openSUSE-SU-2019:1293

openSUSE-SU-2019:1503

openSUSE-SU-2019:1572

openSUSE-SU-2019:1573

RHSA-2019:2519

RHSA-2019:3299

https://bugs.php.net/bug.php?id=77563

[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update

https://security.netapp.com/advisory/ntap-20190502-0007/

USN-3922-1

USN-3922-2

USN-3922-3

DSA-4403

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1624 advisory.

  - php: Buffer over-read in PHAR reading functions     (CVE-2018-20783)

  - php: Heap buffer overflow in function     exif_process_IFD_TAG() (CVE-2019-11034)

  - php: Heap buffer overflow in function     exif_iif_add_value() (CVE-2019-11035)

  - php: Buffer over-read in exif_process_IFD_TAG() leading     to information disclosure (CVE-2019-11036)

  - php: Out-of-bounds read due to integer overflow in     iconv_mime_decode_headers() (CVE-2019-11039)

  - php: Buffer over-read in exif_read_data()     (CVE-2019-11040)

  - php: Heap buffer over-read in exif_scan_thumbnail()     (CVE-2019-11041)

  - php: Heap buffer over-read in     exif_process_user_comment() (CVE-2019-11042)

  - php: Invalid memory access in function xmlrpc_decode()     (CVE-2019-9020)

  - php: Heap-based buffer over-read in PHAR reading     functions (CVE-2019-9021)

  - php: memcpy with negative length via crafted DNS     response (CVE-2019-9022)

  - php: Heap-based buffer over-read in mbstring regular     expression functions (CVE-2019-9023)

  - php: Out-of-bounds read in base64_decode_xmlrpc in     ext/xmlrpc/libxmlrpc/base64.c (CVE-2019-9024)

  - php: File rename across filesystems may allow unwanted     access during processing (CVE-2019-9637)

  - php: Uninitialized read in exif_process_IFD_in_MAKERNOTE     (CVE-2019-9638, CVE-2019-9639)

  - php: Invalid read in exif_process_SOFn() (CVE-2019-9640)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following issues :

Security issues fixed :

  - CVE-2019-9637: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128892).

  - CVE-2019-9675: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128886).

  - CVE-2019-9638: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension ((bsc#1128889).

  - CVE-2019-9639: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128887).

  - CVE-2019-9640: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128883).

  - CVE-2019-9022: Fixed a vulnerability which could allow a     hostile DNS server to make PHP misuse memcpy     (bsc#1126827).

  - CVE-2019-9024: Fixed a vulnerability in xmlrpc_decode     function which could allow to a hostile XMLRPC server to     cause memory read outside the allocated areas     (bsc#1126821).

  - CVE-2019-9020: Fixed a heap out of bounds in     xmlrpc_decode function (bsc#1126711).

  - CVE-2018-20783: Fixed a buffer over-read in PHAR reading     functions which could allow an attacker to read     allocated and unallocated memory when parsing a phar     file (bsc#1127122).

  - CVE-2019-9021: Fixed a heap buffer-based buffer     over-read in PHAR reading functions which could allow an     attacker to read allocated and unallocated memory when     parsing a phar file (bsc#1126713).

  - CVE-2019-9023: Fixed multiple heap-based buffer     over-read instances in mbstring regular expression     functions (bsc#1126823).

  - CVE-2019-9641: Fixed multiple invalid memory access in     EXIF extension and improved insecure implementation of     rename function (bsc#1128722).

  - CVE-2018-19935: Fixed a Denial of Service in php_imap.c     which could be triggered via an empty string in the     message argument to imap_mail (bsc#1118832).

  - CVE-2019-11034: Fixed a heap-buffer overflow in     php_ifd_get32si() (bsc#1132838).

  - CVE-2019-11035: Fixed a heap-buffer overflow in     exif_iif_add_value() (bsc#1132837).

  - CVE-2019-11036: Fixed buffer over-read in     exif_process_IFD_TAG function leading to information     disclosure (bsc#1134322).

Other issue addressed :

  - Deleted README.default_socket_timeout which is not     needed anymore (bsc#1129032).

