Bug 25603 - php 7.3.11 closes several buffer overflows
Summary: php 7.3.11 closes several buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-10-24 16:56 CEST by Marc Krämer
Modified: 2019-10-29 15:55 CET

See Also:
Source RPM: php
CVE:
Status comment:



Description Marc Krämer 2019-10-24 16:56:52 CEST
New version released which closes:
#78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
#78633 (Heap buffer overflow (read) in mb_eregi).
#78620 (Out of memory error).
#78525 (Memory leak in pdo when reusing native prepared statements).

Comment 1 Marc Krämer 2019-10-24 16:57:20 CEST
and 
#78272 (calling preg_match() before pcntl_fork() will freeze child process).

Comment 2 Marc Krämer 2019-10-24 17:37:50 CEST
Suggested advisory:
========================
Updated php packages fix security vulnerabilities:

- FPM (#78599) env_path_info underflow in fpm_main.c can lead to RCE. (CVE-2019-11043)
- MBString (#78633) Heap buffer overflow (read) in mb_eregi.
- Mysqlnd (#78525) Memory leak in pdo when reusing native prepared statements.
- PCRE (#78272) calling preg_match() before pcntl_fork() will freeze child process.
- Base (#78612) strtr leaks memory when integer keys are used and the subject string shorter.

References:
https://www.php.net/ChangeLog-7.php#7.3.11
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
https://bugs.php.net/bug.php?id=78272


Updated packages in core/updates_testing:
========================
php-ini-7.3.11-1.mga7
apache-mod_php-7.3.11-1.mga7
php-cli-7.3.11-1.mga7
php-cgi-7.3.11-1.mga7
libphp_common7-7.3.11-1.mga7
php-devel-7.3.11-1.mga7
php-openssl-7.3.11-1.mga7
php-zlib-7.3.11-1.mga7
php-doc-7.3.11-1.mga7
php-bcmath-7.3.11-1.mga7
php-bz2-7.3.11-1.mga7
php-calendar-7.3.11-1.mga7
php-ctype-7.3.11-1.mga7
php-curl-7.3.11-1.mga7
php-dba-7.3.11-1.mga7
php-dom-7.3.11-1.mga7
php-enchant-7.3.11-1.mga7
php-exif-7.3.11-1.mga7
php-fileinfo-7.3.11-1.mga7
php-filter-7.3.11-1.mga7
php-ftp-7.3.11-1.mga7
php-gd-7.3.11-1.mga7
php-gettext-7.3.11-1.mga7
php-gmp-7.3.11-1.mga7
php-hash-7.3.11-1.mga7
php-iconv-7.3.11-1.mga7
php-imap-7.3.11-1.mga7
php-interbase-7.3.11-1.mga7
php-intl-7.3.11-1.mga7
php-json-7.3.11-1.mga7
php-ldap-7.3.11-1.mga7
php-mbstring-7.3.11-1.mga7
php-mysqli-7.3.11-1.mga7
php-mysqlnd-7.3.11-1.mga7
php-odbc-7.3.11-1.mga7
php-opcache-7.3.11-1.mga7
php-pcntl-7.3.11-1.mga7
php-pdo-7.3.11-1.mga7
php-pdo_dblib-7.3.11-1.mga7
php-pdo_firebird-7.3.11-1.mga7
php-pdo_mysql-7.3.11-1.mga7
php-pdo_odbc-7.3.11-1.mga7
php-pdo_pgsql-7.3.11-1.mga7
php-pdo_sqlite-7.3.11-1.mga7
php-pgsql-7.3.11-1.mga7
php-phar-7.3.11-1.mga7
php-posix-7.3.11-1.mga7
php-readline-7.3.11-1.mga7
php-recode-7.3.11-1.mga7
php-session-7.3.11-1.mga7
php-shmop-7.3.11-1.mga7
php-snmp-7.3.11-1.mga7
php-soap-7.3.11-1.mga7
php-sockets-7.3.11-1.mga7
php-sodium-7.3.11-1.mga7
php-sqlite3-7.3.11-1.mga7
php-sysvmsg-7.3.11-1.mga7
php-sysvsem-7.3.11-1.mga7
php-sysvshm-7.3.11-1.mga7
php-tidy-7.3.11-1.mga7
php-tokenizer-7.3.11-1.mga7
php-xml-7.3.11-1.mga7
php-xmlreader-7.3.11-1.mga7
php-xmlrpc-7.3.11-1.mga7
php-xmlwriter-7.3.11-1.mga7
php-xsl-7.3.11-1.mga7
php-wddx-7.3.11-1.mga7
php-zip-7.3.11-1.mga7
php-fpm-7.3.11-1.mga7
phpdbg-7.3.11-1.mga7
php-debugsource-7.3.11-1.mga7
php-debuginfo-7.3.11-1.mga7
apache-mod_php-debuginfo-7.3.11-1.mga7
php-cli-debuginfo-7.3.11-1.mga7
php-cgi-debuginfo-7.3.11-1.mga7
libphp_common7-debuginfo-7.3.11-1.mga7
php-openssl-debuginfo-7.3.11-1.mga7
php-zlib-debuginfo-7.3.11-1.mga7
php-bcmath-debuginfo-7.3.11-1.mga7
php-bz2-debuginfo-7.3.11-1.mga7
php-calendar-debuginfo-7.3.11-1.mga7
php-ctype-debuginfo-7.3.11-1.mga7
php-curl-debuginfo-7.3.11-1.mga7
php-dba-debuginfo-7.3.11-1.mga7
php-dom-debuginfo-7.3.11-1.mga7
php-enchant-debuginfo-7.3.11-1.mga7
php-exif-debuginfo-7.3.11-1.mga7
php-fileinfo-debuginfo-7.3.11-1.mga7
php-filter-debuginfo-7.3.11-1.mga7
php-ftp-debuginfo-7.3.11-1.mga7
php-gd-debuginfo-7.3.11-1.mga7
php-gettext-debuginfo-7.3.11-1.mga7
php-gmp-debuginfo-7.3.11-1.mga7
php-hash-debuginfo-7.3.11-1.mga7
php-iconv-debuginfo-7.3.11-1.mga7
php-imap-debuginfo-7.3.11-1.mga7
php-interbase-debuginfo-7.3.11-1.mga7
php-intl-debuginfo-7.3.11-1.mga7
php-json-debuginfo-7.3.11-1.mga7
php-ldap-debuginfo-7.3.11-1.mga7
php-mbstring-debuginfo-7.3.11-1.mga7
php-mysqli-debuginfo-7.3.11-1.mga7
php-mysqlnd-debuginfo-7.3.11-1.mga7
php-odbc-debuginfo-7.3.11-1.mga7
php-opcache-debuginfo-7.3.11-1.mga7
php-pcntl-debuginfo-7.3.11-1.mga7
php-pdo-debuginfo-7.3.11-1.mga7
php-pdo_dblib-debuginfo-7.3.11-1.mga7
php-pdo_firebird-debuginfo-7.3.11-1.mga7
php-pdo_mysql-debuginfo-7.3.11-1.mga7
php-pdo_odbc-debuginfo-7.3.11-1.mga7
php-pdo_pgsql-debuginfo-7.3.11-1.mga7
php-pdo_sqlite-debuginfo-7.3.11-1.mga7
php-pgsql-debuginfo-7.3.11-1.mga7
php-phar-debuginfo-7.3.11-1.mga7
php-posix-debuginfo-7.3.11-1.mga7
php-readline-debuginfo-7.3.11-1.mga7
php-recode-debuginfo-7.3.11-1.mga7
php-session-debuginfo-7.3.11-1.mga7
php-shmop-debuginfo-7.3.11-1.mga7
php-snmp-debuginfo-7.3.11-1.mga7
php-soap-debuginfo-7.3.11-1.mga7
php-sockets-debuginfo-7.3.11-1.mga7
php-sodium-debuginfo-7.3.11-1.mga7
php-sqlite3-debuginfo-7.3.11-1.mga7
php-sysvmsg-debuginfo-7.3.11-1.mga7
php-sysvsem-debuginfo-7.3.11-1.mga7
php-sysvshm-debuginfo-7.3.11-1.mga7
php-tidy-debuginfo-7.3.11-1.mga7
php-tokenizer-debuginfo-7.3.11-1.mga7
php-xml-debuginfo-7.3.11-1.mga7
php-xmlreader-debuginfo-7.3.11-1.mga7
php-xmlrpc-debuginfo-7.3.11-1.mga7
php-xmlwriter-debuginfo-7.3.11-1.mga7
php-xsl-debuginfo-7.3.11-1.mga7
php-wddx-debuginfo-7.3.11-1.mga7
php-zip-debuginfo-7.3.11-1.mga7
php-fpm-debuginfo-7.3.11-1.mga7
phpdbg-debuginfo-7.3.11-1.mga7


