Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 698452 (CVE-2019-11043) - <dev-lang/php-{5.6.40-r7,7.1.33,7.2.24,7.3.11}: env_path_info underflow in fpm_main (CVE-2019-11043)
Summary: <dev-lang/php-{5.6.40-r7,7.1.33,7.2.24,7.3.11}: env_path_info underflow in fp...
Status: RESOLVED FIXED
Alias: CVE-2019-11043
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=78599
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-24 13:40 UTC by GLSAMaker/CVETool Bot
Modified: 2019-11-19 10:52 UTC (History)
2 users (show)

See Also:
Package list:
dev-lang/php-7.1.33 dev-lang/php-7.2.24 dev-lang/php-7.3.11
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-10-24 13:40:16 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-10-24 13:45:05 UTC
In certain php-fpm configurations, a underflow in env_path_info() from fpm_main.c could lead to RCE. See $URL for details.
Comment 2 David Heidelberg (okias) 2019-10-24 21:47:58 UTC
since this issue impact nextCloud and probably ownCloud instances, can we get to making it stable?

[note, working properly on amd64, unmasked]
Comment 3 Larry the Git Cow gentoo-dev 2019-10-24 23:35:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a96c94f084d79006c5e245bd870acb362c1a4dc

commit 1a96c94f084d79006c5e245bd870acb362c1a4dc
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-24 23:35:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-24 23:35:27 +0000

    dev-libs/oniguruma: security cleanup
    
    Bug: https://bugs.gentoo.org/698452
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/oniguruma/oniguruma-6.9.3-r1.ebuild | 34 ----------------------------
 1 file changed, 34 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aff9ca0ff462c2583d1b6fb02aa6866f0d1946fa

commit aff9ca0ff462c2583d1b6fb02aa6866f0d1946fa
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-24 23:34:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-24 23:35:26 +0000

    dev-libs/oniguruma: move stable keywords
    
    Bug: https://bugs.gentoo.org/698452
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/oniguruma/oniguruma-6.9.3-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-25 07:25:07 UTC
amd64 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-10-25 11:12:01 UTC
This issue was resolved and addressed in
 GLSA 201910-01 at https://security.gentoo.org/glsa/201910-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-10-25 11:12:51 UTC
Re-opening for remaining architectures.
Comment 7 Thomas Deutschmann gentoo-dev Security 2019-10-25 11:22:03 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-25 11:59:59 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-10-25 12:00:38 UTC
ppc64 stable
Comment 10 Rolf Eike Beer 2019-10-25 20:05:11 UTC
sparc stable
Comment 11 Rolf Eike Beer 2019-10-27 19:25:50 UTC
hppa stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:17:29 UTC
arm stable
Comment 13 Tomek L 2019-11-01 16:54:09 UTC
Please correct the GLSA as PHP 5 series is not affected.
Comment 14 Tomáš Mózes 2019-11-01 18:31:45 UTC
(In reply to Tomek L from comment #13)
> Please correct the GLSA as PHP 5 series is not affected.

Php 5 is EOL and should not be used.
Comment 15 Thomas Deutschmann gentoo-dev Security 2019-11-01 20:02:29 UTC
PHP 5 _is_ affected -- GLSA is correct. There's a backport https://github.com/microsoft/php-src/commit/c69bcb212b37900fd61daaf38762e4974cb4dcc9 ... but I don't think Gentoo will do another PHP 5 release. It's scheduled for removal.
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-11-06 22:51:26 UTC
arm64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2019-11-14 11:56:07 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 18 Larry the Git Cow gentoo-dev 2019-11-14 19:51:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bb9c52d57dd7694ae6695b844d3bb16fb1bc733

commit 3bb9c52d57dd7694ae6695b844d3bb16fb1bc733
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-11-14 19:50:29 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-11-14 19:50:29 +0000

    dev-lang/php: Security cleanup for vulnerable versions
    
    Bug: https://bugs.gentoo.org/698452
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   3 -
 dev-lang/php/php-7.1.32.ebuild | 736 ----------------------------------------
 dev-lang/php/php-7.2.22.ebuild | 748 ----------------------------------------
 dev-lang/php/php-7.3.9.ebuild  | 749 -----------------------------------------
 4 files changed, 2236 deletions(-)
Comment 19 Larry the Git Cow gentoo-dev 2019-11-19 10:44:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46ffc05beb6a90b4207adab9f5b7d989fdc2b5c9

commit 46ffc05beb6a90b4207adab9f5b7d989fdc2b5c9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-11-19 10:34:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-11-19 10:44:37 +0000

    dev-lang/php: security bump
    
    Bug: https://bugs.gentoo.org/698452
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest                                       | 2 +-
 dev-lang/php/{php-5.6.40-r6.ebuild => php-5.6.40-r7.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 20 Thomas Deutschmann gentoo-dev Security 2019-11-19 10:52:35 UTC
All done, repository is clean!