Bug 680972 (CVE-2011-0708)

Summary: CVE-2011-0708 php: buffer over-read in Exif extension
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: David Kutálek <dkutalek>
Severity: low
Priority: low
Version: unspecified
CC: dkutalek, fedora, jorton, redhat-bugzilla, rpm, vdanen, vvitek
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-01-30 18:45:08 UTC
Bug Depends On: 740731, 740732, 740733, 740734, 768025, 769756, 769761, 831135
Bug Blocks: 715030, 750552

Description Tomas Hoger 2011-02-28 16:51:52 UTC
An insufficient input validation flaw was discovered in PHP's Exif extension, which extracts Exif data from image files:
  http://thread.gmane.org/gmane.comp.security.oss.general/4198

An integer overflow causes PHP to not validate offsets read from the file properly, causing it to read beyond the end of the buffer.  This leads to a PHP interpreter crash when reading specially crafted Exif data.

Before the code over-reading the buffer is reached, PHP needs to allocate a large amount of memory (based on the components / length value read from the file).  This attempt triggers the integer overflow check in safe_emalloc on 32bit platforms and requires the memory_limit for the script to be set to -1 (i.e. no limit is enforced by PHP) on 64bit platforms.

Upstream commits, which include reproducers:
  http://svn.php.net/viewvc?view=revision&revision=308316
  http://svn.php.net/viewvc?view=revision&revision=308317

The follow-up commit replaces the use of a hard-coded numeric constant with INT32_MAX:
  http://svn.php.net/viewvc?view=revision&revision=308362

This fix should first appear in upstream version 5.3.6.
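As an added illustration (not PHP's exif.c and not code from the bug report), the overflow-prone bounds check described above next to a form that cannot wrap. The IFD entry model and the function names are hypothetical; the constructed entries mirror the "components / length value" case and the wrapped-offset case.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, minimal model of an Exif IFD entry: a component count,
 * the byte size of one component, and an offset into the data buffer.
 * Hypothetical layout, not PHP's exif.c structures. */
struct ifd_entry {
    uint32_t components;
    uint32_t comp_size;   /* bytes per component */
    uint32_t offset;      /* where the data starts in the buffer */
};

/* Vulnerable pattern: byte_count is computed in 32 bits and wraps, and
 * offset + byte_count wraps as well, so an out-of-range entry passes
 * the check and the subsequent read runs beyond the buffer. */
int entry_in_bounds_vuln(const struct ifd_entry *e, uint32_t buf_len) {
    uint32_t byte_count = e->components * e->comp_size;  /* can wrap */
    return (e->offset + byte_count) <= buf_len;          /* can wrap */
}

/* Hardened pattern: refuse counts that cannot fit below INT32_MAX (the
 * kind of limit the follow-up commit introduces) and compare by
 * subtraction so no addition can wrap. */
int entry_in_bounds_fixed(const struct ifd_entry *e, uint32_t buf_len) {
    if (e->comp_size == 0 ||
        e->components > (uint32_t)INT32_MAX / e->comp_size)
        return 0;                                  /* byte_count would overflow */
    uint32_t byte_count = e->components * e->comp_size;
    if (e->offset > buf_len)
        return 0;                                  /* offset past the end */
    return byte_count <= buf_len - e->offset;      /* no wrap possible */
}

int main(void) {
    const uint32_t buf_len = 64;                   /* constructed buffer size */
    struct ifd_entry ok    = { 4, 2, 8 };          /* 8 bytes at offset 8 */
    struct ifd_entry huge  = { 0x80000000u, 2, 8 };/* count*size wraps to 0 */
    struct ifd_entry far   = { 1, 4, 0xFFFFFFFEu };/* offset+4 wraps to 2 */
    printf("ok:   vuln=%d fixed=%d\n", entry_in_bounds_vuln(&ok, buf_len),
           entry_in_bounds_fixed(&ok, buf_len));
    printf("huge: vuln=%d fixed=%d\n", entry_in_bounds_vuln(&huge, buf_len),
           entry_in_bounds_fixed(&huge, buf_len));
    printf("far:  vuln=%d fixed=%d\n", entry_in_bounds_vuln(&far, buf_len),
           entry_in_bounds_fixed(&far, buf_len));
    return 0;
}
```

On a 32-bit build the wrapped byte_count is what later feeds the allocator; the page notes that safe_emalloc's own overflow check catches that step there, while 64-bit builds with memory_limit=-1 proceed to the over-read.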

Comment 4 errata-xmlrpc 2011-11-02 22:24:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html

Comment 5 Vincent Danen 2011-11-02 23:00:38 UTC
Statement:

(none)

Comment 11 Huzaifa S. Sidhpurwala 2012-01-17 04:09:44 UTC
This issue did not affect the version of php as shipped with Fedora 15 and Fedora 16.

Comment 12 errata-xmlrpc 2012-01-18 18:44:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0033 https://rhn.redhat.com/errata/RHSA-2012-0033.html

Comment 13 errata-xmlrpc 2012-01-30 18:18:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0071 https://rhn.redhat.com/errata/RHSA-2012-0071.html