Description
Security update for php5
This update for php5 fixes the following issues:
Security issues fixed:
- CVE-2019-9024: Fixed a vulnerability in the xmlrpc_decode function which could allow a hostile XMLRPC server to cause memory reads outside the allocated areas (bsc#1126821).
- CVE-2019-9020: Fixed a heap out-of-bounds read in the xmlrpc_decode function (bsc#1126711).
- CVE-2018-20783: Fixed a buffer over-read in PHAR reading functions which could allow an attacker to read allocated and unallocated memory when parsing a phar file (bsc#1127122).
- CVE-2019-9021: Fixed a heap-based buffer over-read in PHAR reading functions which could allow an attacker to read allocated and unallocated memory when parsing a phar file (bsc#1126713).
- CVE-2019-9023: Fixed multiple heap-based buffer over-read instances in mbstring regular expression functions (bsc#1126823).
- CVE-2019-9641: Fixed multiple invalid memory accesses in the EXIF extension and improved the insecure implementation of the rename function (bsc#1128722).
Package list
SUSE Linux Enterprise Module for Web and Scripting 12
SUSE Linux Enterprise Software Development Kit 12 SP3
SUSE Linux Enterprise Software Development Kit 12 SP4
References
- Link for SUSE-SU-2019:0985-1
- E-Mail link for SUSE-SU-2019:0985-1
- SUSE Security Ratings
- SUSE Bug 1126711
- SUSE Bug 1126713
- SUSE Bug 1126821
- SUSE Bug 1126823
- SUSE Bug 1127122
- SUSE Bug 1128722
- SUSE CVE CVE-2018-20783 page
- SUSE CVE CVE-2019-9020 page
- SUSE CVE CVE-2019-9021 page
- SUSE CVE CVE-2019-9023 page
- SUSE CVE CVE-2019-9024 page
- SUSE CVE CVE-2019-9641 page
Description
In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.
Affected products
References
- CVE-2018-20783
- SUSE Bug 1126713
- SUSE Bug 1127122
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.
Affected products
References
- CVE-2019-9020
- SUSE Bug 1126711
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.
Affected products
References
- CVE-2019-9021
- SUSE Bug 1126713
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
Affected products
References
- CVE-2019-9023
- SUSE Bug 1126823
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.
Affected products
References
- CVE-2019-9024
- SUSE Bug 1126821
Description
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.
Affected products
References
- CVE-2019-9641
- SUSE Bug 1128722
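Each CVE description above states the upstream PHP versions in which the issue was fixed. The following Python snippet is an added example, not part of the SUSE advisory or of PHP itself: it transcribes those version ranges into a table and reports which of the six CVEs a given upstream PHP version string falls under. The names AFFECTED, parse_version and affected_cves are chosen here. It checks upstream version numbers only; a distribution package such as the php5 builds this advisory updates can carry the fix as a backport while keeping an older upstream version, so for those packages the advisory and the package update, not the version number, are the indicator.

```python
"""Classify an upstream PHP version against the fixed-version ranges quoted in
the CVE descriptions of SUSE-SU-2019:0985-1 (added example, not SUSE's code)."""
import re

# Ranges transcribed from the CVE descriptions on this page.
# Each entry is (prefix, first_fixed): a version is affected by the CVE when it
# begins with `prefix` (component-wise; "" matches every version) and is strictly
# older than `first_fixed`. "7.x before 7.1.26" thus becomes ("7", "7.1.26").
AFFECTED = {
    "CVE-2018-20783": [("5.6", "5.6.39"), ("7", "7.0.33"), ("7.1", "7.1.25"), ("7.2", "7.2.13")],
    "CVE-2019-9020":  [("5.6", "5.6.40"), ("7", "7.1.26"), ("7.2", "7.2.14"), ("7.3", "7.3.1")],
    "CVE-2019-9021":  [("5.6", "5.6.40"), ("7", "7.1.26"), ("7.2", "7.2.14"), ("7.3", "7.3.1")],
    "CVE-2019-9023":  [("5.6", "5.6.40"), ("7", "7.1.26"), ("7.2", "7.2.14"), ("7.3", "7.3.1")],
    "CVE-2019-9024":  [("5.6", "5.6.40"), ("7", "7.1.26"), ("7.2", "7.2.14"), ("7.3", "7.3.1")],
    # "PHP before 7.1.27" carries no branch qualifier, so it covers every branch.
    "CVE-2019-9641":  [("", "7.1.27"), ("7.2", "7.2.16"), ("7.3", "7.3.3")],
}


def parse_version(version):
    """Return the leading dotted numeric part of a version string as an int tuple.

    Packaging suffixes such as "-1.el7" or "~rc1" are ignored; a string with no
    leading number is rejected rather than silently treated as version 0.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable PHP version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def affected_cves(version, table=AFFECTED):
    """Return the sorted list of CVE ids whose ranges contain `version`."""
    ver = parse_version(version)
    hits = []
    for cve, ranges in table.items():
        for prefix, first_fixed in ranges:
            pre = parse_version(prefix) if prefix else ()
            if ver[:len(pre)] == pre and ver < parse_version(first_fixed):
                hits.append(cve)
                break  # one matching range is enough for this CVE
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs: a vulnerable 7.2 build, a fully fixed 7.3 build,
    # and a distro-style version string with a packaging suffix.
    for sample in ("7.2.13", "7.3.3", "7.2.14-1.el7"):
        print(sample, "->", affected_cves(sample) or "no listed CVE by upstream version")
```

The table keeps the advisory's own wording as data rather than hard-coding a single "minimum safe version", so the result also explains which of the six issues still apply to a build that is only partly updated, for example a 7.2.13 build that already has the phar fix from CVE-2018-20783 but none of the later ones.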