Bug 1297717 (CVE-2016-1903)

Summary: CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, carnil, cbuissar, dmcphers, fedora, jialiu, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, sardella, tiwillia, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.5.31, php 5.6.17 Doc Type: Bug Fix
Doc Text:
A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-03 13:03:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1297718    
Bug Blocks: 1297732    

Description Adam Mariš 2016-01-12 10:06:15 UTC 
In function:

resource imagerotate ( resource $image , float $angle , int $bgd_color [, int $ignore_transparent = 0 ] )

$bgd_color specifies the background color of an image. This is passed in as an integer that represents an index to the color palette. It was found that there is a lack of validation on $bgd_color. One can pass in a large number that exceeds the color palette array, which results in out-of-bounds memory read beyond the color palette. Information of the memory leak can then be obtained via the background color after the image has been rotated.

Upstream patches:

-> original fix
https://github.com/php/php-src/commit/4bb422343f29f06b7081323844d9b52e1a71e4a5
-> improvement
https://github.com/php/php-src/commit/2baeb167a08b0186a885208bdc8b5871f1681dc8
-> final correction, includes the reverse of the 2 above :
https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4

Upstream bug (contains reproducer):

https://bugs.php.net/bug.php?id=70976
Comment 1 Adam Mariš 2016-01-12 10:06:48 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1297718]
Comment 2 Remi Collet 2016-01-12 11:56:58 UTC 
This issue only affects PHP 5.5+ with bundled libgd >= 2.1

So it doesn't affects PHP 5.3 (RHEL-6) OR php 5.4 (RHEL-7)
Comment 3 Remi Collet 2016-01-12 13:26:25 UTC 
Fix:

https://github.com/php/php-src/commit/4bb422343f29f06b7081323844d9b52e1a71e4a5
https://github.com/php/php-src/commit/2baeb167a08b0186a885208bdc8b5871f1681dc8
https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4
Comment 7 errata-xmlrpc 2016-11-15 11:49:11 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html