Bug 1336772 – CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1336772 - (CVE-2015-8874) CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow

Summary:	CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow

Status:	CLOSED ERRATA

Aliases:	CVE-2015-8874

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20150602,reported=2...
Keywords:	Security

Depends On:
Blocks:	1336786
	Show dependency tree / graph

Reported:	2016-05-17 08:30 EDT by Andrej Nemec
Modified:	2016-11-15 09:33 EST (History)
CC List:	18 users (show)

See Also:
Fixed In Version:	php 5.6.12, php 5.5.37
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-05-19 16:42:16 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2750	normal	SHIPPED_LIVE	Moderate: rh-php56 security, bug fix, and enhancement update	2016-11-15 11:40:02 EST

Groups: None (edit)

Description Andrej Nemec 2016-05-17 08:30:07 EDT

Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.

Upstream bug:

https://bugs.php.net/bug.php?id=66387

Comment 1 Andrej Nemec 2016-05-17 08:30:59 EDT

Upstream fix:

http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384

Comment 2 Tomas Hoger 2016-05-19 16:23:35 EDT

This is not PHP flaw, but rather gd/libgd flaw.  PHP embeds the gd library as part of its gd extension.  Upstream gd bug report is still unresolved.  Apparently, the issue is not yet resolved in any released gd version.

https://github.com/libgd/libgd/issues/178

Additionally, in gd itself, both large positive and large negative coordinate can trigger deep recursion leading to stack overflow and crash.

Comment 4 Tomas Hoger 2016-05-19 16:42:16 EDT

This has limited impact (crash), and is triggered if gdImageFillToBorder (libgd) or imagefilltoborder (php) function is called with starting coordinate outside the image boundaries, and the function is not very likely to get called with coordinate from untrusted source.  There is currently no plan to backport the fix to PHP packages in Red Hat products.

Comment 5 Tomas Hoger 2016-05-19 16:45:07 EDT

PHP patch that added upper boundary:

http://git.php.net/?p=php-src.git;a=commitdiff;h=feba44546c27b0158f9ac20e72040a224b918c75
https://bugs.php.net/bug.php?id=22965

Comment 6 errata-xmlrpc 2016-11-15 06:52:14 EST

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html

Note You need to log in before you can comment on or make changes to this bug.