not being   able to read a hex value. An attacker may be able exploit this issue,   to cause the disclose of sensitive information. (CVE-2019-11038)

  - An out of bounds read vulnerability exists in iconv.c:_php_iconv_mime_decode() due to integer overflow.
  An attacker may be able exploit this issue, to cause the disclose of sensitive information. (CVE-2019-11039)

  - A heap-based buffer overflow condition exists on php_jpg_get16. An attacker can exploit this,   to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-11040)

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.30.
It is, therefore, affected by the following vulnerabilities:

  - An uninitialized vulnerability exists in gdImageCreateFromXbm due to sscanf method not being   able to read a hex value. An attacker may be able exploit this issue,   to cause the disclose of sensitive information. (CVE-2019-11038)

  - An out of bounds read vulnerability exists in iconv.c:_php_iconv_mime_decode() due to integer overflow.
  An attacker may be able exploit this issue, to cause the disclose of sensitive information. (CVE-2019-11039)

  - A heap-based buffer overflow condition exists on php_jpg_get16. An attacker can exploit this,   to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-11040)

According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.19.
It is, therefore, affected by the following vulnerabilities:

  - An uninitialized vulnerability exists in gdImageCreateFromXbm due to sscanf method not being   able to read a hex value. An attacker may be able exploit this issue,   to cause the disclose of sensitive information. (CVE-2019-11038)

  - An out of bounds read vulnerability exists in iconv.c:_php_iconv_mime_decode() due to integer overflow.
  An attacker may be able exploit this issue, to cause the disclose of sensitive information. (CVE-2019-11039)

  - A heap-based buffer overflow condition exists on php_jpg_get16. An attacker can exploit this,   to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-11040)

ID	Name	Product	Family	Severity
127068	Amazon Linux AMI : php71 / php72,php73 (ALAS-2019-1240)	Nessus	Amazon Linux Local Security Checks	medium
126908	openSUSE Security Update : php7 (openSUSE-2019-1778)	Nessus	SuSE Local Security Checks	medium
126693	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2019:1832-1)	Nessus	SuSE Local Security Checks	medium
126500	SUSE SLES12 Security Update : php5 (SUSE-SU-2019:1746-1)	Nessus	SuSE Local Security Checks	high
126463	SUSE SLES12 Security Update : php7 (SUSE-SU-2019:1725-1)	Nessus	SuSE Local Security Checks	medium
126462	SUSE SLES12 Security Update : php72 (SUSE-SU-2019:1724-1)	Nessus	SuSE Local Security Checks	medium
98621	PHP 7.1.x < 7.1.30 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98620	PHP 7.2.x < 7.2.19 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98619	PHP 7.3.x < 7.3.6 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
125787	Fedora 29 : php (2019-8c4b25b5ec)	Nessus	Fedora Local Security Checks	medium
125769	Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : php7.0, php7.2 vulnerabilities (USN-4009-1)	Nessus	Ubuntu Local Security Checks	medium
125747	Fedora 30 : php (2019-be4f895015)	Nessus	Fedora Local Security Checks	medium
125682	Debian DLA-1813-1 : php5 security update	Nessus	Debian Local Security Checks	medium
125681	PHP 7.3.x < 7.3.6 Multiple Vulnerabilities.	Nessus	CGI abuses	medium
125640	PHP 7.1.x < 7.1.30 Multiple Vulnerabilities.	Nessus	CGI abuses	medium
125639	PHP 7.2.x < 7.2.19 Multiple Vulnerabilities.	Nessus	CGI abuses	medium

CVE-2019-11039

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins