CVE-2019-9025

Name: CVE-2019-9025
Description: An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| php7.3 (PTS) | sid, buster, buster (security) | 7.3.11-1~deb10u1 | fixed |
| php7.3 (PTS) | bullseye | 7.3.10-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php7.3 | source | (unstable) | 7.3.1-1 | | | |

Notes

Fixed in 7.3.1
PHP Bug: https://bugs.php.net/bug.php?id=77367
