Bug 1065108 (CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, CVE-2014-2020)

Summary: CVE-2013-7226 CVE-2013-7327 CVE-2013-7328 CVE-2014-2020 php: multiple vulnerabilities in gdImageCrop()
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bgollahe, drieden, fedora, hhorak, jkurik, jorton, mmaslano, pertusus, pfrields, rcollet, tdawson, tkramer, varekova, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20140206,reported=20140206,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/php=notaffected,rhel-5/php=notaffected,rhel-5/php53=notaffected,rhel-6/php=notaffected,rhel-7/php=notaffected,rhscl-1/php54-php=notaffected,rhscl-1/php55-php=affected,rhel-5/gd=notaffected,rhel-6/gd=notaffected,rhel-7/gd=notaffected,fedora-all/php=affected,fedora-all/gd=affected
Fixed In Version: php 5.5.10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-13 19:17:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1065114
Bug Blocks: 1065115

Description Vincent Danen 2014-02-13 18:54:09 EST
A heap overflow vulnerability in PHP 5.5.0 and later was reported [1] in PHP's imagecrop() function.  In code that used the imagecrop() function to crop untrusted images, this vulnerability could cause a crash of the script or, possibly, the execution of arbitrary code as the user running the PHP script.

This has been corrected in PHP 5.5.9 [2].

[1] https://bugs.php.net/bug.php?id=66356
[2] http://git.php.net/?p=php-src.git;a=commitdiff;h=8f4a5373bb71590352fd934028d6dde5bc18530b


External References:

http://www.php.net/ChangeLog-5.php#5.5.9
Comment 1 Vincent Danen 2014-02-13 19:00:04 EST
Not vulnerable. This issue did not affect the versions of php or php53 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the vulnerable function (it was introduced in PHP 5.5.0).
Comment 2 Vincent Danen 2014-02-13 19:01:23 EST
PHP 5.5.9 is currently in Fedora 20 and Fedora 19-testing, so not filing additional tracking bugs there.
Comment 5 Tomas Hoger 2014-02-17 05:01:43 EST
HackerOne report:
https://hackerone.com/reports/1356
Comment 8 Vincent Danen 2014-02-18 17:41:44 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7327 to
the following vulnerability:

Name: CVE-2013-7327
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7327
Assigned: 20140218
Reference: http://git.php.net/?p=php-src.git;a=commit;h=8f4a5373bb71590352fd934028d6dde5bc18530b
Reference: https://bugs.php.net/bug.php?id=66356
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1065108

The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does
not check return values, which allows remote attackers to cause a
denial of service (application crash) or possibly have unspecified
other impact via invalid imagecrop arguments that lead to use of a
NULL pointer as a return value, a different vulnerability than
CVE-2013-7226.
Comment 9 Vincent Danen 2014-02-18 17:43:09 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7328 to
the following vulnerability:

Name: CVE-2013-7328
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7328
Assigned: 20140218
Reference: http://git.php.net/?p=php-src.git;a=commit;h=8f4a5373bb71590352fd934028d6dde5bc18530b
Reference: https://bugs.php.net/bug.php?id=66356
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1065108

Multiple integer signedness errors in the gdImageCrop function in
ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause
a denial of service (application crash) or obtain sensitive
information via an imagecrop function call with a negative value for
the (1) x or (2) y dimension, a different vulnerability than
CVE-2013-7226.
Comment 10 Vincent Danen 2014-02-18 17:44:53 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2020 to
the following vulnerability:

Name: CVE-2014-2020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2020
Assigned: 20140218
Reference: https://bugs.php.net/bug.php?id=66356
Reference: https://github.com/php/php-src/commit/2938329ce19cb8c4197dec146c3ec887c6f61d01

ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which
might allow remote attackers to obtain sensitive information by using
a (1) string or (2) array data type in place of a numeric data type,
as demonstrated by an imagecrop function call with a string for the x
dimension value, a different vulnerability than CVE-2013-7226.
Comment 11 Vincent Danen 2014-02-18 17:46:16 EST
I'm not sure why MITRE turned one issue into four, but as these all affect the same versions (5.5.0 through to and including 5.5.8, fixed in 5.5.9), and as none of these affect anything we support, it's safe enough to put them all in one bug that doesn't affect us.
Comment 12 Tomas Hoger 2014-03-03 09:34:00 EST
For completeness, this is official CVE description for CVE-2013-7226:

Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a heap-based buffer overflow.
Comment 13 Tomas Hoger 2014-03-03 09:48:44 EST
(In reply to Vincent Danen from comment #11)
> I'm not sure why MITRE turned one issue into four, but as these all affect
> the same versions (5.5.0 through to and including 5.5.8, fixed in 5.5.9)

The split does not seem too surprising here.  The reported issues actually affect 2 components - the php gd extension and the libgd library, which is bundled with php.  Issues in libgd may possibly affect the standalone gd library.

There are two upstream commits:

- libgd part (linked in comment 0):

http://git.php.net/?p=php-src.git;a=commitdiff;h=8f4a5373bb71590352fd934028d6dde5bc18530b

This covers: CVE-2013-7226, CVE-2013-7327, CVE-2013-7328

Note that CVE description for these says "gdImageCrop function in ext/gd/gd.c", while it should be "gdImageCrop function in ext/gd/libgd/gd_crop.c".

- php gd extension part:

http://git.php.net/?p=php-src.git;a=commitdiff;h=2938329ce19cb8c4197dec146c3ec887c6f61d01

This is CVE-2014-2020.

It can be argued whether 3 separate ids were needed for libgd, but the split seems consistent with CVE content decisions, where different flaw types imply a split.
Comment 14 Tomas Hoger 2014-03-03 11:37:39 EST
(In reply to Tomas Hoger from comment #13)
> Issues in the libgd may possibly affect standalone gd library.

None of the issues actually affect upstream libgd 2.1.0, where gdImageCrop() is implemented as a thin wrapper around gdImageCopy():

https://bitbucket.org/libgd/gd-libgd/src/9f0a7e7/src/gd_crop.c#cl-21

The gd versions as shipped in Red Hat Enterprise Linux 5 and 6, and Fedora up to version 19, include gd 2.0.35 or earlier.  These versions do not implement gdImageCrop() at all.

gdImageCrop() was added in libgd upstream via this commit:

https://bitbucket.org/libgd/gd-libgd/commits/f67452e

That version did not include a proper NULL check and hence was affected by the problems described in CVE-2013-7327.  The NULL check was added in this commit:

https://bitbucket.org/libgd/gd-libgd/commits/02ae7c2

Fedora 20 includes gd-2.1.0, which has the NULL check.

gdImageCopy() uses gdImageGetPixel() and gdImageSetPixel() internally, which already implement a check (using gdImageBoundsSafeMacro()) to avoid out of bounds access and are not affected by CVE-2013-7226 and CVE-2013-7328.
Comment 15 Tomas Hoger 2014-03-03 12:29:57 EST
(In reply to Vincent Danen from comment #10)
> Name: CVE-2014-2020
> 
> ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which
> might allow remote attackers to obtain sensitive information by using
> a (1) string or (2) array data type in place of a numeric data type,
> as demonstrated by an imagecrop function call with a string for the x
> dimension value, a different vulnerability than CVE-2013-7226.

This looks more like a bug than a security flaw.  This can easily be triggered by a script author, but with the removal of safe mode in PHP 5.4, it does not seem that PHP attempts to provide protections against malicious script authors any more.

A leak or crash is likely to be triggered remotely if values from $_GET or $_POST are directly passed to imagecrop().  However, the problem caused by that is unlikely to go unnoticed if a script doing so is tested.  The test case used in the upstream report has:

imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10))

using the string "a" as the value for x in the crop rectangle.  However, even a string representing a numeric value such as "0" triggers the crash.  Hence using $_GET['x'] would trigger a crash with a non-malicious x in the request; using e.g. intval($_GET['x']) was required.
Comment 16 Tomas Hoger 2014-03-03 12:41:20 EST
(In reply to Vincent Danen from comment #8)
> Name: CVE-2013-7327
> 
> The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does
> not check return values, which allows remote attackers to cause a
> denial of service (application crash) or possibly have unspecified
> other impact via invalid imagecrop arguments that lead to use of a
> NULL pointer as a return value, a different vulnerability than
> CVE-2013-7226.

The fix for this issue is incomplete.  It is still possible to trigger a NULL pointer dereference using crop rectangle width and height values that cause an integer overflow when multiplied.  gd detects that and gdImageCreate*() returns NULL.  That return value is only checked after use (in gdImageSaveAlpha() / gdImagePaletteCopy()).

Reported upstream in:
https://bugs.php.net/bug.php?id=66815

Test case:
imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535));
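As an added illustration, and not code from this bug, from PHP or from libgd, the C program below shows the validation a crop routine needs to perform before it allocates or copies anything, covering the failure modes discussed in comments 8 through 16: a NULL source, negative x/y (the signedness errors of CVE-2013-7328), a rectangle that runs past the source image (the heap overflow of CVE-2013-7226) and a width*height product that overflows (the 65535x65535 case from comment 16), with the allocation result checked before use rather than after. The image struct, the function names and the 4x4 test image are all constructed for this example and do not correspond to libgd's own types.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a gd image: 8-bit pixels, row-major. Constructed for
 * this example; it is not libgd's gdImage struct. */
typedef struct {
    int sx, sy;
    unsigned char *pixels;
} image_t;

typedef struct { int x, y, width, height; } rect_t;

/* One status per failure mode discussed in the bug thread. */
enum crop_status {
    CROP_OK = 0,
    CROP_ERR_NULL,           /* NULL source image or rectangle */
    CROP_ERR_NEGATIVE,       /* negative x/y or non-positive width/height */
    CROP_ERR_SIZE_OVERFLOW,  /* width * height does not fit the allocator's range */
    CROP_ERR_OUT_OF_BOUNDS,  /* rectangle extends past the source image */
    CROP_ERR_ALLOC           /* allocation failed: reported, never dereferenced */
};

/* Validate the rectangle against the source before any memory is touched. */
enum crop_status validate_crop(const image_t *src, const rect_t *r) {
    if (src == NULL || src->pixels == NULL || r == NULL)
        return CROP_ERR_NULL;
    if (r->x < 0 || r->y < 0 || r->width <= 0 || r->height <= 0)
        return CROP_ERR_NEGATIVE;
    /* Multiply in 64 bits so the check itself cannot overflow. */
    if ((int64_t)r->width * (int64_t)r->height > INT32_MAX)
        return CROP_ERR_SIZE_OVERFLOW;
    /* Compare with subtraction so x + width cannot wrap around. */
    if (r->width > src->sx || r->height > src->sy ||
        r->x > src->sx - r->width || r->y > src->sy - r->height)
        return CROP_ERR_OUT_OF_BOUNDS;
    return CROP_OK;
}

/* Crop into a freshly allocated image; NULL with *status set on any failure. */
image_t *crop_image(const image_t *src, const rect_t *r, enum crop_status *status) {
    enum crop_status st = validate_crop(src, r);
    if (st != CROP_OK) { if (status) *status = st; return NULL; }
    image_t *dst = calloc(1, sizeof *dst);
    unsigned char *buf = dst ? malloc((size_t)r->width * (size_t)r->height) : NULL;
    if (buf == NULL) {            /* checked before use, not after */
        free(dst);
        if (status) *status = CROP_ERR_ALLOC;
        return NULL;
    }
    dst->sx = r->width; dst->sy = r->height; dst->pixels = buf;
    for (int row = 0; row < r->height; row++)
        memcpy(buf + (size_t)row * (size_t)r->width,
               src->pixels + (size_t)(r->y + row) * (size_t)src->sx + (size_t)r->x,
               (size_t)r->width);
    if (status) *status = CROP_OK;
    return dst;
}

void free_image(image_t *img) { if (img) { free(img->pixels); free(img); } }

/* Constructed 4x4 test image whose pixel value equals its index (0..15). */
image_t *make_test_image(void) {
    image_t *img = calloc(1, sizeof *img);
    if (!img) return NULL;
    img->sx = 4; img->sy = 4;
    img->pixels = malloc(16);
    if (!img->pixels) { free(img); return NULL; }
    for (int i = 0; i < 16; i++) img->pixels[i] = (unsigned char)i;
    return img;
}

/* Outcome of cropping the test image with the given rectangle. */
enum crop_status crop_status_for(int x, int y, int w, int h) {
    image_t *img = make_test_image();
    rect_t r = {x, y, w, h};
    enum crop_status st = CROP_ERR_ALLOC;
    image_t *out = crop_image(img, &r, &st);
    free_image(out); free_image(img);
    return st;
}

/* Pixel idx of the cropped test image, or -1 if the crop was rejected. */
int cropped_pixel(int x, int y, int w, int h, int idx) {
    image_t *img = make_test_image();
    rect_t r = {x, y, w, h};
    enum crop_status st;
    image_t *out = crop_image(img, &r, &st);
    int v = (out && idx >= 0 && idx < out->sx * out->sy) ? out->pixels[idx] : -1;
    free_image(out); free_image(img);
    return v;
}

int main(void) {
    printf("crop 1,1,2,2: status %d, first pixel %d\n",
           crop_status_for(1, 1, 2, 2), cropped_pixel(1, 1, 2, 2, 0));
    printf("negative x: %d\n", crop_status_for(-1, 0, 2, 2));
    printf("huge x: %d\n", crop_status_for(INT32_MAX, 0, 2, 2));
    printf("65535x65535: %d\n", crop_status_for(0, 0, 65535, 65535));
    return 0;
}
```

The order of the checks matters: the sign check comes first so that the later arithmetic only ever sees non-negative operands, the product is computed in a wider type than the operands, and the bounds test is written as a subtraction against the source size so that no intermediate sum can wrap. The allocation result is tested before the first write into it, which is the gap comment 16 describes in the 5.5.9 fix.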
Comment 17 Tomas Hoger 2014-03-03 14:45:33 EST
Statement CVE-2014-2020:

Not vulnerable. This issue did not affect the versions of php or php53 as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of php54-php as shipped with Red Hat Software Collections 1, as they did not include the vulnerable function (it was introduced in PHP 5.5.0).

Statement CVE-2013-7226, CVE-2013-7327, CVE-2013-7328:

Not vulnerable. This issue did not affect the versions of php or php53 as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of php54-php as shipped with Red Hat Software Collections 1, as they did not include the vulnerable function (it was introduced in PHP 5.5.0). This issue also did not affect the versions of gd as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 18 Tomas Hoger 2014-03-06 10:47:54 EST
(In reply to Tomas Hoger from comment #16)
> The fix for this issue is incomplete.  It is still possible to trigger a NULL
> pointer dereference using crop rectangle width and height values that cause
> an integer overflow when multiplied.  gd detects that and gdImageCreate*()
> returns NULL.  That return value is only checked after use (in
> gdImageSaveAlpha() / gdImagePaletteCopy()).
> 
> Reported upstream in:
> https://bugs.php.net/bug.php?id=66815

The upstream bug is now public, and the issue is fixed in 5.5.10:

http://www.php.net/ChangeLog-5.php#5.5.10

Upstream commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=af09d8b96a8aacdd7d738fec81b695c1c58368f7