libpcre2_0-10.33-1.1.mga7
libpcre2posix2-10.33-1.1.mga7
libpcre2-devel-10.33-1.1.mga7
pcre2-tools-10.33-1.1.mga7
pcre2-debugsource-10.33-1.1.mga7
pcre2-debuginfo-10.33-1.1.mga7
libpcre2_0-debuginfo-10.33-1.1.mga7
libpcre2posix2-debuginfo-10.33-1.1.mga7
pcre2-tools-debuginfo-10.33-1.1.mga7

Source RPMs: 
php-7.3.11-1.mga7.src.rpm
pcre2-10.33-1.1.mga7.src.rpm

Assignee: mageia => qa-bugs

Comment 3 PC LX 2019-10-26 17:57:29 CEST
Installed and tested without issues.

Tested with various large (e.g. roundcubemail, phpmyadmin, wordpress, drupal, custom) and small scripts, using HTTP(S) and CLI.


System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.3.6-desktop-2.mga7 #1 SMP Sun Oct 13 18:22:10 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ php --version
PHP 7.3.11 (cli) (built: Oct 24 2019 15:24:10) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies
$ rpm -qa | grep 7.3.11 | sort -u
apache-mod_php-7.3.11-1.mga7
lib64php_common7-7.3.11-1.mga7
php-bz2-7.3.11-1.mga7
php-cli-7.3.11-1.mga7
php-ctype-7.3.11-1.mga7
php-dom-7.3.11-1.mga7
php-filter-7.3.11-1.mga7
php-ftp-7.3.11-1.mga7
php-gd-7.3.11-1.mga7
php-gettext-7.3.11-1.mga7
php-hash-7.3.11-1.mga7
php-ini-7.3.11-1.mga7
php-json-7.3.11-1.mga7
php-mbstring-7.3.11-1.mga7
php-mysqli-7.3.11-1.mga7
php-mysqlnd-7.3.11-1.mga7
php-openssl-7.3.11-1.mga7
php-pdo-7.3.11-1.mga7
php-pdo_mysql-7.3.11-1.mga7
php-pdo_sqlite-7.3.11-1.mga7
php-posix-7.3.11-1.mga7
php-session-7.3.11-1.mga7
php-sysvsem-7.3.11-1.mga7
php-sysvshm-7.3.11-1.mga7
php-tokenizer-7.3.11-1.mga7
php-xml-7.3.11-1.mga7
php-xmlreader-7.3.11-1.mga7
php-xmlwriter-7.3.11-1.mga7
php-zip-7.3.11-1.mga7
php-zlib-7.3.11-1.mga7

CC: (none) => mageia

Comment 4 Thomas Backlund 2019-10-29 15:35:29 CET
Flushing out as exploits for CVE-2019-11043 RCE are out in the wild...

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2019-10-29 15:55:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0307.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

