Bug 1076676 (CVE-2014-2497)

Summary: CVE-2014-2497 gd: NULL pointer dereference in gdImageCreateFromXpm()
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bgollahe, caolanm, carnil, drieden, fedora, hhorak, jkurik, jorton, mmaslano, mmcgrath, nobody+bgollahe, pertusus, rcollet, webstack-team, yselkowi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: php 5.5.16, php 5.4.32
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:32:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1080167, 1080168, 1114521, 1140017, 1140018, 1140023, 1140026, 1140027, 1149762, 1149771
Bug Blocks: 1076680, 1101912, 1138881, 1149858
Attachments:
reproducer.xpm (flags: none)

Description Vincent Danen 2014-03-14 19:57:56 UTC
It was reported [1] that the gdImageCreateFromXpm() function in libgd could dereference a NULL pointer, noting:

"The call to strlen() parses image.colorTable[i].c_color which is initialised as NULL if the particular color mapping uses a different key (such as monochrome/monovisual)."

This was reported against PHP, which includes an embedded copy of the gd library.  CVE-2014-2497 was assigned to this issue [2].

[1] https://bugs.php.net/bug.php?id=66901
[2] http://seclists.org/oss-sec/2014/q1/580

Comment 1 Vincent Danen 2014-03-14 20:03:40 UTC
Note that the PHP bug includes a reproducer, but it does not seem to work with the versions I've tried (it notes version 5.4.17, I tried with 5.4.25 and 5.3.3):

$ echo '<?php print imagecreatefromxpm("monochrome-poc.xpm")."\n"; ?>'|php

Warning: imagecreatefromxpm(): 'monochrome-poc.xpm' is not a valid XPM file in - on line 1
$ file monochrome-poc.xpm
monochrome-poc.xpm: X pixmap image text

It's possible that I did something wrong; I just cut-n-paste the reproducer from the upstream bug and I did not spend much time trying, so the bug is filed due to the CVE assignment.

Comment 2 Remi Collet 2014-03-15 16:20:09 UTC
Created attachment 874847 [details]
reproducer.xpm

This (correct) reproducer raises the segfault, tested with php 5.5.10 (and system gd 2.1).

php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'

Comment 3 Vincent Danen 2014-03-17 14:56:50 UTC
Thanks, Remi.  That is perfect.

Comment 4 Vincent Danen 2014-03-17 16:13:29 UTC
Based on this reproducer, this affects php53 on Red Hat Enterprise Linux 5, but not php (5.1) as it is not built with xpm support:

% echo "<?php var_dump(gd_info()); ?>"|php
array(12) {
  ["GD Version"]=>
  string(27) "bundled (2.0.28 compatible)"
  ["FreeType Support"]=>
  bool(true)
  ["FreeType Linkage"]=>
  string(13) "with freetype"
  ["T1Lib Support"]=>
  bool(false)
  ["GIF Read Support"]=>
  bool(true)
  ["GIF Create Support"]=>
  bool(true)
  ["JPG Support"]=>
  bool(true)
  ["PNG Support"]=>
  bool(true)
  ["WBMP Support"]=>
  bool(true)
  ["XPM Support"]=>
  bool(false)
  ["XBM Support"]=>
  bool(true)
  ["JIS-mapped Japanese Font Support"]=>
  bool(false)
}
% rpm -q php-gd
php-gd-5.1.6-43.el5_10

Comment 5 Tomas Hoger 2014-03-24 16:55:30 UTC
Summary of what is affected:

- php in Red Hat Enterprise Linux 5 is not affected (XPM support is disabled as noted in comment 4)
- php53 in Red Hat Enterprise Linux 5, php in Red Hat Enterprise Linux 6, php54-php in Red Hat Software Collections 1, and php packages in Fedora are affected

- gd in Red Hat Enterprise Linux 5 and 6, and gd packages in Fedora are affected

- libwmf packages in Red Hat Enterprise Linux 5 and 6, and libwmf packages in Fedora are not affected.  Red Hat Enterprise Linux 5 libwmf packages have bundled gd built without xpm support.  The libwmf packages in Red Hat Enterprise Linux 6 and later (including Fedora) have the whole gdImageCreateFromXpm() disabled (#if 0) via the libwmf-0.2.8.4-reducesymbols.patch:

http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-reducesymbols.patch?id=916cd2c#n467

Comment 7 Tomas Hoger 2014-03-24 19:37:25 UTC
Statement:

This issue affects the versions of gd as shipped with Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 8 Tomas Hoger 2014-03-24 19:39:34 UTC
This issue has not been fixed in the libgd version bundled in PHP.  It still seems to affect current upstream libgd 2.1.0, and there's no libgd upstream fix yet either.

Comment 9 Tomas Hoger 2014-03-24 19:40:32 UTC
Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1080168]

Comment 10 Tomas Hoger 2014-03-24 19:40:37 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1080167]

Comment 16 Fedora Update System 2014-08-15 02:31:56 UTC
gd-2.1.0-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Vincent Danen 2014-08-22 18:55:13 UTC
This is corrected in upstream PHP 5.5.16:

http://php.net/ChangeLog-5.php#5.5.16

Comment 18 Fedora Update System 2014-09-02 06:47:56 UTC
php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Martin Prpič 2014-09-25 12:14:03 UTC
IssueDescription:

A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file.

Comment 25 errata-xmlrpc 2014-09-30 05:14:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html

Comment 26 errata-xmlrpc 2014-09-30 09:09:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html

Comment 29 errata-xmlrpc 2014-10-30 19:45:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 30 errata-xmlrpc 2014-10-30 19:47:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Comment 31 Yaakov Selkowitz 2015-01-01 04:44:43 UTC
Why does the gd-2.1.0-color_c_null_pointer.patch in Fedora match neither the PHP patch nor the upstream libgd patch?

Comment 32 Tomas Hoger 2015-01-02 08:29:37 UTC
More importantly, the Fedora patch introduces a memory leak, afaics.  colors[] is not freed if the error is hit.  CCing patch author for comments.

Comment 33 Remi Collet 2015-01-02 08:41:33 UTC
IIRC, the patch applied in Fedora was the one attached to the initial upstream bug report.

Yes, this patch introduces a memory leak (while the upstream patch doesn't).
gd 2.1.1 should have been released a long time ago :(
I hope it will be very soon (there are some other important fixes in this bugfix release).

Comment 34 Jozef Mlich 2015-01-08 12:56:07 UTC
Thanks for spotting this. I have updated the fedora package to use upstream patch and tested it for memory leak.
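As an added illustration (not part of this bug report, and not libgd's, PHP's or Fedora's own code), the following C program models the two points raised above: the description's strlen() on a colour-table entry whose c_color is NULL because the pixmap defines that colour only under another key such as a monochrome mapping, and the error-path cleanup that comment 32 found missing in the Fedora patch (the colors[] array not being freed). The xpm_color struct, the make_table/free_table helpers, parse_c_color and convert_colors are hypothetical stand-ins for the real libgd code, and the colour values are constructed for the example; parse_c_color only accepts "None" and "#RRGGBB" to keep it short.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an XPM colour-table entry (not libgd's real struct).
 * c_color is NULL when the pixmap gives this colour only under another key,
 * e.g. a monochrome ("m") mapping, which is the input that reached strlen(NULL). */
typedef struct {
    char *c_color;   /* value of the "c" key, or NULL */
    char *m_color;   /* value of the "m" key, or NULL */
} xpm_color;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Build a colour table from constructed key values; NULL means "key absent". */
xpm_color *make_table(const char *const c_vals[], const char *const m_vals[], int ncolors) {
    xpm_color *t = calloc((size_t)ncolors, sizeof *t);
    if (!t) return NULL;
    for (int i = 0; i < ncolors; i++) {
        if (c_vals[i]) t[i].c_color = dup_str(c_vals[i]);
        if (m_vals[i]) t[i].m_color = dup_str(m_vals[i]);
    }
    return t;
}

void free_table(xpm_color *t, int ncolors) {
    if (!t) return;
    for (int i = 0; i < ncolors; i++) {
        free(t[i].c_color);
        free(t[i].m_color);
    }
    free(t);
}

/* Parse a "c" value: "None" is transparent (-1), "#RRGGBB" is packed RGB.
 * Other spellings are rejected here to keep the example short. Returns 1 on success. */
int parse_c_color(const char *c, int *rgb) {
    if (strcmp(c, "None") == 0) { *rgb = -1; return 1; }
    if (strlen(c) != 7 || c[0] != '#') return 0;
    int v = 0;
    for (int i = 1; i < 7; i++) {
        int ch = c[i], d;
        if (ch >= '0' && ch <= '9') d = ch - '0';
        else if (ch >= 'a' && ch <= 'f') d = ch - 'a' + 10;
        else if (ch >= 'A' && ch <= 'F') d = ch - 'A' + 10;
        else return 0;
        v = v * 16 + d;
    }
    *rgb = v;
    return 1;
}

/* Convert every table entry to an RGB value. Takes ownership of `table`.
 * The unpatched pattern called strlen(table[i].c_color) unconditionally; here a
 * NULL c_color is an error, and every early return frees both the table and the
 * colors[] array, the allocation comment 32 found leaking in the Fedora patch.
 * Returns ncolors on success and stores the array in *out, or -1 on error. */
int convert_colors(xpm_color *table, int ncolors, int **out) {
    if (!table) return -1;
    int *colors = calloc((size_t)ncolors, sizeof *colors);
    if (!colors) { free_table(table, ncolors); return -1; }
    for (int i = 0; i < ncolors; i++) {
        if (table[i].c_color == NULL || !parse_c_color(table[i].c_color, &colors[i])) {
            free(colors);                 /* must not be skipped on the error path */
            free_table(table, ncolors);
            return -1;
        }
    }
    free_table(table, ncolors);
    *out = colors;
    return ncolors;
}

int main(void) {
    /* constructed input: the second colour has only a monochrome key */
    const char *const c[] = {"#FF0000", NULL};
    const char *const m[] = {NULL, "black"};
    int *cols = NULL;
    int n = convert_colors(make_table(c, m, 2), 2, &cols);
    printf("%s\n", n < 0 ? "rejected: no NULL dereference, nothing leaked" : "converted");
    free(cols);
    return 0;
}
```

Running the program under a leak checker such as valgrind with the mono-only input is the check comment 34 describes: the rejected image must leave nothing allocated, which is exactly what the early-return path here guarantees and what the first Fedora patch did not.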

Comment 35 Fedora Update System 2015-01-19 01:35:05 UTC
gd-2.1.0-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2015-01-20 21:03:49 UTC
gd-2.1.0-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.