Bug 1132793 – CVE-2014-5120 php: gd extension NUL byte injection in file names

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1132793 - (CVE-2014-5120) CVE-2014-5120 php: gd extension NUL byte injection in file names

Summary:	CVE-2014-5120 php: gd extension NUL byte injection in file names

Status:	CLOSED ERRATA

Aliases:	CVE-2014-5120

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140731,repor...
Keywords:	Security

Depends On:	1132794 1140026 1140027 1149762 1149771
Blocks:	1132795 1138881 1149858
	Show dependency tree / graph

Reported:	2014-08-22 01:10 EDT by Murray McAllister
Modified:	2015-11-25 05:12 EST (History)
CC List:	13 users (show)

See Also:
Fixed In Version:	php 5.5.16, php 5.4.32
Doc Type:	Bug Fix
Doc Text:	It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-10-31 06:26:18 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1327	normal	SHIPPED_LIVE	Moderate: php security update	2014-09-30 09:09:42 EDT
Red Hat Product Errata	RHSA-2014:1765	normal	SHIPPED_LIVE	Important: php54-php security update	2014-10-30 19:45:24 EDT
Red Hat Product Errata	RHSA-2014:1766	normal	SHIPPED_LIVE	Important: php55-php security update	2014-10-30 19:45:12 EDT

Groups: None (edit)

Description Murray McAllister 2014-08-22 01:10:07 EDT

The PHP 5.4.32 releases fixes an issue in its embedded copy of the gd library. When using certain image handling functions, if an attacker can supply a path containing a NUL byte, it would terminate the path early, possibly leading to an unexpected file being overwritten.

The upstream bug notes this issue was introduced in PHP version 5.4.

From an initial code review it looks less likely that the gd library package is affected.

References:

http://php.net/ChangeLog-5.php#5.4.32
https://bugs.php.net/bug.php?id=67730
https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest

Comment 1 Murray McAllister 2014-08-22 01:11:13 EDT

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1132794]

Comment 2 Vincent Danen 2014-08-22 14:57:02 EDT

This is corrected in upstream PHP 5.5.16:

http://php.net/ChangeLog-5.php#5.5.16

Comment 3 Fedora Update System 2014-09-02 02:40:48 EDT

php-5.5.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-09-02 02:47:52 EDT

php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2014-09-04 11:13:56 EDT

Upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=1daa4c0090b7cd8178dcaa96287234c69ac6ca18

Comment 6 Tomas Hoger 2014-09-04 11:15:31 EDT

This isn't GD issue, but PHP GD extension issue.

Comment 7 Tomas Hoger 2014-09-04 11:25:03 EDT

(In reply to Murray McAllister from comment #0)
> The upstream bug notes this issue was introduced in PHP version 5.4.

This issue existed in earlier PHP versions too, but was corrected as part of CVE-2006-7243 (bug 662707).  Hence this issue is corrected in all php packages in Red Hat Enterprise Linux 5 and 6.

It seems the fix was not correctly merged to 5.4 branch upstream, leading to regression of the fix in upstream PHP 5.4 versions.

The php packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream 5.4 or 5.5 and are therefore affected.

Comment 8 Tomas Hoger 2014-09-04 14:52:23 EDT

(In reply to Tomas Hoger from comment #7)
> It seems the fix was not correctly merged to 5.4 branch upstream, leading to
> regression of the fix in upstream PHP 5.4 versions.

The fix for CVE-2006-7243 that was applied to PHP 5.4 was different from the fix applied to 5.3.  The internal zend_parse_parameters() function was extended to add support for a new type specifier 'p' (specifier meant for use for parsing string arguments that will be used as file paths) that differs from the 's' (specifier used for parsing string function arguments) specifier previously used to parse file name arguments by ensuring returned value does not contain any embedded NUL character.

In case of GD extension, such change was properly applied to code paths used by imagegd, imagegd2 and imagexbm functions.  However, the code path used by remaining functions (imagegif, imagejpeg, imagepng, imagewbmp, imagewebp) was not corrected.  PHP applications using one of the above functions can be affected by this issue.

For reference, I'm adding links to CVE-2006-7243 patches in 5.4 and 5.3:

5.4  http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a
5.3  http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6

Comment 12 Vincent Danen 2014-09-18 18:05:30 EDT

Statement:

This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as part of the fix for CVE-2006-7243.

Comment 13 Martin Prpič 2014-09-25 08:13:43 EDT

IssueDescription:

It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.

Comment 14 errata-xmlrpc 2014-09-30 05:10:16 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html

Comment 17 errata-xmlrpc 2014-10-30 15:46:41 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 18 errata-xmlrpc 2014-10-30 15:49:02 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Note You need to log in before you can comment on or make changes to this bug.