Bug 670799 (CVE-2010-4698)

Summary: CVE-2010-4698 php: GD crash in imagepstext with invalid anti-aliasing argument
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: jorton
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-01-19 14:18:08 UTC

Description Tomas Hoger 2011-01-19 12:40:08 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4698 to the following issue:

Stack-based buffer overflow in the GD extension in PHP before 5.2.15
and 5.3.x before 5.3.4 allows context-dependent attackers to cause a
denial of service (application crash) via vectors related to the
imagepstext function and invalid anti-aliasing.

References:
http://bugs.php.net/53492 (currently not public)
http://www.php.net/ChangeLog-5.php#5.3.4
http://www.php.net/ChangeLog-5.php#5.2.15

Upstream commit:
http://svn.php.net/viewvc?view=revision&revision=306075

Comment 2 Tomas Hoger 2011-01-19 13:29:49 UTC
(In reply to comment #0)
> Upstream commit:
> http://svn.php.net/viewvc?view=revision&revision=306075

And the correction of the initial commit:
http://svn.php.net/viewvc/?view=revision&revision=306234

Comment 3 Tomas Hoger 2011-01-19 14:18:08 UTC
PHP GD extension only provides imagepstext() function when PHP was compiled with t1lib support.  That is not the case for PHP packages in Red Hat Enterprise Linux 4, 5 and 6, which are hence unaffected by this issue.

Fedora PHP packages are built with t1lib support.  Stable Fedora versions are currently updated to PHP version 5.3.4, which has the stack-based buffer overflow fixed.  However, 5.3.4 (and 5.3.5 too) only include the first fix, r306075, and do not yet provide the corrected fix, r306234.  Due to the broken check, the imagepstext() function now always returns false and reports:

  PHP Warning:  imagepstext(): AA steps must be 4 or 16 in ..

It's also reasonable to assume that the antialias_steps parameter passed to the function does not come from untrusted input, even more so as the documentation explicitly lists 4 and 16 as the only valid values.  Therefore, this issue is only likely to be relevant for safe_mode / open_basedir restriction bypasses (see also bug #169857).

Statement:

Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 4, 5, or 6.
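The two practical points in comment 3 are that antialias_steps should never carry untrusted input, and that a build shipping only r306075 rejects even the valid values 4 and 16. The following PHP is an added example for checking both on a given host; it is not code from the bug report or from PHP upstream. It assumes a PHP GD build with t1lib support (without it imagepstext() simply does not exist) and a Type 1 font file at a placeholder path; the helper names safe_aa_steps() and probe_imagepstext() are this example's own.

```php
<?php
// Added example, not from the bug report or PHP upstream. Written for the
// PHP 5.3-era API the bug concerns (no short array syntax, no array consts).

/**
 * Clamp an untrusted antialias_steps value to one of the two values the
 * imagepstext() documentation permits, so nothing else reaches the extension.
 * Any other value falls back to the documented default of 4.
 */
function safe_aa_steps($untrusted)
{
    $steps = (int) $untrusted;
    return in_array($steps, array(4, 16), true) ? $steps : 4;
}

/**
 * Probe whether the installed build shows the half-fixed behaviour from
 * comment 3: a valid call rejected with "AA steps must be 4 or 16".
 * Returns one of:
 *   'unavailable'  - imagepstext() not compiled in (no t1lib support)
 *   'broken'       - valid call returned false with the AA steps warning
 *   'ok'           - valid call returned a bounding box
 *   'error:<msg>'  - some other warning (e.g. the font could not be loaded)
 */
function probe_imagepstext($fontPath)
{
    if (!function_exists('imagepstext')) {
        return 'unavailable';
    }
    $lastWarning = null;
    // Capture the warning text instead of letting it go to the log.
    set_error_handler(function ($errno, $errstr) use (&$lastWarning) {
        $lastWarning = $errstr;
        return true;
    });
    $result = 'ok';
    $font = imagepsloadfont($fontPath);
    if ($font === false) {
        $result = 'error:' . $lastWarning;
    } else {
        $im    = imagecreatetruecolor(200, 50);
        $white = imagecolorallocate($im, 255, 255, 255);
        $black = imagecolorallocate($im, 0, 0, 0);
        // A valid call: 4 anti-aliasing steps, exactly as documented.
        $box = imagepstext($im, 'probe', $font, 24, $black, $white, 10, 40,
                           0, 0, 0.0, safe_aa_steps(4));
        if ($box === false) {
            $result = (strpos((string) $lastWarning, 'AA steps') !== false)
                ? 'broken'
                : 'error:' . $lastWarning;
        }
        imagepsfreefont($font);
        imagedestroy($im);
    }
    restore_error_handler();
    return $result;
}

// Placeholder font path; substitute any Type 1 (.pfb/.pfa) font on the host.
echo probe_imagepstext('/usr/share/fonts/type1/example.pfb'), "\n";
```

A result of 'broken' on a 5.3.4 or 5.3.5 build is the regression described above (r306075 without r306234); 'unavailable' corresponds to the Red Hat Enterprise Linux builds, which lack t1lib support and are therefore not affected.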