{"id":"openSUSE-SU-2019:1573-1","summary":"Security update for php7","details":"This update for php7 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-9637: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128892).\n- CVE-2019-9675: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128886).\n- CVE-2019-9638: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128889).\n- CVE-2019-9639: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128887).\n- CVE-2019-9640: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128883).\n- CVE-2019-9022: Fixed a vulnerability which could allow a hostile DNS server to make PHP misuse memcpy (bsc#1126827).\n- CVE-2019-9024: Fixed a vulnerability in xmlrpc_decode function which could allow a hostile XMLRPC server\n  to cause memory read outside the allocated areas (bsc#1126821).\n- CVE-2019-9020: Fixed a heap out of bounds in xmlrpc_decode function (bsc#1126711).\n- CVE-2018-20783: Fixed a buffer over-read in PHAR reading functions which could allow an attacker to read\n  allocated and unallocated memory when parsing a phar file (bsc#1127122).\n- CVE-2019-9021: Fixed a heap-based buffer over-read in PHAR reading functions which could allow an\n  attacker to read allocated and unallocated memory when parsing a phar file (bsc#1126713).\n- CVE-2019-9023: Fixed multiple heap-based buffer over-read instances in mbstring regular expression functions (bsc#1126823).\n- CVE-2019-9641: Fixed multiple invalid memory access in EXIF extension and improved insecure implementation\n  of rename function (bsc#1128722).\n- CVE-2018-19935: Fixed a Denial of Service in php_imap.c which could be triggered \n  via an empty string in the message 
argument to imap_mail (bsc#1118832).\n- CVE-2019-11034: Fixed a heap-buffer overflow in php_ifd_get32si() (bsc#1132838).\n- CVE-2019-11035: Fixed a heap-buffer overflow in exif_iif_add_value() (bsc#1132837).\n- CVE-2019-11036: Fixed buffer over-read in exif_process_IFD_TAG function leading to information disclosure (bsc#1134322).\n\nOther issue addressed:   \n\n- Deleted README.default_socket_timeout which is not needed anymore (bsc#1129032).\n- Enabled php7 testsuite (bsc#1119396).\n\nThis update was imported from the SUSE:SLE-15:Update update project.","modified":"2026-02-04T02:13:09.997420Z","published":"2019-06-18T11:38:13Z","related":["CVE-2018-19935","CVE-2018-20783","CVE-2019-11034","CVE-2019-11035","CVE-2019-11036","CVE-2019-9020","CVE-2019-9021","CVE-2019-9022","CVE-2019-9023","CVE-2019-9024","CVE-2019-9637","CVE-2019-9638","CVE-2019-9639","CVE-2019-9640","CVE-2019-9641","CVE-2019-9675"],"upstream":["CVE-2018-19935","CVE-2018-20783","CVE-2019-11034","CVE-2019-11035","CVE-2019-11036","CVE-2019-9020","CVE-2019-9021","CVE-2019-9022","CVE-2019-9023","CVE-2019-9024","CVE-2019-9637","CVE-2019-9638","CVE-2019-9639","CVE-2019-9640","CVE-2019-9641","CVE-2019-9675"],"references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BZGSTORTRYTIVYMVFOFYRIJIMKYXZ32T/#BZGSTORTRYTIVYMVFOFYRIJIMKYXZ32T"},{"type":"REPORT","url":"https://bugzilla.suse.com/1118832"},{"type":"REPORT","url":"https://bugzilla.suse.com/1119396"},{"type":"REPORT","url":"https://bugzilla.suse.com/1126711"},{"type":"REPORT","url":"https://bugzilla.suse.com/1126713"},{"type":"REPORT","url":"https://bugzilla.suse.com/1126821"},{"type":"REPORT","url":"https://bugzilla.suse.com/1126823"},{"type":"REPORT","url":"https://bugzilla.suse.com/1126827"},{"type":"REPORT","url":"https://bugzilla.suse.com/1127122"},{"type":"REPORT","url":"https://bugzilla.suse.com/1128722"},{"type":"REPORT","url":"https://bugzilla.suse.com/1128883"},{"type":"REPORT","url"
