Bug 1609637 - (CVE-2018-14883) CVE-2018-14883 php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20180607,reported=2...
: Security
Depends On: 1609638 1609639
Blocks: 1609640
Reported: 2018-07-30 01:24 EDT by Sam Fowler
Modified: 2018-08-12 22:38 EDT (History)
Fixed In Version: php 5.6.37, php 7.0.31, php 7.1.20, php 7.2.8
Last Closed: 2018-08-02 11:19:06 EDT
Description Sam Fowler 2018-07-30 01:24:33 EDT
PHP before versions 5.6.37, 7.0.31, 7.1.20 and 7.2.8 is vulnerable to an integer overflow with subsequent heap-based buffer overflow in the exif.c:exif_thumbnail_extract() function. An attacker could exploit this to cause a denial of service via a crafted file.


Upstream Bug:

https://bugs.php.net/bug.php?id=76423


Upstream Patch:

http://git.php.net/?p=php-src.git;a=commit;h=1baeae42703f9b2ec21fff787146eeca08d45535
Comment 1 Sam Fowler 2018-07-30 01:25:02 EDT
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1609638]
Comment 4 Tomas Hoger 2018-08-02 08:29:58 EDT
As noted in comment 0, there is an integer overflow in the exif_thumbnail_extract() function that leads to an out-of-bounds buffer read. This may possibly lead to a crash or limited memory disclosure.

The integer overflow is in the check:

  if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {

There are limits on the maximum values of offset (0xffffffff) and size (0xffff) and therefore the overflow only happens on 32-bit builds. Therefore, this does not affect PHP packages as shipped with Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7, as those products only include 64-bit builds of PHP.

The size of the out-of-bounds read is determined by the size variable, and hence is limited to 64k bytes.
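As an added illustration of the wrap described in this comment (this is not code from the PHP source, the upstream patch or this bug), the quoted check is computed in 32-bit unsigned arithmetic next to an overflow-safe subtraction form; the field types, the helper names and the sample length are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the two thumbnail fields named in comment 4. uint32_t is
 * used so the arithmetic behaves as on a 32-bit build, where the sum wraps. */
typedef struct {
    uint32_t offset;   /* at most 0xffffffff per comment 4 */
    uint32_t size;     /* at most 0xffff per comment 4 */
} thumb_t;

/* The bounds check as quoted in comment 4, evaluated in 32-bit arithmetic.
 * Returns true when the thumbnail read is rejected. */
bool rejects_wrapping(thumb_t t, uint32_t length) {
    uint32_t end = t.offset + t.size;  /* wraps when offset + size >= 2^32 */
    return end > length;
}

/* Overflow-safe form (an assumed hardening, not the upstream patch text):
 * never compute offset + size; compare against the remaining room instead. */
bool rejects_safe(thumb_t t, uint32_t length) {
    return t.size > length || t.offset > length - t.size;
}

/* Bytes the wrapping check would let a read run past a buffer of `length`
 * bytes (0 when rejected or in bounds). Never exceeds size, i.e. 64 KiB. */
uint32_t overread_bytes(thumb_t t, uint32_t length) {
    if (rejects_wrapping(t, length)) return 0;
    if (t.offset >= length) return t.size;           /* whole read is outside */
    uint64_t end = (uint64_t)t.offset + t.size;       /* true end, no wrap */
    return end > length ? (uint32_t)(end - length) : 0;
}

int main(void) {
    /* Constructed sample: a 100000-byte file with wrapped offset/size. */
    thumb_t bad = { 0xffffffffu, 0xffffu };
    uint32_t length = 100000u;
    printf("wrapping check rejects: %d\n", rejects_wrapping(bad, length));
    printf("safe check rejects:     %d\n", rejects_safe(bad, length));
    printf("bytes read out of bounds: %u\n", overread_bytes(bad, length));
    return 0;
}
```

The wrapped sum 0xffffffff + 0xffff becomes 0xfffe, which passes the quoted check while the subtraction form rejects it.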
Comment 5 Tomas Hoger 2018-08-02 10:21:35 EDT
Note that the vulnerable code is only reached when extracting thumbnail data from images. That happens when using the exif_thumbnail() function, or when using exif_read_data() with its fourth argument set to True (the default is False).
Comment 6 Tomas Hoger 2018-08-02 11:13:38 EDT
In Red Hat PHP packages, the Exif extension is included in the php-common sub-package, which is installed with all PHP installations. For PHP versions before 5.5, the extension is compiled directly into PHP binaries. This was changed for PHP 5.5 packages and the Exif extension is now available as a loadable module:

https://src.fedoraproject.org/cgit/rpms/php.git/commit/?id=77d120e92be73a895596c27a32ede91112048914

Deployments that do not require the Exif extension and still want to ensure that the affected functionality cannot be used by accident can do one of the following:

* Prevent loading of the Exif extension (only in PHP 5.5 and later).  This can be achieved by modifying configuration file exif.ini or 20-exif.ini, located in the php.d configuration directory.  Depending on the packages, that directory can either be in /etc/php.d, or /etc/opt/rh/rh-php*/php.d or /opt/rh/php*/root/etc/php.d (for Red Hat Software Collections packages).  In the exif.ini file, comment out the following line:

  extension=exif.so

A PHP application trying to call any of the Exif module functions would get a "Call to undefined function" error.

* Disable relevant functions using the disable_functions configuration directive.  Locate the disable_functions configuration in the php.ini file (found in /etc/, /etc/opt/rh/rh-php*/ or /opt/rh/php*/root/etc/) and add relevant functions to the list.  The list is empty by default, so after the change, it should contain:

  disable_functions = exif_read_data, exif_thumbnail, read_exif_data

A PHP application trying to call one of the disabled functions would get an error such as "exif_read_data() has been disabled for security reasons".

For more information about disable_functions configuration directive see:

http://www.php.net/manual/en/ini.core.php#ini.disable-functions