  - Enabled php7 testsuite (bsc#1119396).

This update was imported from the SUSE:SLE-15:Update update project.

This update for php7 fixes the following issues :

Security issues fixed :

CVE-2019-9637: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128892).

CVE-2019-9675: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128886).

CVE-2019-9638: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension ((bsc#1128889).

CVE-2019-9639: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128887).

CVE-2019-9640: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128883).

CVE-2019-9022: Fixed a vulnerability which could allow a hostile DNS server to make PHP misuse memcpy (bsc#1126827).

CVE-2019-9024: Fixed a vulnerability in xmlrpc_decode function which could allow to a hostile XMLRPC server to cause memory read outside the allocated areas (bsc#1126821).

CVE-2019-9020: Fixed a heap out of bounds in xmlrpc_decode function (bsc#1126711).

CVE-2018-20783: Fixed a buffer over-read in PHAR reading functions which could allow an attacker to read allocated and unallocated memory when parsing a phar file (bsc#1127122).

CVE-2019-9021: Fixed a heap buffer-based buffer over-read in PHAR reading functions which could allow an attacker to read allocated and unallocated memory when parsing a phar file (bsc#1126713).

CVE-2019-9023: Fixed multiple heap-based buffer over-read instances in mbstring regular expression functions (bsc#1126823).

CVE-2019-9641: Fixed multiple invalid memory access in EXIF extension and improved insecure implementation of rename function (bsc#1128722).

CVE-2018-19935: Fixed a Denial of Service in php_imap.c which could be triggered via an empty string in the message argument to imap_mail (bsc#1118832).

CVE-2019-11034: Fixed a heap-buffer overflow in php_ifd_get32si() (bsc#1132838).

CVE-2019-11035: Fixed a heap-buffer overflow in exif_iif_add_value() (bsc#1132837).

CVE-2019-11036: Fixed buffer over-read in exif_process_IFD_TAG function leading to information disclosure (bsc#1134322).

Other issue addressed: Deleted README.default_socket_timeout which is not needed anymore (bsc#1129032).

Enabled php7 testsuite (bsc#1119396).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

Security issues fixed :

  - CVE-2019-11034: Fixed a heap-buffer overflow in     php_ifd_get32si() (bsc#1132838).

  - CVE-2019-11035: Fixed a heap-buffer overflow in     exif_iif_add_value() (bsc#1132837).

  - CVE-2019-9637: Fixed a potential information disclosure     in rename() (bsc#1128892).

  - CVE-2019-9675: Fixed a potential buffer overflow in     phar_tar_writeheaders_int() (bsc#1128886).

  - CVE-2019-9638: Fixed an uninitialized read in     exif_process_IFD_in_MAKERNOTE() related to value_len     (bsc#1128889).

  - CVE-2019-9639: Fixed an uninitialized read in     exif_process_IFD_in_MAKERNOTE() related to data_len     (bsc#1128887).

  - CVE-2019-9640: Fixed an invalid Read in     exif_process_SOFn() (bsc#1128883).

  - CVE-2019-11036: Fixed buffer over-read in     exif_process_IFD_TAG function leading to information     disclosure (bsc#1134322).

This update was imported from the SUSE:SLE-12:Update update project.

This update for php5 fixes the following issues :

Security issues fixed :

CVE-2019-11034: Fixed a heap-buffer overflow in php_ifd_get32si() (bsc#1132838).

CVE-2019-11035: Fixed a heap-buffer overflow in exif_iif_add_value() (bsc#1132837).

CVE-2019-9637: Fixed a potential information disclosure in rename() (bsc#1128892).

CVE-2019-9675: Fixed a potential buffer overflow in phar_tar_writeheaders_int() (bsc#1128886).

CVE-2019-9638: Fixed an uninitialized read in exif_process_IFD_in_MAKERNOTE() related to value_len (bsc#1128889).

CVE-2019-9639: Fixed an uninitialized read in exif_process_IFD_in_MAKERNOTE() related to data_len (bsc#1128887).

CVE-2019-9640: Fixed an invalid Read in exif_process_SOFn() (bsc#1128883).