:"https://bugzilla.suse.com/1128886"},{"type":"REPORT","url":"https://bugzilla.suse.com/1128887"},{"type":"REPORT","url":"https://bugzilla.suse.com/1128889"},{"type":"REPORT","url":"https://bugzilla.suse.com/1128892"},{"type":"REPORT","url":"https://bugzilla.suse.com/1129032"},{"type":"REPORT","url":"https://bugzilla.suse.com/1132837"},{"type":"REPORT","url":"https://bugzilla.suse.com/1132838"},{"type":"REPORT","url":"https://bugzilla.suse.com/1134322"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-19935"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-20783"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11034"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11035"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11036"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9020"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9021"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9022"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9023"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9024"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9637"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9638"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9639"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9640"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9641"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9675"}],"affected":[{"package":{"name":"php7","ecosystem":"openSUSE:Leap 
15.0","purl":"pkg:rpm/opensuse/php7&distro=openSUSE%20Leap%2015.0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.2.5-lp150.2.19.1"}]}],"ecosystem_specific":{"binaries":[{"php7-gmp":"7.2.5-lp150.2.19.1","php7-gd":"7.2.5-lp150.2.19.1","php7-dba":"7.2.5-lp150.2.19.1","php7-ctype":"7.2.5-lp150.2.19.1","php7-pdo":"7.2.5-lp150.2.19.1","php7-phar":"7.2.5-lp150.2.19.1","php7-shmop":"7.2.5-lp150.2.19.1","php7-intl":"7.2.5-lp150.2.19.1","php7-sysvshm":"7.2.5-lp150.2.19.1","php7-odbc":"7.2.5-lp150.2.19.1","php7-firebird":"7.2.5-lp150.2.19.1","php7-calendar":"7.2.5-lp150.2.19.1","apache2-mod_php7":"7.2.5-lp150.2.19.1","php7-bz2":"7.2.5-lp150.2.19.1","php7-pear":"7.2.5-lp150.2.19.1","php7":"7.2.5-lp150.2.19.1","php7-xmlrpc":"7.2.5-lp150.2.19.1","php7-sysvsem":"7.2.5-lp150.2.19.1","php7-pcntl":"7.2.5-lp150.2.19.1","php7-posix":"7.2.5-lp150.2.19.1","php7-ftp":"7.2.5-lp150.2.19.1","php7-zlib":"7.2.5-lp150.2.19.1","php7-fileinfo":"7.2.5-lp150.2.19.1","php7-pear-Archive_Tar":"7.2.5-lp150.2.19.1","php7-sockets":"7.2.5-lp150.2.19.1","php7-exif":"7.2.5-lp150.2.19.1","php7-iconv":"7.2.5-lp150.2.19.1","php7-ldap":"7.2.5-lp150.2.19.1","php7-xmlwriter":"7.2.5-lp150.2.19.1","php7-wddx":"7.2.5-lp150.2.19.1","php7-bcmath":"7.2.5-lp150.2.19.1","php7-opcache":"7.2.5-lp150.2.19.1","php7-tokenizer":"7.2.5-lp150.2.19.1","php7-sodium":"7.2.5-lp150.2.19.1","php7-mbstring":"7.2.5-lp150.2.19.1","php7-soap":"7.2.5-lp150.2.19.1","php7-devel":"7.2.5-lp150.2.19.1","php7-openssl":"7.2.5-lp150.2.19.1","php7-readline":"7.2.5-lp150.2.19.1","php7-dom":"7.2.5-lp150.2.19.1","php7-testresults":"7.2.5-lp150.2.19.1","php7-sysvmsg":"7.2.5-lp150.2.19.1","php7-xmlreader":"7.2.5-lp150.2.19.1","php7-mysql":"7.2.5-lp150.2.19.1","php7-sqlite":"7.2.5-lp150.2.19.1","php7-fastcgi":"7.2.5-lp150.2.19.1","php7-tidy":"7.2.5-lp150.2.19.1","php7-curl":"7.2.5-lp150.2.19.1","php7-zip":"7.2.5-lp150.2.19.1","php7-json":"7.2.5-lp150.2.19.1","php7-enchant":"7.2.5-lp150.2.19.1","php7-embed":"7.2.5-lp150.2.19.1","
php7-gettext":"7.2.5-lp150.2.19.1","php7-xsl":"7.2.5-lp150.2.19.1","php7-pgsql":"7.2.5-lp150.2.19.1","php7-fpm":"7.2.5-lp150.2.19.1","php7-snmp":"7.2.5-lp150.2.19.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2019:1573-1.json"}}],"schema_version":"1.7.3"}