An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.

CVE-2019-20141

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your **Dashboard → Updates** and click **Update Now**.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security updates**

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

*   Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
*   Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
*   Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
*   Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

**Maintenance updates**

Here are a few of the highlights:

*   Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
*   Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
*   Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
*   Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
*   Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
*   External libraries: update sodium_compat.
*   Site health: allow the remind interval for the admin email verification to be filtered.
*   Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
*   Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

**Thanks!**

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

CVE-2019-20041: WordPress 5.3.1 Security and Maintenance Release

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

CVE-2019-20042

In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c.

**Prerequisites**

*   I have written a descriptive issue title
*   I have verified that I am using the latest version of ImageMagick
*   I have searched open and closed issues to ensure it has not already been reported

**Description**

There is a heap buffer overflow vulnerability in function WriteSGIImage of coders/sgi.c.

**Steps to Reproduce**

poc  
magick convert $poc ./test.sgi  
=================================================================  
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40  
WRITE of size 1 at 0x7f70c67db7f8 thread T0  
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051  
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #5 0x4100a1 in MagickMain utilities/magick.c:149  
    #6 0x410282 in main utilities/magick.c:180  
    #7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)  
    #8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)

0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)  
allocated by thread T0 here:  
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)  
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265  
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621  
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030  
    #4 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #5 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #8 0x4100a1 in MagickMain utilities/magick.c:149  
    #9 0x410282 in main utilities/magick.c:180  
    #10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage  
Shadow bytes around the buggy address:  
  0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]  
  0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
 Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Heap right redzone:      fb  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack partial redzone:   f4  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
==41720==ABORTING

**System Configuration**

*   ImageMagick version:  
    Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org  
    Copyright: ? 1999-2019 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)   
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
*   Environment (Operating system, version and so on):  
    Distributor ID:	Ubuntu  
    Description:	Ubuntu 16.04.1 LTS  
    Release:	16.04  
    Codename:	xenial
*   Additional information:

CVE-2019-19948: heap-buffer-overflow in WriteSGIImage of coders/sgi.c · Issue #1562 · ImageMagick/ImageMagick

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Sec Bug #78862

link() silently truncates after a null byte on Windows

Submitted:

2019-11-23 09:23 UTC

Modified:

2019-12-16 19:01 UTC

From:

ryat@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

Filesystem function related

PHP Version:

7.3.12

OS:

Windows

Private report:

No

CVE-ID:

2019-11044

 **\[2019-11-23 09:23 UTC\] ryat@php.net**

Description:
------------
ext/standard/link\_win32.c:
\`\`\`
PHP\_FUNCTION(link)
{
	...
	if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "ss", &frompath, &frompath\_len, &topath, &topath\_len) == FAILURE) {
		return;
	}
\`\`\`

PoC for Windows:
\`\`\`
<?php

link("ryat\\x00php", "php\\x00ryat");

?>
\`\`\`

Fix:
\`\`\`
if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "pp", &frompath, &frompath\_len, &topath, &topath\_len) == FAILURE) 
\`\`\`

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-11-23 12:07 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Package: \*General Issues +Package: Filesystem function related \-Assigned To: +Assigned To: stas

 **\[2019-11-30 22:01 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11044

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Verified +Status: Closed

CVE-2019-11044: link() silently truncates after a null byte on Windows

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

Sec Bug #78793

Use-after-free in exif parsing under memory sanitizer

Submitted:

2019-11-07 21:13 UTC

Modified:

2019-12-16 19:14 UTC

From:

nikic@php.net

Assigned:

kalle (profile)

Status:

Closed

Package:

EXIF related

PHP Version:

master-Git-2019-11-07 (Git)

OS:

Private report:

No

CVE-ID:

2019-11050

 **\[2019-11-07 21:13 UTC\] nikic@php.net**

Description:
------------
$f = "ext/exif/tests/bug77950.tiff";
for ($i = 0; $i < 10; $i++) {
    fprintf(STDERR, "ITERATION $i:\\n");
    @exif\_read\_data($f);
}

This produces a use-after-free (use-of-uninitialized-value with heap deallocation origin) when run under memory sanitizer on the 7th iteration.

Unfortunately I have not been able to reproduce this under address sanitizer. Based on the fact that this needs multiple iterations, I'm assuming that this is sensitive to the precise memory layout, and memory sanitizer happens to produce the right one.

