CVE-2019-11036

Published: 03 May 2019

When processing certain files, the PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past the allocated buffer in the exif_process_IFD_TAG function. This may lead to information disclosure or a crash.

Priority

Low

CVSS 3 base score: 9.1

Status

Package Release Status
php5
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Released (5.5.9+dfsg-1ubuntu4.29+esm2)
Patches:
Upstream: https://github.com/php/php-src/commit/f80ad18afae2230c2c1802c7d829100af646874e
php7.0
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Released (7.0.33-0ubuntu0.16.04.5)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.2
Upstream Released (7.2.18)
Ubuntu 18.04 LTS (Bionic Beaver) Released (7.2.19-0ubuntu0.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f80ad18afae2230c2c1802c7d829100af646874e
php7.3
Upstream Released (7.3.5)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist