PublicDateAtUSN: 2019-03-08 Candidate: CVE-2019-9639 PublicDate: 2019-03-09 00:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9639 https://www.debian.org/security/2019/dsa-4403 https://ubuntu.com/security/notices/USN-3922-1 https://ubuntu.com/security/notices/USN-3922-2 https://ubuntu.com/security/notices/USN-3922-3 Description: An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable. Ubuntu-Description: Notes: mdeslaur> same patch as CVE-2019-9638 Bugs: https://bugs.php.net/bug.php?id=77659 Priority: medium Discovered-by: Assigned-to: leosilva CVSS: nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH] nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH] Patches_php5: upstream_php5: needs-triage precise/esm_php5: released (5.3.10-1ubuntu3.34) trusty_php5: released (5.5.9+dfsg-1ubuntu4.29) trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.29) xenial_php5: DNE bionic_php5: DNE cosmic_php5: DNE disco_php5: DNE devel_php5: DNE Patches_php7.0: upstream_php7.0: needs-triage precise/esm_php7.0: DNE trusty_php7.0: DNE trusty/esm_php7.0: DNE xenial_php7.0: released (7.0.33-0ubuntu0.16.04.3) esm-infra/xenial_php7.0: released (7.0.33-0ubuntu0.16.04.3) bionic_php7.0: DNE cosmic_php7.0: DNE disco_php7.0: DNE devel_php7.0: DNE Patches_php7.2: upstream: http://git.php.net/?p=php-src.git;a=commit;h=b82437eeddadf6a3a8c0f492acb6861682cd4d93 upstream_php7.2: released (7.2.16) precise/esm_php7.2: DNE trusty_php7.2: DNE trusty/esm_php7.2: DNE xenial_php7.2: DNE bionic_php7.2: released (7.2.15-0ubuntu0.18.04.2) cosmic_php7.2: released (7.2.15-0ubuntu0.18.10.2) disco_php7.2: released (7.2.15-0ubuntu3) devel_php7.2: released (7.2.15-0ubuntu3) Patches_php7.3: upstream_php7.3: released (7.3.3) precise/esm_php7.3: DNE trusty_php7.3: DNE trusty/esm_php7.3: DNE xenial_php7.3: DNE bionic_php7.3: DNE cosmic_php7.3: DNE disco_php7.3: DNE devel_php7.3: not-affected (7.3.4-2)