==19395==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x2119042 in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c:351:2
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x4368e9 in \_start (/home/nikic/php-src-msan/sapi/cli/php+0x4368e9)

  Uninitialized value was stored to memory at
    #0 0x2118d9f in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c:347:23
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x2118818 in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c:321:13
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x21184af in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x2129fb3 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:807:14
    #1 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #2 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #3 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #4 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #5 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #6 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #7 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #8 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #9 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #10 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #11 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #12 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0xd5a64a in exif\_iif\_add\_value /home/nikic/php-src-msan/ext/exif/exif.c:2186:26
    #1 0xd04751 in exif\_iif\_add\_tag /home/nikic/php-src-msan/ext/exif/exif.c:2227:2
    #2 0xd3e3f0 in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3529:2
    #3 0xd49d49 in exif\_process\_IFD\_in\_MAKERNOTE /home/nikic/php-src-msan/ext/exif/exif.c:3172:8
    #4 0xd3ccfd in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3477:10
    #5 0xd274b2 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4148:12
    #6 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #7 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #8 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #9 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #10 0xd1b38e in exif\_scan\_FILE\_header /home/nikic/php-src-msan/ext/exif/exif.c:4231:9
    #11 0xd1963d in exif\_read\_from\_impl /home/nikic/php-src-msan/ext/exif/exif.c:4357:8
    #12 0xcfb4f0 in exif\_read\_from\_stream /home/nikic/php-src-msan/ext/exif/exif.c:4374:8
    #13 0xcfd036 in exif\_read\_from\_file /home/nikic/php-src-msan/ext/exif/exif.c:4401:8
    #14 0xcf4f80 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4476:9
    #15 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #16 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #17 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #18 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #19 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14

  Uninitialized value was stored to memory at
    #0 0xd29af5 in php\_ifd\_get32u /home/nikic/php-src-msan/ext/exif/exif.c:1474:3
    #1 0xd5a57f in exif\_iif\_add\_value /home/nikic/php-src-msan/ext/exif/exif.c:2186:28
    #2 0xd04751 in exif\_iif\_add\_tag /home/nikic/php-src-msan/ext/exif/exif.c:2227:2
    #3 0xd3e3f0 in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3529:2
    #4 0xd49d49 in exif\_process\_IFD\_in\_MAKERNOTE /home/nikic/php-src-msan/ext/exif/exif.c:3172:8
    #5 0xd3ccfd in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3477:10
    #6 0xd274b2 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4148:12
    #7 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #8 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #9 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #10 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #11 0xd1b38e in exif\_scan\_FILE\_header /home/nikic/php-src-msan/ext/exif/exif.c:4231:9
    #12 0xd1963d in exif\_read\_from\_impl /home/nikic/php-src-msan/ext/exif/exif.c:4357:8
    #13 0xcfb4f0 in exif\_read\_from\_stream /home/nikic/php-src-msan/ext/exif/exif.c:4374:8
    #14 0xcfd036 in exif\_read\_from\_file /home/nikic/php-src-msan/ext/exif/exif.c:4401:8
    #15 0xcf4f80 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4476:9
    #16 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #17 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #18 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #19 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4

  Uninitialized value was created by a heap deallocation
    #0 0x43ce59 in free (/home/nikic/php-src-msan/sapi/cli/php+0x43ce59)
    #1 0x2542e28 in \_efree\_custom /home/nikic/php-src-msan/Zend/zend\_alloc.c:2425:3
    #2 0x2542402 in \_efree /home/nikic/php-src-msan/Zend/zend\_alloc.c:2545:3
    #3 0xd56453 in exif\_file\_sections\_free /home/nikic/php-src-msan/ext/exif/exif.c:2063:4
    #4 0xd0050c in exif\_discard\_imageinfo /home/nikic/php-src-msan/ext/exif/exif.c:4293:2
    #5 0xcf895b in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4604:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-12-13 14:43 UTC\] nikic@php.net**

\-Assigned To: +Assigned To: kalle

 **\[2019-12-16 08:27 UTC\] stas@php.net**

Should we merge this for upcoming release or still wait for feedback?

 **\[2019-12-16 08:56 UTC\] nikic@php.net**

I believe this should be fine for merge. I've done a couple of hours of fuzzing with this patch as a sanity check, which didn't turn up anything.

