Candidate: CVE-2019-11044
PublicDate: 2019-12-23 03:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11044
Description:
 In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on
 Windows, PHP link() function accepts filenames with embedded \0 byte and
 treats them as terminating at that byte. This could lead to security
 vulnerabilities, e.g. in applications checking paths that the code is
 allowed to access.
Ubuntu-Description:
Notes:
 mdeslaur> windows-specific issue
Mitigation:
Bugs:
 http://bugs.php.net/78862
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_php5:
upstream_php5: not-affected (debian: Windows specific issue)
precise/esm_php5: not-affected (code not compiled)
trusty_php5: ignored (out of standard support)
trusty/esm_php5: not-affected (code not compiled)
xenial_php5: DNE
bionic_php5: DNE
disco_php5: DNE
eoan_php5: DNE
devel_php5: DNE

Patches_php7.0:
upstream_php7.0: not-affected (debian: Windows specific issue)
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: not-affected (code not compiled)
esm-infra/xenial_php7.0: not-affected (code not compiled)
bionic_php7.0: DNE
disco_php7.0: DNE
eoan_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
upstream_php7.2: needs-triage
precise/esm_php7.2: DNE
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: not-affected (code not compiled)
disco_php7.2: not-affected (code not compiled)
eoan_php7.2: DNE
devel_php7.2: DNE

Patches_php7.3:
upstream_php7.3: not-affected (debian: Windows specific issue)
precise/esm_php7.3: DNE
trusty_php7.3: DNE
trusty/esm_php7.3: DNE
xenial_php7.3: DNE
bionic_php7.3: DNE
disco_php7.3: DNE
eoan_php7.3: not-affected (code not compiled)
devel_php7.3: not-affected (code not compiled)