Main Vulnerability Database SB2019121938

SB2019121938 - Out-of-bounds read in php7 (Alpine package)

Published: December 19, 2019

Security Bulletin ID SB2019121938

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2019-11047)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=5ea4a0536e0f920f0bffd2ac54ce75665830e4ab
https://git.alpinelinux.org/aports/commit/?id=c34558aad0fa77a9c307564822690940e618b972
https://git.alpinelinux.org/aports/commit/?id=2e744b63543aae404c54b88ee4b4135a58449190
https://git.alpinelinux.org/aports/commit/?id=840f665bfeaa4de03d66d8a6d69ceb3a331e3bf6
https://git.alpinelinux.org/aports/commit/?id=89bf7fcf675ffb9138a3afe613cb1f7c918b57ac