Bug 1609637 (CVE-2018-14883)

Summary: CVE-2018-14883 php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: andreas.maus, fedora, hhorak, jorton, rcollet, sfowler, webstack-team, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php 5.6.37, php 7.0.31, php 7.1.20, php 7.2.8
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-08-02 15:19:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1609638, 1609639
Bug Blocks: 1609640

Description Sam Fowler 2018-07-30 05:24:33 UTC
PHP before versions 5.6.37, 7.0.31, 7.1.20 and 7.2.8 is vulnerable to an integer overflow with subsequent heap-based buffer overflow in the exif.c:exif_thumbnail_extract() function. An attacker could exploit this to cause a denial of service via a crafted file.


Upstream Bug:

https://bugs.php.net/bug.php?id=76423


Upstream Patch:

http://git.php.net/?p=php-src.git;a=commit;h=1baeae42703f9b2ec21fff787146eeca08d45535

Comment 1 Sam Fowler 2018-07-30 05:25:02 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1609638]

Comment 4 Tomas Hoger 2018-08-02 12:29:58 UTC
As noted in comment 0, there is an integer overflow in the exif_thumbnail_extract() function, that leads to an out-of-bounds buffer read.  This may possibly lead to crash or limited memory disclosure.

The integer overflow is in the check:

  if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {

There are limits on the maximum values of offset (0xffffffff) and size (0xffff) and therefore the overflow only happens on 32-bit builds.  Therefore, this does not affect PHP packages as shipped with Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7, as those products only include 64-bit builds of PHP.

The size of the out-of-bounds read is determined by the size variable, and hence is limited to 64k bytes.
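
Added illustration of the check quoted in comment 4, written for this page rather than taken from PHP or the upstream patch: the function names, the stand-in arguments and the sample values are constructed. It reproduces the 32-bit wraparound in the bounds test and shows an overflow-safe way to write the same comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for ImageInfo->Thumbnail.offset / .size and the
 * buffer length used in the exif_thumbnail_extract() check quoted above.
 * uint32_t reproduces the arithmetic of a 32-bit build on any host. */

/* The check as quoted in comment 4: the sum is formed first, so it wraps
 * modulo 2^32 and a huge offset can pass as "in bounds". Returns true
 * when the thumbnail range is rejected. */
bool thumb_rejected_vulnerable(uint32_t offset, uint32_t size, uint32_t length)
{
    uint32_t sum = offset + size;   /* wraps on a 32-bit build */
    return sum > length;
}

/* Overflow-safe form (an added rewrite, not the upstream patch): never
 * form the sum, compare against the remaining room instead. */
bool thumb_rejected_fixed(uint32_t offset, uint32_t size, uint32_t length)
{
    if (size > length)
        return true;                /* more data than the whole buffer */
    return offset > length - size;  /* cannot underflow: size <= length */
}

/* Constructed sample values: a sane thumbnail, and a wrapping one whose
 * offset is near UINT32_MAX while size stays under the 0xffff cap. */
int main(void)
{
    const uint32_t length = 0x1000;
    struct { uint32_t offset, size; } cases[] = {
        { 0x10u,       0x100u }, /* fits: both checks accept */
        { 0xffffff00u, 0x1ffu }, /* wraps: 0xffffff00 + 0x1ff == 0xff (mod 2^32) */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("offset=0x%08x size=0x%04x  vulnerable rejects: %d  fixed rejects: %d\n",
               cases[i].offset, cases[i].size,
               thumb_rejected_vulnerable(cases[i].offset, cases[i].size, length),
               thumb_rejected_fixed(cases[i].offset, cases[i].size, length));
    }
    return 0;
}
```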

Comment 5 Tomas Hoger 2018-08-02 14:21:35 UTC
Note that the vulnerable code is only reached when extracting thumbnail data from images.  That happens when using the exif_thumbnail() function, or when using exif_read_data() with its fourth argument set to True (the default is False).

Comment 6 Tomas Hoger 2018-08-02 15:13:38 UTC
In Red Hat PHP packages, the Exif extension is included in the php-common sub-package, which is installed with all PHP installations.  For PHP versions before 5.5, the extension is compiled directly into the PHP binaries.  This was changed for PHP 5.5 packages and the Exif extension is now available as a loadable module:

https://src.fedoraproject.org/cgit/rpms/php.git/commit/?id=77d120e92be73a895596c27a32ede91112048914

Deployments that do not require the Exif extension and still want to ensure that the affected functionality cannot be used by accident can do one of the following:

* Prevent loading of the Exif extension (only in PHP 5.5 and later).  This can be achieved by modifying the configuration file exif.ini or 20-exif.ini, located in the php.d configuration directory.  Depending on the packages, that directory can be in /etc/php.d, /etc/opt/rh/rh-php*/php.d or /opt/rh/php*/root/etc/php.d (for Red Hat Software Collections packages).  In the exif.ini file, comment out the following line:

  extension=exif.so

A PHP application trying to call any of the Exif module functions would get a "Call to undefined function" error.

* Disable relevant functions using the disable_functions configuration directive.  Locate the disable_functions configuration in the php.ini file (found in /etc/, /etc/opt/rh/rh-php*/ or /opt/rh/php*/root/etc/) and add relevant functions to the list.  The list is empty by default, so after the change, it should contain:

  disable_functions = exif_read_data, exif_thumbnail, read_exif_data

A PHP application trying to call any of the disabled functions would get an error such as "exif_read_data() has been disabled for security reasons".

For more information about the disable_functions configuration directive, see:

http://www.php.net/manual/en/ini.core.php#ini.disable-functions