SB2019031818 - Out-of-bounds read in php7 (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a multiple boundary condition within the ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c files when parsing multibyte data in regular expressions. A remote attacker can pass specially crafted input to the application, trigger out-of-bounds read error and read contents of memory on the system.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=ebcd3398f2d6e6f536fbfeaba9cc3b84ac377251
• https://git.alpinelinux.org/aports/commit/?id=583c0d55e9e7208425dd53eb1739a7010b6b0dbc
• https://git.alpinelinux.org/aports/commit/?id=7c1daf27a04307093cef0fcb3f1c5ab4bb68eee1