CVE-2019-9020 in Ubuntu

CVE-2019-9020

Priority

Description

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x
before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function
xmlrpc_decode() can lead to an invalid memory access (heap out of bounds
read or read after free). This is related to xml_elem_parse_buf in
ext/xmlrpc/libxmlrpc/xml_element.c.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9020
https://ubuntu.com/security/notices/USN-3902-1
https://ubuntu.com/security/notices/USN-3902-2

Bugs

https://bugs.php.net/bug.php?id=77242
https://bugs.php.net/bug.php?id=77249

Notes

Package

Source: php5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	released (5.5.9+dfsg-1ubuntu4.27)

Patches:

Package

Source: php7.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 16.04 ESM:	released (7.0.33-0ubuntu0.16.04.2)
Ubuntu 14.04 ESM:	DNE

Patches:

Upstream:

https://github.com/php/php-src/commit/9c62b95e5e6a1ac3922a8819f2d56d8ea998d97a (7.1)

Package

Source: php7.2 (LP Ubuntu Debian)

Upstream:	released (7.2.14)
Ubuntu 18.04 LTS:	released (7.2.15-0ubuntu0.18.04.1)
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: php7.3 (LP Ubuntu Debian)

Upstream:	released (7.3.1)
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Updated: 2022-04-13 14:01:12 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)