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

 **\[2019-12-16 19:14 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11050

CVE-2019-11050: Use-after-free in exif parsing under memory sanitizer

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Sec Bug #78863

DirectoryIterator class silently truncates after a null byte

Submitted:

2019-11-23 10:01 UTC

Modified:

2019-12-16 19:01 UTC

From:

ryat@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

SPL related

PHP Version:

7.3.12

OS:

\*

Private report:

No

CVE-ID:

2019-11045

 **\[2019-11-23 10:01 UTC\] ryat@php.net**

Description:
------------
ext/spl/spl\_directory.c:
\`\`\`
void spl\_filesystem\_object\_construct(INTERNAL\_FUNCTION\_PARAMETERS, zend\_long ctor\_flags) /\* {{{ \*/
{
    ...
	if (SPL\_HAS\_FLAG(ctor\_flags, DIT\_CTOR\_FLAGS)) {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_FILEINFO;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "s|l", &path, &len, &flags);
	} else {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_SELF;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "s", &path, &len);
	}
\`\`\`

PoC:
\`\`\`
<?php

$dir = new DirectoryIterator("../../ryat\\x00/php");
foreach ($dir as $fileinfo) {
    if (!$fileinfo->isDot()) {
        var\_dump($fileinfo->getFilename());
    }
}

?>
\`\`\`

Fix:
\`\`\`
	if (SPL\_HAS\_FLAG(ctor\_flags, DIT\_CTOR\_FLAGS)) {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_FILEINFO;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "p|l", &path, &len, &flags);
	} else {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_SELF;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "p", &path, &len);
	}
\`\`\`

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-11-25 16:09 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Assigned To: +Assigned To: stas

 **\[2019-11-28 09:08 UTC\] stas@php.net**

Will do. Not sure whether it needs a CVE?

 **\[2019-11-29 04:31 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11044

 **\[2019-11-30 22:06 UTC\] stas@php.net**

\-CVE-ID: 2019-11044 +CVE-ID: 2019-11045

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Verified +Status: Closed

CVE-2019-11045: DirectoryIterator class silently truncates after a null byte

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

Sec Bug #78878

Buffer underflow in bc\_shift\_addsub

Submitted:

2019-11-28 15:03 UTC

Modified:

2019-12-16 19:01 UTC

From:

thomas-josef dot riedmaier at siemens dot com

Assigned:

stas (profile)

Status:

Closed

Package:

BC math related

PHP Version:

7.4.0

OS:

Windows

Private report:

No

CVE-ID:

2019-11046

 **\[2019-11-28 15:03 UTC\] thomas-josef dot riedmaier at siemens dot com**

Description:
------------
When executing the test snippet below, a buffer underflow occurs in bc\_shift\_addsub.

I theory, bc\_shift\_addsub's  assert statement would be triggered, but this does not play any role in the official windows release binaries https://windows.php.net/downloads/releases/php-7.4.0-Win32-vc15-x64.zip .

Instead, on our test machines, an ACCESS\_VIOLATION is triggered.

Test script:
---------------
<?php

print  bcmul(²6483605105519922841849335928742092, bcpowmod(2, 65535, -4e-4));

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-11-28 16:02 UTC\] cmb@php.net**

\-Status: Open +Status: Feedback \-Assigned To: +Assigned To: cmb

 **\[2019-11-28 16:02 UTC\] cmb@php.net**

I cannot reproduce the access violation (neither with the given
code, nor when I replace the ² with 2, nor when I just remove the
²).  And neither does the assertion trigger in a debug build for
me (it won't trigger in release builds anyway).

Could you please fix/clarify the test script?

 **\[2019-11-29 07:37 UTC\] thomas-josef dot riedmaier at siemens dot com**

I digged a little bit into this and it appears to be a system-dependent problem.

When running the script with Windows7 SP1 or Windows Server 2016 (1607), the script says "Warning: Use of undefined constant �6483605105519922841849335928742092 - assumed '�6483605105519922841849335928742092'" and crashes.

Note the non printable character here.

When running the script with Windows 10 (1809), the scipt says "Warning: Use of undefined constant 6483605105519922841849335928742092 - assumed '6483605105519922841849335928742092'"  and does not crash.

Note that there is no unprintable character here.

So it appears to me that depending on the Windows setup, php seem to ignore the '²', or not. If it is not ignored, an access violation occurs.

 **\[2019-11-29 10:21 UTC\] cmb@php.net**

Hmm, pretty strange that the behavior depends on the Windows
version, but of course, possible.

Could you please post what you get when running

  <?php
  var\_dump(²6483605105519922841849335928742092);

Note that the charset/character encoding may very well matter
here.

