diff -Nru php7.0-7.0.33/debian/changelog php7.0-7.0.33/debian/changelog
--- php7.0-7.0.33/debian/changelog 2019-04-18 15:28:03.000000000 +0000
+++ php7.0-7.0.33/debian/changelog 2019-06-04 17:16:35.000000000 +0000
@@ -1,3 +1,20 @@
+php7.0 (7.0.33-0ubuntu0.16.04.5) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: overflow in exif_process_IFD_TAG
+ - debian/patches/CVE-2019-11036.patch: check dir_entry in
+ ext/exif/exif.c.
+ - CVE-2019-11036
+ * SECURITY UPDATE: out-of-bounds read in _php_iconv_mime_decode()
+ - debian/patches/CVE-2019-11039.patch: add an extra check in
+ ext/iconv/iconv.c.
+ - CVE-2019-11039
+ * SECURITY UPDATE: heap-buffer-overflow on php_jpg_get16
+ - debian/patches/CVE-2019-11040.patch: add an extra check in
+ ext/exif/exif.c.
+ - CVE-2019-11040
+
+ -- Marc Deslauriers Tue, 04 Jun 2019 13:13:15 -0400
+
 php7.0 (7.0.33-0ubuntu0.16.04.4) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Heap-buffer-overflow in php_ifd_get32s
diff -Nru php7.0-7.0.33/debian/patches/CVE-2019-11036.patch php7.0-7.0.33/debian/patches/CVE-2019-11036.patch
--- php7.0-7.0.33/debian/patches/CVE-2019-11036.patch 1970-01-01 00:00:00.000000000 +0000
+++ php7.0-7.0.33/debian/patches/CVE-2019-11036.patch 2019-06-04 17:12:58.000000000 +0000
@@ -0,0 +1,31 @@
+From f80ad18afae2230c2c1802c7d829100af646874e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 29 Apr 2019 23:38:12 -0700
+Subject: [PATCH] Fix bug #77950 - Heap-buffer-overflow in _estrndup via
+ exif_process_IFD_TAG
+
+I do not completely understand what is going on there, but I am pretty
+sure dir_entry <= offset_base if not a normal situation, so we better not
+to rely on such dir_entry.
+---
+ NEWS | 11 +++++++++--
+ ext/exif/exif.c | 2 +-
+ ext/exif/tests/bug77950.phpt | 12 ++++++++++++
+ ext/exif/tests/bug77950.tiff | Bin 0 -> 1267 bytes
+ 4 files changed, 22 insertions(+), 3 deletions(-)
+ create mode 100644 ext/exif/tests/bug77950.phpt
+ create mode 100644 ext/exif/tests/bug77950.tiff
+
+Index: php7.0-7.0.33/ext/exif/exif.c
+===================================================================
+--- php7.0-7.0.33.orig/ext/exif/exif.c 2019-06-04 13:12:55.128349189 -0400
++++ php7.0-7.0.33/ext/exif/exif.c 2019-06-04 13:12:55.124349169 -0400
+@@ -2890,7 +2890,7 @@ static int exif_process_IFD_TAG(image_in
+ offset_base is ImageInfo->file.list[sn].data-dir_offset
+ dir_entry - offset_base is dir_offset+2+i*12
+ */
+- if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
++ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) {
+ /* It is important to check for IMAGE_FILETYPE_TIFF
+ * JPEG does not use absolute pointers instead its pointers are
+ * relative to the start of the TIFF header in APP1 section. */
diff -Nru php7.0-7.0.33/debian/patches/CVE-2019-11039.patch php7.0-7.0.33/debian/patches/CVE-2019-11039.patch
--- php7.0-7.0.33/debian/patches/CVE-2019-11039.patch 1970-01-01 00:00:00.000000000 +0000
+++ php7.0-7.0.33/debian/patches/CVE-2019-11039.patch 2019-06-04 17:13:04.000000000 +0000
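Review bot: The new `dir_entry <= offset_base` guard sits at the end of the `||` chain, so `(size_t)(dir_entry-offset_base)` is still computed and compared for exactly the case the guard is meant to reject; putting it first, `if (dir_entry <= offset_base || byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {`, short-circuits before that wrapped cast is formed. Since the upstream message itself says the author did not fully understand the situation, a comment above the condition recording what the backport relies on would help the next maintainer, e.g. `/* dir_entry must lie past offset_base; anything else is a malformed IFD (bug #77950) */`. The diffstat lists ext/exif/tests/bug77950.phpt and bug77950.tiff, but the backport carries only the exif.c hunk, so the regression test does not travel with the fix; the same applies to the CVE-2019-11039 and CVE-2019-11040 patches below. exif_process_IFD_TAG starts and ends outside the hunk.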
@@ -0,0 +1,29 @@
+From 7cf7148a8f8f4f55fb04de2a517d740bb6253eac Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 27 May 2019 16:32:42 -0700
+Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
+ iconv.c:_php_iconv_mime_decode() due to integer overflow
+
+---
+ ext/iconv/iconv.c | 4 +++-
+ ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes
+ ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 ext/iconv/tests/bug78069.data
+ create mode 100644 ext/iconv/tests/bug78069.phpt
+
+Index: php7.0-7.0.33/ext/iconv/iconv.c
+===================================================================
+--- php7.0-7.0.33.orig/ext/iconv/iconv.c 2019-06-04 13:13:02.736385167 -0400
++++ php7.0-7.0.33/ext/iconv/iconv.c 2019-06-04 13:13:02.732385149 -0400
+@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_d
+ * we can do at this point. */
+ if (*(p1 + 1) == '=') {
+ ++p1;
+- --str_left;
++ if (str_left > 1) {
++ --str_left;
++ }
+ }
+
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
diff -Nru php7.0-7.0.33/debian/patches/CVE-2019-11040.patch php7.0-7.0.33/debian/patches/CVE-2019-11040.patch
--- php7.0-7.0.33/debian/patches/CVE-2019-11040.patch 1970-01-01 00:00:00.000000000 +0000
+++ php7.0-7.0.33/debian/patches/CVE-2019-11040.patch 2019-06-04 17:13:11.000000000 +0000
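Review bot: The `str_left > 1` guard stops the counter from reaching zero, but when it fires `++p1` still advances, so `str_left` ends up one larger than the bytes actually left; whether the code after the hunk tolerates that skew depends on the enclosing loop, which is outside the hunk. The `*(p1 + 1)` read on the line above the change is also not covered by the new check, so the fix presumes the caller already guarantees at least two bytes here — not visible in this hunk. Nothing in the hunk says why the threshold is 1; a comment such as `/* bug #78069: keep str_left >= 1 so the later length arithmetic cannot wrap */` (the wrap is inferred from the commit subject) would spare the next backporter the same guesswork. _php_iconv_mime_decode starts and ends outside the hunk.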
@@ -0,0 +1,27 @@
+From 73ff4193be24192c894dc0502d06e2b2db35eefb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 27 May 2019 17:16:29 -0700
+Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
+
+---
+ NEWS | 8 ++++++--
+ ext/exif/exif.c | 2 ++
+ ext/exif/tests/bug77988.jpg | Bin 0 -> 1202 bytes
+ ext/exif/tests/bug77988.phpt | 11 +++++++++++
+ 4 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug77988.jpg
+ create mode 100644 ext/exif/tests/bug77988.phpt
+
+Index: php7.0-7.0.33/ext/exif/exif.c
+===================================================================
+--- php7.0-7.0.33.orig/ext/exif/exif.c 2019-06-04 13:13:10.044419598 -0400
++++ php7.0-7.0.33/ext/exif/exif.c 2019-06-04 13:13:10.044419598 -0400
+@@ -3525,6 +3525,8 @@ static int exif_scan_thumbnail(image_inf
+ if (c == 0xFF)
+ return FALSE;
+ marker = c;
++ if (pos>=ImageInfo->Thumbnail.size)
++ return FALSE;
+ length = php_jpg_get16(data+pos);
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
+ return FALSE;
diff -Nru php7.0-7.0.33/debian/patches/series php7.0-7.0.33/debian/patches/series
--- php7.0-7.0.33/debian/patches/series 2019-04-18 15:25:10.000000000 +0000
+++ php7.0-7.0.33/debian/patches/series 2019-06-04 17:13:08.000000000 +0000
@@ -109,3 +109,6 @@
 CVE-2019-11035-1.patch
 CVE-2019-11035-2.patch
 CVE-2019-11035-3.patch
+CVE-2019-11036.patch
+CVE-2019-11039.patch
+CVE-2019-11040.patch
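Review bot: The added guard only rejects `pos >= ImageInfo->Thumbnail.size`, yet the next line calls `php_jpg_get16(data+pos)`, which by its name reads a 16-bit value, i.e. two bytes at data+pos (its body is outside the hunk, so this is inferred); with that width `pos == size - 1` passes the new check and still reads one byte past the thumbnail buffer. A stricter form closes the gap without touching the rest of the logic: `if (pos >= ImageInfo->Thumbnail.size || ImageInfo->Thumbnail.size - pos < 2)`. The two added lines also drop the spaces around `>=` that the neighbouring `pos >= ImageInfo->Thumbnail.size - length` uses; matching the surrounding style is a small follow-up. exif_scan_thumbnail starts and ends outside the hunk.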