Bug 1359770

Summary: php,gd: gdImageTrueColorToPaletteBody allows arbitrary write/read access
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, dmcphers, fedora, hhorak, jialiu, jmlich83, jokerman, jorton, kseifried, lmeyer, mmccomas, mskalick, rcollet, sardella, slawomir, tiwillia, varekova, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: php 5.5.38, php 5.6.24, php 7.0.9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-12 05:43:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1359837, 1359839
Bug Blocks: 1359830

Description Adam Mariš 2016-07-25 12:24:17 UTC
It was found that gdImageTrueColorToPaletteBody doesn't check for negative transparent colors while converting the image, which can lead to an arbitrary null write and an information leak.

Upstream bug:

https://bugs.php.net/bug.php?id=72512
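
The check the description says is missing, shown on a deliberately simplified model of a gd-style palette image. This is an added example and not libgd's code or the upstream fix; the struct, MAX_COLORS and the two functions are hypothetical, and -1 is used as the "no transparent colour" sentinel as in gd.

```c
#include <assert.h>
#include <stdio.h>

/* Hypothetical, simplified model of a gd-style palette image: a fixed
 * palette plus a transparent index, where -1 means "none". Not libgd's struct. */
#define MAX_COLORS 256

typedef struct {
    int colors_total;        /* palette entries actually in use */
    int red[MAX_COLORS];
    int green[MAX_COLORS];
    int blue[MAX_COLORS];
    int transparent;         /* palette index, or -1 for no transparency */
} PaletteImage;

/* Range-check a transparent index before it is used to address the palette
 * arrays. Returns 1 if the index may be used, 0 if it must be treated as
 * "no transparent colour". Without this check a negative value (the -1
 * sentinel or anything below zero) indexes memory before the arrays, and a
 * value >= colors_total reads or writes past the entries in use. */
int transparent_index_ok(const PaletteImage *im)
{
    return im->transparent >= 0 && im->transparent < im->colors_total;
}

/* Carry src's transparent colour over to dst at the same palette index,
 * but only after the index has been validated. Returns the index copied,
 * or -1 when src carries no usable transparent colour. */
int copy_transparent(const PaletteImage *src, PaletteImage *dst)
{
    if (!transparent_index_ok(src)) {
        dst->transparent = -1;   /* preserve "none" instead of trusting the value */
        return -1;
    }
    int t = src->transparent;
    dst->red[t]   = src->red[t];
    dst->green[t] = src->green[t];
    dst->blue[t]  = src->blue[t];
    dst->transparent = t;
    return t;
}

int main(void)
{
    /* Constructed sample: a 4-colour palette whose transparent index is 2. */
    PaletteImage src = { .colors_total = 4, .transparent = 2 };
    PaletteImage dst = { .colors_total = 4, .transparent = -1 };
    src.red[2] = 10; src.green[2] = 20; src.blue[2] = 30;
    printf("copied index %d\n", copy_transparent(&src, &dst));   /* 2 */
    src.transparent = -1;
    printf("copied index %d\n", copy_transparent(&src, &dst));   /* -1 */
    return 0;
}
```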

Comment 1 Adam Mariš 2016-07-25 14:12:04 UTC
Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1359839]

Comment 2 Adam Mariš 2016-07-25 14:12:14 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1359837]

Comment 3 Huzaifa S. Sidhpurwala 2016-08-12 05:43:39 UTC
Analysis:

As per upstream: 

"Not sure how exploitable this is... theoretically could be if somebody had online image editor, etc. though it's a bit far-reaching by this point..."

This flaw can only be exploited if some kind of special image wrangling is done by the PHP script, based on attacker input.

Based on the above, Red Hat Product Security Team does not consider this as a security flaw.