CVE-2019-11046 in Ubuntu

CVE-2019-11046

Priority

Description

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP
bcmath extension functions on some systems, including Windows, can be
tricked into reading beyond the allocated space by supplying it with string
containing characters that are identified as numeric by the OS but aren't
ASCII numbers. This can read to disclosure of the content of some memory
locations.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046
http://git.php.net/?p=php-src.git;a=patch;h=2d07f00b73d8f94099850e0f5983e1cc5817c196
https://ubuntu.com/security/notices/USN-4239-1

Bugs

http://bugs.php.net/78878

Assigned-to

leosilva

Notes

Package

Source: php5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	released (5.5.9+dfsg-1ubuntu4.29+esm8)

Patches:

Package

Source: php7.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 16.04 ESM:	released (7.0.33-0ubuntu0.16.04.9)
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: php7.2 (LP Ubuntu Debian)

Upstream:	released (7.2.26)
Ubuntu 18.04 LTS:	released (7.2.24-0ubuntu0.18.04.2)
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: php7.3 (LP Ubuntu Debian)

Upstream:	released (7.3.13)
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Upstream:

http://git.php.net/?p=php-src.git;a=commit;h=eb23c6008753b1cdc5359dead3a096dce46c9018

More Information

Updated: 2022-04-13 13:36:51 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)