 **\[2019-11-29 13:05 UTC\] thomas-josef dot riedmaier at siemens dot com**

C:\\Users\\IEUser>C:\\Users\\IEUser\\Desktop\\php-7.4.0-Win32-vc15-x64\\php.exe C:\\Users\\IEUser\\Desktop\\text.php

Warning: Use of undefined constant ²6483605105519922841849335928742092 - assumed '²6483605105519922841849335928742092' (this will throw an Error in a future ver
sion of PHP) in C:\\Users\\IEUser\\Desktop\\text.php on line 3
string(35) "²6483605105519922841849335928742092"

 **\[2019-11-29 13:13 UTC\] cmb@php.net**

\-Status: Feedback +Status: Open

 **\[2019-11-29 13:13 UTC\] cmb@php.net**

Thanks!  That proves that the ² is encoded as a single byte (so
it's not any Unicode encoding).

 **\[2019-11-30 11:32 UTC\] cmb@php.net**

\-Type: Bug +Type: Security \-Assigned To: cmb +Assigned To: stas \-Private report: No +Private report: Yes

 **\[2019-11-30 11:32 UTC\] cmb@php.net**

While I still not have been able to reproduce the access
violation, it's pretty clear that the code may allow for that,
because it uses isdigit()\[1\] which is locale-dependent, to check
for digits, but only expects decimal ASCII digits\[2\].  So
depending on the current locale, on char signedness, and perhaps a
broken isdigit() implementation, this can lead to all kinds of
issues.

Therefore, I'm tentatively re-classifying as security issue.

Suggested patch: <https://gist.github.com/cmb69/4796c38a08cb17aef5daaa57bcf75041\>.
For PHP-7.3+ also PHP-7.3+.patch has to be applied.

Stas, could you please handle it from here?  If it's not security
issue, please assign back to me.

\[1\] <https://github.com/php/php-src/blob/php-7.4.0/ext/bcmath/libbcmath/src/str2num.c#L59-L61\>
\[2\] <https://github.com/php/php-src/blob/php-7.4.0/ext/bcmath/libbcmath/src/bcmath.h#L61-L64\>

 **\[2019-11-30 21:52 UTC\] stas@php.net**

I am not sure I understand the issue completely - let's say isdigit misclassified the character, what could happen because of that? Why it is different from just having non-digit passed to the function?

 **\[2019-12-01 12:43 UTC\] cmb@php.net**

If a non-digit is passed to the function, E\_WARNING is raised, and
the number is taken as zero.  If a digit, which is not an ASCII
digit, is passed, it is stored as \`digit - '0'\` (BCMath stores
each decimal digit in a full byte), and as such has a value < 0 or
> 9; libbcmath expects all bytes to be in range \[0,9\], though.

 **\[2019-12-16 08:16 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11046

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

CVE-2019-11046: PHP :: Sec Bug #78878 :: Buffer underflow in bc_shift_addsub

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

Sec Bug #78943

mail() may release string with refcount==1 twice

Submitted:

2019-12-10 17:12 UTC

Modified:

2019-12-16 19:08 UTC

From:

cmb@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

\*Mail Related

PHP Version:

7.3.13RC1

OS:

Windows

Private report:

No

CVE-ID:

2019-11049

**Patches**add-fronk-support (last revision 2022-07-18 03:19 UTC by 1033831147 at qq dot com)

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-12-10 17:12 UTC\] cmb@php.net**

\-Type: Bug +Type: Security \-Private report: No +Private report: Yes

 **\[2019-12-10 17:37 UTC\] cmb@php.net**

\-PHP Version: 7.2.26RC1 +PHP Version: 7.3.13RC1

 **\[2019-12-10 17:38 UTC\] cmb@php.net**

\-Operating System: \* +Operating System: Windows

 **\[2019-12-10 17:38 UTC\] cmb@php.net**

This affects Windows only.

 **\[2019-12-10 17:45 UTC\] cmb@php.net**

\-Assigned To: +Assigned To: stas

 **\[2019-12-10 20:07 UTC\] stas@php.net**

Sure. Not clear how this got into PCRE2 patch?

 **\[2019-12-16 19:07 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11049

 **\[2019-12-16 19:07 UTC\] stas@php.net**

Not sure it's even exploitable, but since mail could deal with external data, I'll add a CVE just in case.

 **\[2019-12-16 19:08 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

 **\[2019-12-16 19:08 UTC\] stas@php.net**

The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

CVE-2019-11049: mail() may release string with refcount==1 twice

HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core before 8.7.7 allows out-of-bounds access, as demonstrated by mishandling of an array copy during parsing of ICal data.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

Tag

#php