Hamid Ebadi reported a boundary condition flaw in PHP: Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image. Upstream fix: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.23&r2=1.90.2.1.2.24&sortby=date&diff_format=l Reproducer: http://downloads.securityfocus.com/vulnerabilities/exploits/33002.php http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php
Hamid Ebadi's advisory: http://www.milw0rm.com/exploits/7646 http://www.securiteam.com/unixfocus/6G00Y0ANFU.html
Created attachment 329104 [details] Simple PoC A local copy of: http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0338 https://rhn.redhat.com/errata/RHSA-2009-0338.html
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Via RHSA-2009:0337 https://rhn.redhat.com/errata/RHSA-2009-0337.html
This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.