Bug 1132793 (CVE-2014-5120)
| Summary: | CVE-2014-5120 php: gd extension NUL byte injection in file names | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | caolanm, carnil, fedora, hhorak, jmlich, jorton, jrusnack, mmaslano, pertusus, rcollet, varekova, vdanen, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | php 5.5.16, php 5.4.32 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-31 10:26:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1132794, 1140026, 1140027, 1149762, 1149771 | ||
| Bug Blocks: | 1132795, 1138881, 1149858 | ||
|
Description
Murray McAllister
2014-08-22 05:10:07 UTC
Created php tracking bugs for this issue: Affects: fedora-all [bug 1132794] This is corrected in upstream PHP 5.5.16: http://php.net/ChangeLog-5.php#5.5.16 php-5.5.16-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Upstream commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=1daa4c0090b7cd8178dcaa96287234c69ac6ca18 This isn't GD issue, but PHP GD extension issue. (In reply to Murray McAllister from comment #0) > The upstream bug notes this issue was introduced in PHP version 5.4. This issue existed in earlier PHP versions too, but was corrected as part of CVE-2006-7243 (bug 662707). Hence this issue is corrected in all php packages in Red Hat Enterprise Linux 5 and 6. It seems the fix was not correctly merged to 5.4 branch upstream, leading to regression of the fix in upstream PHP 5.4 versions. The php packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream 5.4 or 5.5 and are therefore affected. (In reply to Tomas Hoger from comment #7) > It seems the fix was not correctly merged to 5.4 branch upstream, leading to > regression of the fix in upstream PHP 5.4 versions. The fix for CVE-2006-7243 that was applied to PHP 5.4 was different from the fix applied to 5.3. The internal zend_parse_parameters() function was extended to add support for a new type specifier 'p' (specifier meant for use for parsing string arguments that will be used as file paths) that differs from the 's' (specifier used for parsing string function arguments) specifier previously used to parse file name arguments by ensuring returned value does not contain any embedded NUL character. In case of GD extension, such change was properly applied to code paths used by imagegd, imagegd2 and imagexbm functions. However, the code path used by remaining functions (imagegif, imagejpeg, imagepng, imagewbmp, imagewebp) was not corrected. PHP applications using one of the above functions can be affected by this issue. For reference, I'm adding links to CVE-2006-7243 patches in 5.4 and 5.3: 5.4 http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a 5.3 http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6 Statement: This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as part of the fix for CVE-2006-7243. IssueDescription: It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html |