Bug 1336772 (CVE-2015-8874)

Summary: CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, dmcphers, fedora, hhorak, jialiu, jmlich83, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, mskalick, rcollet, sardella, tiwillia, varekova, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.6.12, php 5.5.37 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-19 20:42:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1336786    

Description Andrej Nemec 2016-05-17 12:30:07 UTC 
Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.

Upstream bug:

https://bugs.php.net/bug.php?id=66387
Comment 1 Andrej Nemec 2016-05-17 12:30:59 UTC 
Upstream fix:

http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
Comment 2 Tomas Hoger 2016-05-19 20:23:35 UTC 
This is not PHP flaw, but rather gd/libgd flaw.  PHP embeds the gd library as part of its gd extension.  Upstream gd bug report is still unresolved.  Apparently, the issue is not yet resolved in any released gd version.

https://github.com/libgd/libgd/issues/178

Additionally, in gd itself, both large positive and large negative coordinate can trigger deep recursion leading to stack overflow and crash.
Comment 4 Tomas Hoger 2016-05-19 20:42:16 UTC 
This has limited impact (crash), and is triggered if gdImageFillToBorder (libgd) or imagefilltoborder (php) function is called with starting coordinate outside the image boundaries, and the function is not very likely to get called with coordinate from untrusted source.  There is currently no plan to backport the fix to PHP packages in Red Hat products.
Comment 5 Tomas Hoger 2016-05-19 20:45:07 UTC 
PHP patch that added upper boundary:

http://git.php.net/?p=php-src.git;a=commitdiff;h=feba44546c27b0158f9ac20e72040a224b918c75
https://bugs.php.net/bug.php?id=22965
Comment 6 errata-xmlrpc 2016-11-15 11:52:14 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html