Bug 459529 (CVE-2008-3658)

Summary: CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jorton, kreilly, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 22:31:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 487359, 487360, 487361, 487368, 487369, 487370, 487371    
Bug Blocks:    
Attachments:
Description Flags
Reproducer from upstream CVS none

Description Tomas Hoger 2008-08-19 18:41:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3658 to
the following vulnerability:

Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.

References:
http://www.php.net/archive/2008.php#id2008-08-07-1
http://www.openwall.com/lists/oss-security/2008/08/08/2
http://www.openwall.com/lists/oss-security/2008/08/13/8
http://news.php.net/php.cvs/51219

Comment 1 Tomas Hoger 2008-08-19 18:42:48 UTC
According to upstream, this issue does not affect stand-along gd, only "modified" gd version as used by PHP:
http://www.openwall.com/lists/oss-security/2008/08/13/11

Comment 2 Tomas Hoger 2008-08-19 18:44:23 UTC
Created attachment 314567 [details]
Reproducer from upstream CVS

http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt

Comment 3 Remi Collet 2008-08-20 08:27:02 UTC
Reproducer test from upstream failed with 5.2.6 build.

Fedora PHP build provides the bundled GD library and don't use the system one (even if php-devel is BR, I don't find any explanation about this in the spec changelog)

@joe Shouldn't we switch to --with-gd=shared,%{_prefix} ?

Regards

Comment 8 errata-xmlrpc 2009-04-06 16:38:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0338 https://rhn.redhat.com/errata/RHSA-2009-0338.html

Comment 9 errata-xmlrpc 2009-04-06 16:51:10 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:0337 https://rhn.redhat.com/errata/RHSA-2009-0337.html

Comment 10 errata-xmlrpc 2009-04-14 17:14:42 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html

Comment 11 Fedora Update System 2009-05-30 02:33:44 UTC
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-05-30 02:37:45 UTC
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.