Bug 2139280 (CVE-2022-31630)

Summary: CVE-2022-31630 php: OOB read due to insufficient input validation in imageloadfont()
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: hhorak, jorton, kyoshida, rcollet
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: php 7.4.33
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in PHP due to insufficient input validation in the imageloadfont() function. This flaw allows a remote attacker to pass specially crafted data to the web application, trigger an out-of-bounds read error, and read the contents of memory on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-17 01:46:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2139281, 2139285, 2139286, 2139287, 2139288, 2161668, 2161669
Bug Blocks: 2138925

Description TEJ RATHI 2022-11-02 04:51:58 UTC
It is possible to construct font files supposed to be loaded by imageloadfont() which trigger OOB reads if the fonts are actually accessed (e.g. by imagechar()). The given test script exploits that by triggering the assignment of a zero byte memory allocation to gdFont.data (which is happily accepted by imageloadfont()), and reads beyond this "buffer" when calling imagechar(). So if an application allows uploading arbitrary font files and working with them, it is likely vulnerable.

References:
https://www.php.net/ChangeLog-8.php#8.0.25
https://bugs.php.net/bug.php?id=81739
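The description above comes down to imageloadfont() accepting a header whose character count or glyph dimensions are zero, so the pixel buffer it allocates is empty and any later glyph access reads past it. An application that accepts user-supplied font files can reject such headers before the file ever reaches the GD extension. The following is an added example written for this page, not code from the bug report or from PHP itself. It assumes the file layout documented for imageloadfont(): four 32-bit integers in host byte order (number of characters, first character code, glyph width, glyph height) followed by nchars*width*height bytes, one byte per pixel. The policy limits and the helper names are this example's own choices.

```php
<?php
// Added example: pre-validate a GD font blob before calling imageloadfont().
// Layout assumed (from the imageloadfont() documentation): bytes 0-3 nchars,
// 4-7 first char code, 8-11 width, 12-15 height, then nchars*width*height
// pixel bytes. 'L' unpacks a 32-bit unsigned int in machine byte order, which
// matches the format being "architecture dependent".

const GD_FONT_HEADER_LEN = 16;
const GD_FONT_MAX_CHARS  = 256;  // policy limit chosen for this example
const GD_FONT_MAX_DIM    = 64;   // policy limit chosen for this example

/**
 * Returns null when the blob is structurally acceptable, otherwise a short
 * reason string describing why it was rejected.
 */
function validateGdFont(string $blob): ?string
{
    if (strlen($blob) < GD_FONT_HEADER_LEN) {
        return 'truncated header';
    }
    $h = unpack('Lnchars/Lfirst/Lwidth/Lheight', $blob);

    // A zero in any of these three fields yields an empty pixel buffer, which
    // is exactly the condition the bug report describes: the loader accepts it
    // and later glyph reads run off the end of the allocation.
    foreach (['nchars', 'width', 'height'] as $field) {
        if ($h[$field] < 1) {
            return "$field must be positive, got {$h[$field]}";
        }
    }

    // Cap the dimensions so the multiplication below cannot overflow and so an
    // attacker-chosen header cannot demand an enormous allocation.
    if ($h['nchars'] > GD_FONT_MAX_CHARS
        || $h['width'] > GD_FONT_MAX_DIM
        || $h['height'] > GD_FONT_MAX_DIM) {
        return 'font dimensions exceed policy limits';
    }

    // The pixel data must be exactly as long as the header promises; anything
    // shorter means glyph reads would again reach past the end of the data.
    $expected = GD_FONT_HEADER_LEN + $h['nchars'] * $h['width'] * $h['height'];
    if (strlen($blob) !== $expected) {
        return "size mismatch: expected $expected bytes, got " . strlen($blob);
    }
    return null;
}

/**
 * Loads a font only after it has passed validation (hypothetical wrapper).
 */
function loadValidatedFont(string $path)
{
    $blob = file_get_contents($path);
    if ($blob === false) {
        throw new RuntimeException("cannot read font file $path");
    }
    $reason = validateGdFont($blob);
    if ($reason !== null) {
        throw new RuntimeException("rejected font file $path: $reason");
    }
    return imageloadfont($path);
}

// Constructed sample inputs (not real font files).
$wellFormed = pack('L4', 2, 65, 4, 4) . str_repeat("\x01", 2 * 4 * 4);
$emptyBuffer = pack('L4', 0, 65, 0, 0);            // zero-sized pixel buffer
$shortData   = pack('L4', 2, 65, 4, 4) . "\x01";   // header promises 32 bytes

var_dump(validateGdFont($wellFormed));   // NULL (accepted)
var_dump(validateGdFont($emptyBuffer));  // "nchars must be positive, got 0"
var_dump(validateGdFont($shortData));    // "size mismatch: expected 48 bytes, got 17"
```

Running the validator on the raw bytes rather than on the path means the check happens before any GD code touches the file; the expected-size comparison also catches truncated uploads that would otherwise leave part of the pixel buffer unfilled.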

Comment 1 TEJ RATHI 2022-11-02 04:52:11 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2139281]

Comment 4 errata-xmlrpc 2023-02-21 09:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0848 https://access.redhat.com/errata/RHSA-2023:0848

Comment 5 errata-xmlrpc 2023-02-28 08:20:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0965 https://access.redhat.com/errata/RHSA-2023:0965

Comment 6 errata-xmlrpc 2023-05-09 07:45:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2417 https://access.redhat.com/errata/RHSA-2023:2417

Comment 7 errata-xmlrpc 2023-05-16 08:26:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2903 https://access.redhat.com/errata/RHSA-2023:2903

Comment 8 Product Security DevOps Team 2023-05-17 01:46:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31630