SB2020012120 - Out-of-bounds read in php7 (Alpine package)
Published: January 21, 2020
Security Bulletin ID
SB2020012120
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2020-7060)
The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when using certain "mbstring" functions to convert multibyte encodings. A remote attacker can supply data that will cause function "mbfl_filt_conv_big5_wchar" to read past the allocated buffer, trigger out-of-bounds read error and read contents of memory on the system or crash the application.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=37674ae79d4a86d8c65e91229951ff777ec29540
- https://git.alpinelinux.org/aports/commit/?id=ec9d680b52bf5f756d39d57cd415ef638a1aac60
- https://git.alpinelinux.org/aports/commit/?id=42c07d47c295b72e57f7dc851d590097aa6053ff
- https://git.alpinelinux.org/aports/commit/?id=68838633d9df28ddca4f065d839b033d943bbb7b