Bug 478425 (CVE-2008-5498)

Summary: CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure
Product: [Other] Security Response Reporter: Marc Schoenefeld <mschoene>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jorton, kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5498
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 08:48:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 487359, 487360, 487361, 487368, 487369, 487370, 487371    
Bug Blocks:    
Attachments:
Description Flags
Simple PoC none

Description Marc Schoenefeld 2008-12-29 21:33:11 UTC 
Hamid Ebadi reported a boundary condition flaw in PHP:

Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image. 

Upstream fix:  
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.23&r2=1.90.2.1.2.24&sortby=date&diff_format=l

Reproducer: 
http://downloads.securityfocus.com/vulnerabilities/exploits/33002.php
http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php
Comment 1 Tomas Hoger 2009-01-15 14:57:23 UTC 
Hamid Ebadi's advisory:

http://www.milw0rm.com/exploits/7646
http://www.securiteam.com/unixfocus/6G00Y0ANFU.html
Comment 2 Tomas Hoger 2009-01-15 15:47:00 UTC 
Created attachment 329104 [details]
Simple PoC

A local copy of:
  http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php
Comment 6 errata-xmlrpc 2009-04-06 16:38:15 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0338 https://rhn.redhat.com/errata/RHSA-2009-0338.html
Comment 7 errata-xmlrpc 2009-04-06 16:51:14 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:0337 https://rhn.redhat.com/errata/RHSA-2009-0337.html
Comment 8 errata-xmlrpc 2009-04-14 17:14:49 UTC 
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html
Comment 9 Fedora Update System 2009-05-30 02:33:35 UTC 
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-05-30 02:37:33 UTC 
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.