Bug 1297717 - (CVE-2016-1903) CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151126,repor...
: Security
Depends On: 1297718
Blocks: 1297732
  Show dependency treegraph
 
Reported: 2016-01-12 05:06 EST by Adam Mariš
Modified: 2016-11-15 08:46 EST (History)
16 users (show)

See Also:
Fixed In Version: php 5.5.31, php 5.6.17
Doc Type: Bug Fix
Doc Text:
A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-03 08:03:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-01-12 05:06:15 EST
In function:

resource imagerotate ( resource $image , float $angle , int $bgd_color [, int $ignore_transparent = 0 ] )

$bgd_color specifies the background color of an image. This is passed in as an integer that represents an index to the color palette. It was found that there is a lack of validation on $bgd_color. One can pass in a large number that exceeds the color palette array, which results in out-of-bounds memory read beyond the color palette. Information of the memory leak can then be obtained via the background color after the image has been rotated.

Upstream patches:

-> original fix
https://github.com/php/php-src/commit/4bb422343f29f06b7081323844d9b52e1a71e4a5
-> improvement
https://github.com/php/php-src/commit/2baeb167a08b0186a885208bdc8b5871f1681dc8
-> final correction, includes the reverse of the 2 above :
https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4

Upstream bug (contains reproducer):

https://bugs.php.net/bug.php?id=70976
Comment 1 Adam Mariš 2016-01-12 05:06:48 EST
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1297718]
Comment 2 Remi Collet 2016-01-12 06:56:58 EST
This issue only affects PHP 5.5+ with bundled libgd >= 2.1

So it doesn't affects PHP 5.3 (RHEL-6) OR php 5.4 (RHEL-7)
Comment 7 errata-xmlrpc 2016-11-15 06:49:11 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html

Note You need to log in before you can comment on or make changes to this bug.