Bug 1359770 - php,gd: gdImageTrueColorToPaletteBody allows arbitrary write/read access
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1359837 1359839
Blocks: 1359830
Reported: 2016-07-25 12:24 UTC by Adam Mariš
Modified: 2019-09-29 13:53 UTC

Fixed In Version: php 5.5.38, php 5.6.24, php 7.0.9
Last Closed: 2016-08-12 05:43:39 UTC

Description Adam Mariš 2016-07-25 12:24:17 UTC
It was found that gdImageTrueColorToPaletteBody doesn't check for negative transparent colors while converting the image, which can lead to an arbitrary null write and an information leak.

Upstream bug:

https://bugs.php.net/bug.php?id=72512
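
The class of check this report says is missing, as an added C sketch (not libgd or PHP source, and not part of the original report): a signed transparent-color index is validated before it is used to index per-color arrays. The struct, function names and constants are hypothetical and simplified for illustration.

```c
#include <stdio.h>
#define PAL_MAX 256
#define ALPHA_TRANSPARENT 127       /* constructed constant for this sketch */

/* Hypothetical, simplified palette image; not libgd's gdImage layout. */
struct pal_image {
    int colors_total;               /* palette slots in use, 0..PAL_MAX */
    int transparent;                /* transparent palette index, -1 = none */
    unsigned char alpha[PAL_MAX];
    unsigned char open[PAL_MAX];
};

/* Unchecked form, kept only for contrast and never called here: a negative
 * idx makes both stores land in memory located before the arrays. */
void set_transparent_unchecked(struct pal_image *im, int idx)
{
    im->transparent = idx;
    im->open[idx] = 0;
    im->alpha[idx] = ALPHA_TRANSPARENT;
}

/* Checked form: returns 0 on success, -1 when idx is rejected. */
int set_transparent_checked(struct pal_image *im, int idx)
{
    if (im->colors_total < 0 || im->colors_total > PAL_MAX)
        return -1;                  /* image header itself is inconsistent */
    if (idx == -1) {                /* "no transparent color" sentinel */
        im->transparent = -1;
        return 0;
    }
    if (idx < 0 || idx >= im->colors_total)
        return -1;                  /* negative, or past the used palette */
    im->transparent = idx;
    im->open[idx] = 0;
    im->alpha[idx] = ALPHA_TRANSPARENT;
    return 0;
}

int main(void)
{
    struct pal_image im = { .colors_total = 4, .transparent = -1 };
    for (int idx = -2; idx <= 4; idx++)   /* constructed sample indices */
        printf("idx %d -> %d\n", idx, set_transparent_checked(&im, idx));
    return 0;
}
```
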

Comment 1 Adam Mariš 2016-07-25 14:12:04 UTC
Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1359839]

Comment 2 Adam Mariš 2016-07-25 14:12:14 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1359837]

Comment 3 Huzaifa S. Sidhpurwala 2016-08-12 05:43:39 UTC
Analysis:

As per upstream: 

"Not sure how exploitable this is... theoretically could be if somebody had online image editor, etc. though it's a bit far-reaching by this point..."

This flaw can only be exploited if some kind of special image wrangling is done by the PHP script, based on attacker input.

Based on the above, the Red Hat Product Security Team does not consider this a security flaw.

