It was reported [1] that the gdImageCreateFromXpm() function in libgd could dereference a NULL pointer, noting: "The call to strlen() parses image.colorTable[i].c_color which is initialised as NULL if the particular color mapping uses a different key (such as monochrome/monovisual)." This was reported against PHP, which includes an embedded copy of the gd library. CVE-2014-2497 was assigned to this issue [2].

[1] https://bugs.php.net/bug.php?id=66901
[2] http://seclists.org/oss-sec/2014/q1/580
Note that the PHP bug includes a reproducer, but it does not seem to work with the versions I've tried (it notes version 5.4.17, I tried with 5.4.25 and 5.3.3):

$ echo '<?php print imagecreatefromxpm("monochrome-poc.xpm")."\n"; ?>'|php
Warning: imagecreatefromxpm(): 'monochrome-poc.xpm' is not a valid XPM file in - on line 1
$ file monochrome-poc.xpm
monochrome-poc.xpm: X pixmap image text

It's possible that I did something wrong; I just cut-n-pasted the reproducer from the upstream bug and I did not spend much time trying, so the bug is filed due to the CVE assignment.
Created attachment 874847: reproducer.xpm

This (correct) reproducer raises the segfault, tested with php 5.5.10 (and system gd 2.1).

php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
Thanks, Remi. That is perfect.
Based on this reproducer, this affects php53 on Red Hat Enterprise Linux 5, but not php (5.1) as it is not built with xpm support:

% echo "<?php var_dump(gd_info()); ?>"|php
array(12) {
  ["GD Version"]=>
  string(27) "bundled (2.0.28 compatible)"
  ["FreeType Support"]=>
  bool(true)
  ["FreeType Linkage"]=>
  string(13) "with freetype"
  ["T1Lib Support"]=>
  bool(false)
  ["GIF Read Support"]=>
  bool(true)
  ["GIF Create Support"]=>
  bool(true)
  ["JPG Support"]=>
  bool(true)
  ["PNG Support"]=>
  bool(true)
  ["WBMP Support"]=>
  bool(true)
  ["XPM Support"]=>
  bool(false)
  ["XBM Support"]=>
  bool(true)
  ["JIS-mapped Japanese Font Support"]=>
  bool(false)
}
% rpm -q php-gd
php-gd-5.1.6-43.el5_10
Summary of what is affected:

- php in Red Hat Enterprise Linux 5 is not affected (XPM support is disabled as noted in comment 4)
- php53 in Red Hat Enterprise Linux 5, php in Red Hat Enterprise Linux 6, php54-php in Red Hat Software Collections 1, and php packages in Fedora are affected
- gd in Red Hat Enterprise Linux 5 and 6, and gd packages in Fedora are affected
- libwmf packages in Red Hat Enterprise Linux 5 and 6, and libwmf packages in Fedora are not affected. Red Hat Enterprise Linux 5 libwmf packages have bundled gd built without xpm support. The libwmf packages in Red Hat Enterprise Linux 6 and later (including Fedora) have the whole gdImageCreateFromXpm() disabled (#if 0) via the libwmf-0.2.8.4-reducesymbols.patch:
  http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-reducesymbols.patch?id=916cd2c#n467
Statement: This issue affects the versions of gd as shipped with Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has not been fixed in the libgd version bundled in PHP. It still seems to affect current upstream libgd 2.1.0, and there's no libgd upstream fix yet either.
Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1080168]
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1080167]
GD upstream fix:
https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704

PHP upstream fix (will be in 5.4.32, 5.5.16):
http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
gd-2.1.0-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This is corrected in upstream PHP 5.5.16:
http://php.net/ChangeLog-5.php#5.5.16
php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Issue Description: A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
Why does the gd-2.1.0-color_c_null_pointer.patch in Fedora match neither the PHP patch nor the upstream libgd patch?
More importantly, the Fedora patch introduces a memory leak, AFAICS. colors[] is not freed if the error is hit. CCing patch author for comments.
IIRC, the patch applied in Fedora was the one attached to the initial upstream bug report. Yes, this patch introduces a memory leak (while the upstream patch doesn't). gd 2.1.1 should have been released a long time ago :( I hope it will be very soon (some other important fixes are in this bugfix release).
Thanks for spotting this. I have updated the Fedora package to use the upstream patch and tested it for the memory leak.
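As an added illustration of the two defects discussed in this thread (the strlen() on a NULL c_color from comment 1, and the colors[] leak on the error path raised in the last two comments), here is a simplified colour-table loop. It is constructed for this page, not libgd's, PHP's or Fedora's code; the xpm_color_t/xpm_image_t types, map_xpm_colors() and demo_map() are hypothetical stand-ins, and only "#RRGGBB" entries are accepted to keep it short.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the XPM colour-table types (constructed here, not
 * libgd's). An entry that gives its colour only under the "m" (monochrome) key
 * has c_color left NULL, which is what the reproducer exercises. */
typedef struct {
    const char *c_color;   /* "c" key: colour-visual value, may be NULL */
    const char *m_color;   /* "m" key: monochrome fallback */
} xpm_color_t;
typedef struct { int ncolors; xpm_color_t *colorTable; } xpm_image_t;

/* Maps each "#RRGGBB" entry to a palette value. Returns the count on success
 * (caller frees *out) or -1 on error, releasing colors[] on every error path. */
int map_xpm_colors(const xpm_image_t *image, int **out)
{
    int *colors = calloc((size_t)image->ncolors, sizeof *colors);
    if (colors == NULL)
        return -1;
    for (int i = 0; i < image->ncolors; i++) {
        const char *c = image->colorTable[i].c_color;
        /* CVE-2014-2497: strlen(c) with c == NULL is the crash. The leaking
         * patch discussed above returned here without the free() below. */
        if (c == NULL || strlen(c) != 7 || c[0] != '#') {
            free(colors);
            return -1;
        }
        colors[i] = (int)strtol(c + 1, NULL, 16);
    }
    *out = colors;
    return image->ncolors;
}

/* Constructed samples. With null_second set, the second entry has only a
 * monochrome key (the reproducer's shape) and -1 is returned; otherwise the
 * second mapped palette value (0x00ff00) is returned. */
int demo_map(int null_second)
{
    xpm_color_t tbl[] = { { "#ff0000", NULL }, { "#00ff00", NULL } };
    if (null_second) { tbl[1].c_color = NULL; tbl[1].m_color = "black"; }
    xpm_image_t img = { 2, tbl };
    int *out = NULL;
    if (map_xpm_colors(&img, &out) != 2)
        return -1;
    int v = out[1];
    free(out);
    return v;
}
```

Running demo_map(1) under valgrind or ASan is the check the thread asked for: the rejected entry must return -1 with no leaked colors[] block.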
gd-2.1.0-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
gd-2.1.0-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.