Bug 1336772 (CVE-2015-8874) - CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
Summary: CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
Status: CLOSED ERRATA
Alias: CVE-2015-8874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150602,reported=2...
Keywords: Security
Depends On:
Blocks: 1336786
TreeView+ depends on / blocked
 
Reported: 2016-05-17 12:30 UTC by Andrej Nemec
Modified: 2019-06-08 21:12 UTC (History)
18 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-05-19 20:42:16 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2750 normal SHIPPED_LIVE Moderate: rh-php56 security, bug fix, and enhancement update 2016-11-15 16:40:02 UTC

Description Andrej Nemec 2016-05-17 12:30:07 UTC
Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.

Upstream bug:

https://bugs.php.net/bug.php?id=66387

Comment 2 Tomas Hoger 2016-05-19 20:23:35 UTC
This is not PHP flaw, but rather gd/libgd flaw.  PHP embeds the gd library as part of its gd extension.  Upstream gd bug report is still unresolved.  Apparently, the issue is not yet resolved in any released gd version.

https://github.com/libgd/libgd/issues/178

Additionally, in gd itself, both large positive and large negative coordinate can trigger deep recursion leading to stack overflow and crash.

Comment 4 Tomas Hoger 2016-05-19 20:42:16 UTC
This has limited impact (crash), and is triggered if gdImageFillToBorder (libgd) or imagefilltoborder (php) function is called with starting coordinate outside the image boundaries, and the function is not very likely to get called with coordinate from untrusted source.  There is currently no plan to backport the fix to PHP packages in Red Hat products.

Comment 6 errata-xmlrpc 2016-11-15 11:52:14 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html


Note You need to log in before you can comment on or make changes to this bug.