CVE-2019-11036: Fixed buffer over-read in exif_process_IFD_TAG function leading to information disclosure (bsc#1134322).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues: &#9; Security issues fixed: &#9; 

  - CVE-2019-9637: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128892).

  - CVE-2019-9675: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128886).

  - CVE-2019-9638: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension ((bsc#1128889).

  - CVE-2019-9639: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128887).

  - CVE-2019-9640: Fixed improper implementation of rename     function and multiple invalid memory access in EXIF     extension (bsc#1128883).

  - CVE-2019-9024: Fixed a vulnerability in xmlrpc_decode     function which could allow to a hostile XMLRPC server to     cause memory read outside the allocated areas     (bsc#1126821).

  - CVE-2019-9020: Fixed a heap out of bounds in     xmlrpc_decode function (bsc#1126711).

  - CVE-2018-20783: Fixed a buffer over-read in PHAR reading     functions which could allow an attacker to read     allocated and unallocated memory when parsing a phar     file (bsc#1127122).

  - CVE-2019-9021: Fixed a heap buffer-based buffer     over-read in PHAR reading functions which could allow an     attacker to read allocated and unallocated memory when     parsing a phar file (bsc#1126713).

  - CVE-2019-9023: Fixed multiple heap-based buffer     over-read instances in mbstring regular expression     functions (bsc#1126823).

  - CVE-2019-9641: Fixed multiple invalid memory access in     EXIF extension and improved insecure implementation of     rename function (bsc#1128722).

Other issue addressed :

  - Deleted README.default_socket_timeout which is not     needed anymore (bsc#1129032).

This update was imported from the SUSE:SLE-12:Update update project.

USN-3922-1 fixed vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 14.04 LTS.

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information. (CVE-2019-9022)

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-9675)

Original advisory details :

It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2019-9637, CVE-2019-9638, CVE-2019-9639, CVE-2019-9640, CVE-2019-9641).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php72 fixes the following issues :

CVE-2019-9637: Due to the way rename() across filesystems is implemented, it was possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data. (bsc#1128892)

CVE-2019-9675: phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: 'This issue allows theoretical compromise of security, but a practical attack is usually impossible.' (bsc#1128886)

CVE-2019-9638: An issue was discovered in the EXIF component in PHP.
There was an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len. (bsc#1128889)

CVE-2019-9639: An issue was discovered in the EXIF component in PHP.
There was an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable. (bsc#1128887)

CVE-2019-9640: An issue was discovered in the EXIF component in PHP.
There was an Invalid Read in exif_process_SOFn. (bsc#1128883)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.3. It is, therefore, affected by multiple vulnerabilities:

  - Uninitialized reads in the EXIF component of PHP due     to the mishandling of data in exif_process_IFD_in_MAKERNOTE,     and exif_process_IFD_in_TIFF. (CVE-2019-9638, CVE-2019-9639,     CVE-2019-9641)

  - An invalid read in the EXIF component of PHP due to a     mishandling of data in exif_process_SOFn. (CVE-2019-9640)

  - An access control bypass vulnerability exists due to the     way rename() is implemented. This could allow unauthorized     users to access data they otherwise would not have access     to (CVE-2019-9637).

According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.16. It is, therefore, affected by multiple vulnerabilities:

  - Uninitialized reads in the EXIF component of PHP due     to the mishandling of data in exif_process_IFD_in_MAKERNOTE,     and exif_process_IFD_in_TIFF. (CVE-2019-9638, CVE-2019-9639,     CVE-2019-9641)

  - An invalid read in the EXIF component of PHP due to a     mishandling of data in exif_process_SOFn. (CVE-2019-9640)

  - An access control bypass vulnerability exists due to the     way rename() is implemented. This could allow unauthorized     users to access data they otherwise would not have access     to (CVE-2019-9637).

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.27. It is, therefore, affected by multiple vulnerabilities:

  - Uninitialized reads in the EXIF component of PHP due     to the mishandling of data in exif_process_IFD_in_MAKERNOTE,     and exif_process_IFD_in_TIFF. (CVE-2019-9638, CVE-2019-9639,     CVE-2019-9641)

  - An invalid read in the EXIF component of PHP due to a     mishandling of data in exif_process_SOFn. (CVE-2019-9640)

  - An access control bypass vulnerability exists due to the     way rename() is implemented. This could allow unauthorized     users to access data they otherwise would not have access     to (CVE-2019-9637).

