Bug 1336772 (CVE-2015-8874)
Summary: | CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | abhgupta, dmcphers, fedora, hhorak, jialiu, jmlich83, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, mskalick, rcollet, sardella, tiwillia, varekova, webstack-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | php 5.6.12, php 5.5.37 | Doc Type: | If docs needed, set a value |
Last Closed: | 2016-05-19 20:42:16 UTC | Type: | --- |
Bug Blocks: | 1336786 |
Description
Andrej Nemec
2016-05-17 12:30:07 UTC
This is not a PHP flaw, but rather a gd/libgd flaw. PHP embeds the gd library as part of its gd extension.

Upstream gd bug report is still unresolved. Apparently, the issue is not yet resolved in any released gd version.

https://github.com/libgd/libgd/issues/178

Additionally, in gd itself, both large positive and large negative coordinates can trigger deep recursion leading to stack overflow and crash.

This has limited impact (crash), and is triggered if the gdImageFillToBorder (libgd) or imagefilltoborder (php) function is called with a starting coordinate outside the image boundaries, and the function is not very likely to get called with a coordinate from an untrusted source. There is currently no plan to backport the fix to PHP packages in Red Hat products.

PHP patch that added upper boundary:

http://git.php.net/?p=php-src.git;a=commitdiff;h=feba44546c27b0158f9ac20e72040a224b918c75
https://bugs.php.net/bug.php?id=22965

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html
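The mitigation discussed in this bug, as an added C example (not libgd or PHP code): the seed coordinate is checked against both image bounds before any filling starts, and the fill uses a heap-allocated work list instead of recursion, which goes beyond the bounds check described here. `img_t`, `fill_to_border` and `demo_fill` are hypothetical names, and the 5x5 image is constructed sample data.

```c
#include <stdlib.h>

/* Hypothetical minimal raster (not libgd's gdImage): one byte per pixel. */
typedef struct { int w, h; unsigned char *px; } img_t;

static int in_bounds(const img_t *im, int x, int y) {
    return x >= 0 && y >= 0 && x < im->w && y < im->h;
}

/* Fill from (x, y) with `color` up to `border`; returns pixels written, -1 on error. */
long fill_to_border(img_t *im, int x, int y, int border, int color) {
    /* Reject seeds outside the image: negative as well as too large. */
    if (!im || !im->px || !in_bounds(im, x, y)) return -1;
    size_t w = (size_t)im->w, n = w * (size_t)im->h;
    if (n > (size_t)-1 / sizeof(size_t)) return -1;
    size_t seed = (size_t)y * w + (size_t)x;
    if (im->px[seed] == border || im->px[seed] == color) return 0;
    /* Heap work list instead of recursion; each pixel is pushed at most once. */
    size_t *stack = malloc(n * sizeof *stack);
    if (!stack) return -1;
    size_t top = 0; long filled = 0;
    static const int dx[4] = {1, -1, 0, 0}, dy[4] = {0, 0, 1, -1};
    im->px[seed] = (unsigned char)color;   /* mark when pushed */
    stack[top++] = seed;
    while (top > 0) {
        size_t i = stack[--top];
        int cx = (int)(i % w), cy = (int)(i / w);
        filled++;
        for (int d = 0; d < 4; d++) {
            int nx = cx + dx[d], ny = cy + dy[d];
            if (!in_bounds(im, nx, ny)) continue;
            size_t j = (size_t)ny * w + (size_t)nx;
            if (im->px[j] == border || im->px[j] == color) continue;
            im->px[j] = (unsigned char)color;
            stack[top++] = j;
        }
    }
    free(stack);
    return filled;
}

/* Constructed 5x5 sample: border colour 1 on the outer ring, 0 inside. */
long demo_fill(int x, int y) {
    unsigned char px[25];
    for (int i = 0; i < 25; i++)
        px[i] = (i % 5 == 0 || i % 5 == 4 || i / 5 == 0 || i / 5 == 4) ? 1 : 0;
    img_t im = {5, 5, px};
    return fill_to_border(&im, x, y, 1, 2);
}
```

Because the work list is sized to the pixel count and pixels are marked when pushed, memory use is bounded by the image size regardless of the region's shape.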