Bug 1076676 (CVE-2014-2497)
Summary: CVE-2014-2497 gd: NULL pointer dereference in gdImageCreateFromXpm()
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bgollahe, caolanm, carnil, drieden, fedora, hhorak, jkurik, jorton, mmaslano, mmcgrath, nobody+bgollahe, pertusus, rcollet, webstack-team, yselkowi
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: php 5.5.16, php 5.4.32
Doc Type: Bug Fix
Doc Text: A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file.
Story Points: ---
Last Closed: 2019-06-08 02:32:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1080167, 1080168, 1114521, 1140017, 1140018, 1140023, 1140026, 1140027, 1149762, 1149771
Bug Blocks: 1076680, 1101912, 1138881, 1149858
Description
Vincent Danen
2014-03-14 19:57:56 UTC

Note that the PHP bug includes a reproducer, but it does not seem to work with the versions I've tried (it notes version 5.4.17, I tried with 5.4.25 and 5.3.3):

    $ echo '<?php print imagecreatefromxpm("monochrome-poc.xpm")."\n"; ?>'|php
    Warning: imagecreatefromxpm(): 'monochrome-poc.xpm' is not a valid XPM file in - on line 1
    $ file monochrome-poc.xpm
    monochrome-poc.xpm: X pixmap image text

It's possible that I did something wrong; I just cut-n-pasted the reproducer from the upstream bug and I did not spend much time trying, so the bug is filed due to the CVE assignment.


Created attachment 874847 [details]
reproducer.xpm

This (correct) reproducer raises the segfault, tested with php 5.5.10 (and system gd 2.1).

    php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
Thanks, Remi. That is perfect.

Based on this reproducer, this affects php53 on Red Hat Enterprise Linux 5, but not php (5.1) as it is not built with xpm support:

    % echo "<?php var_dump(gd_info()); ?>"|php
    array(12) {
      ["GD Version"]=>
      string(27) "bundled (2.0.28 compatible)"
      ["FreeType Support"]=>
      bool(true)
      ["FreeType Linkage"]=>
      string(13) "with freetype"
      ["T1Lib Support"]=>
      bool(false)
      ["GIF Read Support"]=>
      bool(true)
      ["GIF Create Support"]=>
      bool(true)
      ["JPG Support"]=>
      bool(true)
      ["PNG Support"]=>
      bool(true)
      ["WBMP Support"]=>
      bool(true)
      ["XPM Support"]=>
      bool(false)
      ["XBM Support"]=>
      bool(true)
      ["JIS-mapped Japanese Font Support"]=>
      bool(false)
    }
    % rpm -q php-gd
    php-gd-5.1.6-43.el5_10


Summary of what is affected:

- php in Red Hat Enterprise Linux 5 is not affected (XPM support is disabled as noted in comment 4)
- php53 in Red Hat Enterprise Linux 5, php in Red Hat Enterprise Linux 6, php54-php in Red Hat Software Collections 1, and php packages in Fedora are affected
- gd in Red Hat Enterprise Linux 5 and 6, and gd packages in Fedora are affected
- libwmf packages in Red Hat Enterprise Linux 5 and 6, and libwmf packages in Fedora are not affected. Red Hat Enterprise Linux 5 libwmf packages have bundled gd built without xpm support. The libwmf packages in Red Hat Enterprise Linux 6 and later (including Fedora) have the whole gdImageCreateFromXpm() disabled (#if 0) via the libwmf-0.2.8.4-reducesymbols.patch:
  http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-reducesymbols.patch?id=916cd2c#n467


Statement:

This issue affects the versions of gd as shipped with Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


This issue has not been fixed in the libgd version bundled in PHP.
It still seems to affect current upstream libgd 2.1.0, and there's no libgd upstream fix yet either.


Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1080168]


Created php tracking bugs for this issue:

Affects: fedora-all [bug 1080167]


GD upstream fix:
https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704

PHP upstream fix (will be in 5.4.32, 5.5.16):
http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420


gd-2.1.0-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.


This is corrected in upstream PHP 5.5.16:
http://php.net/ChangeLog-5.php#5.5.16


php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.


IssueDescription:
A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html


This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html


This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html


This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html


Why does the gd-2.1.0-color_c_null_pointer.patch in Fedora match neither the PHP patch nor the upstream libgd patch? More importantly, the Fedora patch introduces a memory leak, afaics. colors[] is not freed if the error is hit. CCing patch author for comments.


IIRC, the patch applied in Fedora was the one attached to the initial upstream bug report. Yes, this patch introduces a memory leak (while the upstream patch doesn't). gd 2.1.1 should have been released a long time ago :( I hope it will be very soon (some other important fixes in this bugfix release).


Thanks for spotting this. I have updated the fedora package to use the upstream patch and tested it for memory leaks.


gd-2.1.0-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.


gd-2.1.0-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
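The last exchange makes two separate points about the colour-table loop in an XPM loader: a colour-table entry that carries no usable colour string must be rejected before it is dereferenced, and the rejection path must still free the scratch colors[] array, which the first Fedora patch did not do. The following is an added illustration written for this page, not code from libgd, PHP or the Fedora package. The struct layout, the function names and the "#rrggbb" colour syntax are simplifications assumed for the example; an allocation counter stands in for a leak checker so the difference between the two error paths is observable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outstanding-allocation counter, so the leak is visible without a leak checker. */
static int live_allocs = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) { live_allocs--; free(p); }
}

/* Assumed, simplified colour-table entry: XPM lets an entry carry a colour for
 * several visual classes and a file may omit any of them, so each of these
 * pointers can legitimately be NULL. */
typedef struct {
    const char *c_color;   /* "c" key: colour visual */
    const char *g_color;   /* "g" key: greyscale */
    const char *m_color;   /* "m" key: monochrome */
} xpm_color_entry;

/* First colour string present, or NULL when the entry carries none. */
static const char *pick_color(const xpm_color_entry *e)
{
    if (e->c_color) return e->c_color;
    if (e->g_color) return e->g_color;
    if (e->m_color) return e->m_color;
    return NULL;
}

/* "#rrggbb" -> 0xRRGGBB, or -1 if the string is not of that form. */
static int parse_rgb(const char *s)
{
    char *end;
    if (s[0] != '#' || strlen(s) != 7) return -1;
    long v = strtol(s + 1, &end, 16);
    return *end == '\0' ? (int)v : -1;
}

/* Variant A: checks for the NULL colour (so it no longer crashes) but returns
 * from inside the loop, leaking the scratch colors[] array. */
int build_palette_leaky(const xpm_color_entry *table, int n, int *out)
{
    if (n <= 0) return -1;
    int *colors = tracked_malloc(sizeof(int) * (size_t)n);
    if (!colors) return -1;
    for (int i = 0; i < n; i++) {
        const char *color = pick_color(&table[i]);
        if (!color) return -1;            /* early return: colors[] never freed */
        colors[i] = parse_rgb(color);
        if (colors[i] < 0) return -1;     /* same leak on a malformed colour */
    }
    memcpy(out, colors, sizeof(int) * (size_t)n);
    tracked_free(colors);
    return 0;
}

/* Variant B: single exit. Every failure jumps to done, so colors[] is
 * released on the error path as well as on success. */
int build_palette(const xpm_color_entry *table, int n, int *out)
{
    int ret = -1;
    if (n <= 0) return -1;
    int *colors = tracked_malloc(sizeof(int) * (size_t)n);
    if (!colors) return -1;
    for (int i = 0; i < n; i++) {
        const char *color = pick_color(&table[i]);
        if (!color) goto done;            /* reject instead of strcmp(NULL, ...) */
        colors[i] = parse_rgb(color);
        if (colors[i] < 0) goto done;
    }
    memcpy(out, colors, sizeof(int) * (size_t)n);
    ret = 0;
done:
    tracked_free(colors);
    return ret;
}

/* Allocations still outstanding; 0 means nothing has leaked so far. */
int outstanding_allocs(void) { return live_allocs; }

/* Constructed sample tables (not taken from any real XPM file). */
const xpm_color_entry sample_ok[2]      = { {"#ff0000", NULL, NULL}, {NULL, "#808080", NULL} };
const xpm_color_entry sample_missing[2] = { {"#ff0000", NULL, NULL}, {NULL, NULL, NULL} };

int main(void)
{
    int out[2];
    int rc = build_palette(sample_missing, 2, out);
    printf("fixed loader: rc=%d outstanding allocations=%d\n", rc, outstanding_allocs());
    rc = build_palette_leaky(sample_missing, 2, out);
    printf("leaky loader: rc=%d outstanding allocations=%d\n", rc, outstanding_allocs());
    return 0;
}
```

Both variants reject the entry with no colour key instead of passing NULL to strcmp(), which is the crash behind the CVE; only the single-exit variant leaves the allocation counter at zero after the rejection, which is the property the reviewer in the thread asked the Fedora patch to be checked for.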