This update for php53 fixes the following issues :

Security issues fixed :

CVE-2019-9637: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128892).

CVE-2019-9675: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128886).

CVE-2019-9638: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension ((bsc#1128889).

CVE-2019-9639: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128887).

CVE-2019-9640: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128883).

CVE-2019-9024: Fixed a vulnerability in xmlrpc_decode function which could allow to a hostile XMLRPC server to cause memory read outside the allocated areas (bsc#1126821).

CVE-2019-9020: Fixed a heap out of bounds in xmlrpc_decode function (bsc#1126711).

CVE-2018-20783: Fixed a buffer over-read in PHAR reading functions which could allow an attacker to read allocated and unallocated memory when parsing a phar file (bsc#1127122).

CVE-2019-9021: Fixed a heap buffer-based buffer over-read in PHAR reading functions which could allow an attacker to read allocated and unallocated memory when parsing a phar file (bsc#1126713).

CVE-2019-9023: Fixed multiple heap-based buffer over-read instances in mbstring regular expression functions (bsc#1126823).

CVE-2019-9641: Fixed multiple invalid memory access in EXIF extension and improved insecure implementation of rename function (bsc#1128722).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been found in php5, a server-side, HTML-embedded scripting language.

CVE-2019-9637 rename() across the device may allow unwanted access during processing.

CVE-2019-9638, CVE-2019-9639 Uninitialized read in exif_process_IFD_in_MAKERNOTE.

CVE-2019-9640 Invalid Read on exif_process_SOFn.

CVE-2019-9641 Uninitialized read in exif_process_IFD_in_TIFF.

CVE-2019-9022 An issue during parsing of DNS responses allows a hostile DNS server to misuse memcpy, which leads to a read operation past an allocated buffer.

For Debian 8 'Jessie', these problems have been fixed in version 5.6.40+dfsg-0+deb8u2.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: The EXIF extension had multiple cases of invalid memory access and rename() was implemented insecurely.

ID	Name	Product	Family	Severity
136057	RHEL 8 : php:7.2 (RHSA-2020:1624)	Nessus	Red Hat Local Security Checks	high
126035	openSUSE Security Update : php7 (openSUSE-2019-1573)	Nessus	SuSE Local Security Checks	high
126034	openSUSE Security Update : php7 (openSUSE-2019-1572)	Nessus	SuSE Local Security Checks	high
125850	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2019:1461-1)	Nessus	SuSE Local Security Checks	high
125700	openSUSE Security Update : php5 (openSUSE-2019-1503)	Nessus	SuSE Local Security Checks	medium
125457	SUSE SLES12 Security Update : php5 (SUSE-SU-2019:1325-1)	Nessus	SuSE Local Security Checks	medium
124401	openSUSE Security Update : php7 (openSUSE-2019-1293)	Nessus	SuSE Local Security Checks	high
124271	Ubuntu 14.04 LTS : php5 vulnerabilities (USN-3922-2)	Nessus	Ubuntu Local Security Checks	high
124268	SUSE SLES12 Security Update : php72 (SUSE-SU-2019:0988-1)	Nessus	SuSE Local Security Checks	medium
123829	PHP 7.3.x < 7.3.3 Multiple vulnerabilities.	Nessus	CGI abuses	high
123828	PHP 7.2.x < 7.2.16 Multiple vulnerabilities.	Nessus	CGI abuses	high
123827	PHP 7.1.x < 7.1.27 Multiple vulnerabilities.	Nessus	CGI abuses	high
123826	SUSE SLES11 Security Update : php53 (SUSE-SU-2019:14013-1)	Nessus	SuSE Local Security Checks	high
123528	Debian DLA-1741-1 : php5 security update	Nessus	Debian Local Security Checks	high
122722	Debian DSA-4403-1 : php7.0 - security update	Nessus	Debian Local Security Checks	high

CVE-2019-9638

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins