A heap overflow vulnerability in PHP 5.5.0 and later was reported [1] in PHP's imagecrop() function. In code that used the imagecrop() function to crop untrusted images, this vulnerability could cause a crash of the script or, possibly, the execution of arbitrary code as the user running the PHP script. This has been corrected in PHP 5.5.9 [2].

[1] https://bugs.php.net/bug.php?id=66356
[2] http://git.php.net/?p=php-src.git;a=commitdiff;h=8f4a5373bb71590352fd934028d6dde5bc18530b

External References:
http://www.php.net/ChangeLog-5.php#5.5.9
Not vulnerable. This issue did not affect the versions of php or php53 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the vulnerable function (it was introduced in PHP 5.5.0).
PHP 5.5.9 is currently in Fedora 20 and Fedora 19-testing, so not filing additional tracking bugs there.
HackerOne report: https://hackerone.com/reports/1356
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7327 to the following vulnerability:

Name: CVE-2013-7327
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7327
Assigned: 20140218
Reference: http://git.php.net/?p=php-src.git;a=commit;h=8f4a5373bb71590352fd934028d6dde5bc18530b
Reference: https://bugs.php.net/bug.php?id=66356
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1065108

The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7328 to the following vulnerability:

Name: CVE-2013-7328
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7328
Assigned: 20140218
Reference: http://git.php.net/?p=php-src.git;a=commit;h=8f4a5373bb71590352fd934028d6dde5bc18530b
Reference: https://bugs.php.net/bug.php?id=66356
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1065108

Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226.
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2020 to the following vulnerability:

Name: CVE-2014-2020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2020
Assigned: 20140218
Reference: https://bugs.php.net/bug.php?id=66356
Reference: https://github.com/php/php-src/commit/2938329ce19cb8c4197dec146c3ec887c6f61d01

ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which might allow remote attackers to obtain sensitive information by using a (1) string or (2) array data type in place of a numeric data type, as demonstrated by an imagecrop function call with a string for the x dimension value, a different vulnerability than CVE-2013-7226.
I'm not sure why MITRE turned one issue into four, but as these all affect the same versions (5.5.0 through to and including 5.5.8, fixed in 5.5.9), and as none of these affect anything we support, it's safe enough to put them all in one bug that doesn't affect us.
For completeness, this is the official CVE description for CVE-2013-7226: Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a heap-based buffer overflow.
(In reply to Vincent Danen from comment #11)
> I'm not sure why MITRE turned one issue into four, but as these all affect
> the same versions (5.5.0 through to and including 5.5.8, fixed in 5.5.9)

The split here does not seem too surprising. The reported issues actually affect 2 components - the php gd extension and the libgd library that is bundled with php. Issues in the libgd may possibly affect the standalone gd library.

There are two upstream commits:

- libgd part (linked in comment 0):
  http://git.php.net/?p=php-src.git;a=commitdiff;h=8f4a5373bb71590352fd934028d6dde5bc18530b
  This covers: CVE-2013-7226, CVE-2013-7327, CVE-2013-7328
  Note that the CVE description for these says "gdImageCrop function in ext/gd/gd.c", while it should be "gdImageCrop function in ext/gd/libgd/gd_crop.c".

- php gd extension part:
  http://git.php.net/?p=php-src.git;a=commitdiff;h=2938329ce19cb8c4197dec146c3ec887c6f61d01
  This is CVE-2014-2020

It can be argued if 3 separate ids were needed for libgd, but the split seems consistent with CVE content decisions, where different flaw types imply a split.
(In reply to Tomas Hoger from comment #13)
> Issues in the libgd may possibly affect standalone gd library.

None of the issues actually affect upstream libgd 2.1.0, where gdImageCrop() is implemented as a thin wrapper around gdImageCopy():
https://bitbucket.org/libgd/gd-libgd/src/9f0a7e7/src/gd_crop.c#cl-21

The gd versions as shipped in Red Hat Enterprise Linux 5 and 6, and Fedora up to version 19, include gd 2.0.35 or earlier. These versions do not implement gdImageCrop() at all. gdImageCrop() was added in libgd upstream via this commit:
https://bitbucket.org/libgd/gd-libgd/commits/f67452e

That version did not include a proper NULL check and hence was affected by the problems described in CVE-2013-7327. The NULL check was added in this commit:
https://bitbucket.org/libgd/gd-libgd/commits/02ae7c2

Fedora 20 includes gd-2.1.0, which has the NULL check.

gdImageCopy() uses gdImageGetPixel() and gdImageSetPixel() internally, which already implement checks (using gdImageBoundsSafeMacro()) to avoid out of bounds access and are not affected by CVE-2013-7226 and CVE-2013-7328.
(In reply to Vincent Danen from comment #10)
> Name: CVE-2014-2020
>
> ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which
> might allow remote attackers to obtain sensitive information by using
> a (1) string or (2) array data type in place of a numeric data type,
> as demonstrated by an imagecrop function call with a string for the x
> dimension value, a different vulnerability than CVE-2013-7226.

This looks more like a bug than a security flaw. This can easily be triggered by the script author, but with the removal of safe mode in PHP 5.4, it does not seem PHP attempts to provide protections against malicious script authors any more.

A leak or crash is likely to be triggered remotely if values from $_GET or $_POST are directly passed to imagecrop(). However, the problem caused by that is unlikely to go unnoticed if a script doing so is tested. The test case used in the upstream report has:

imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10))

using the string "a" as the value for x in the crop rectangle. However, even a string representing a numeric value such as "0" triggers the crash. Hence using $_GET['x'] would trigger the crash with a non-malicious x in the request; using e.g. intval($_GET['x']) was required.
(In reply to Vincent Danen from comment #8)
> Name: CVE-2013-7327
>
> The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does
> not check return values, which allows remote attackers to cause a
> denial of service (application crash) or possibly have unspecified
> other impact via invalid imagecrop arguments that lead to use of a
> NULL pointer as a return value, a different vulnerability than
> CVE-2013-7226.

The fix for this issue is incomplete. It is still possible to trigger a NULL pointer dereference using crop rectangle width and height values that cause an integer overflow when multiplied. gd detects that and gdImageCreate*() returns NULL. That return value is only checked after use (in gdImageSaveAlpha() / gdImagePaletteCopy()).

Reported upstream in:
https://bugs.php.net/bug.php?id=66815

Test case:
imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535));
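The two comments above describe what the affected imagecrop() did not check for: non-numeric rectangle values (CVE-2014-2020), negative offsets (CVE-2013-7328), a rectangle reaching outside the image (CVE-2013-7226), and a width*height product that overflows so gdImageCreate*() returns NULL (bug #66815). The wrapper below enforces all of those before the call reaches GD. It is an added example written for this page, not code from the bug report, PHP or libgd; the function name safe_imagecrop() is hypothetical, and the inputs fed to it are the two test cases quoted in this thread plus a constructed valid one.

```php
<?php
// Added example (not from the bug report): validate a crop rectangle before
// handing it to imagecrop(). The checks mirror the gaps described in this
// thread for PHP 5.5.0 through 5.5.8.
function safe_imagecrop($img, array $rect)
{
    foreach (array('x', 'y', 'width', 'height') as $key) {
        // Reject missing keys, arrays, and anything that is not a genuine
        // integer. filter_var() is used instead of intval() because intval()
        // would silently turn "a" into 0 and hide the bad input.
        if (!isset($rect[$key]) || !is_scalar($rect[$key])
            || filter_var($rect[$key], FILTER_VALIDATE_INT) === false) {
            return false;
        }
        $rect[$key] = (int) $rect[$key];
    }

    $srcW = imagesx($img);
    $srcH = imagesy($img);

    // Negative offsets and empty rectangles are rejected outright.
    if ($rect['x'] < 0 || $rect['y'] < 0
        || $rect['width'] <= 0 || $rect['height'] <= 0) {
        return false;
    }

    // The rectangle must lie fully inside the source image. This also bounds
    // width and height by the source dimensions, so their product cannot
    // overflow the 32-bit int that gdImageCreate*() checks against.
    if ($rect['x'] + $rect['width'] > $srcW
        || $rect['y'] + $rect['height'] > $srcH) {
        return false;
    }

    return imagecrop($img, $rect);
}

// Constructed usage: a 100x100 canvas and the inputs quoted in this thread.
$img = imagecreatetruecolor(100, 100);

// String "a" for x (CVE-2014-2020 test case): rejected before GD is called.
$r1 = safe_imagecrop($img, array('x' => 'a', 'y' => 0, 'width' => 10, 'height' => 10));

// 65535 x 65535 (bug #66815 test case): rejected because it exceeds the image.
$r2 = safe_imagecrop($img, array('x' => 0, 'y' => 0, 'width' => 65535, 'height' => 65535));

// A well-formed in-bounds rectangle goes through to imagecrop().
$r3 = safe_imagecrop($img, array('x' => 10, 'y' => 10, 'width' => 20, 'height' => 20));

var_dump($r1 === false, $r2 === false, $r3 !== false && imagesx($r3) === 20);
```

The in-bounds check is what closes the overflow case without any explicit arithmetic on width*height: once both dimensions are capped by the source image, the product is capped by the source image's own pixel count, which GD already allocated successfully. The wrapper returns false on bad input rather than clamping it, so a request carrying a string or an oversized rectangle is visible to the caller instead of being silently reinterpreted.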
Statement CVE-2014-2020:

Not vulnerable. This issue did not affect the versions of php or php53 as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of php54-php as shipped with Red Hat Software Collections 1, as they did not include the vulnerable function (it was introduced in PHP 5.5.0).

Statement CVE-2013-7226, CVE-2013-7327, CVE-2013-7328:

Not vulnerable. This issue did not affect the versions of php or php53 as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of php54-php as shipped with Red Hat Software Collections 1, as they did not include the vulnerable function (it was introduced in PHP 5.5.0). This issue also did not affect the versions of gd as shipped with Red Hat Enterprise Linux 5 and 6.
(In reply to Tomas Hoger from comment #16)
> Fix for this issue in incomplete. It is still possible to trigger NULL
> pointer dereference using crop rectangle width and height values that cause
> integer overflow when multiplied. gd detect that and gdImageCreate*()
> return NULL. That return value is only checked after use (in
> gdImageSaveAlpha() / gdImagePaletteCopy()).
>
> Reported upstream in:
> https://bugs.php.net/bug.php?id=66815

The upstream bug is now public, and the issue is fixed in 5.5.10:
http://www.php.net/ChangeLog-5.php#5.5.10

Upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=af09d8b96a8aacdd7d738fec81b695c1c58368f7