Bug 670799 - (CVE-2010-4698) CVE-2010-4698 php: GD crash in imagepstext with invalid anti-aliasing argument
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
Whiteboard: impact=none,reported=20110118,public=...
Keywords: Security
Reported: 2011-01-19 07:40 EST by Tomas Hoger
Modified: 2015-08-19 05:02 EDT (History)

Doc Type: Bug Fix
Last Closed: 2011-01-19 09:18:08 EST
Description Tomas Hoger 2011-01-19 07:40:08 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4698 to the following issue:

Stack-based buffer overflow in the GD extension in PHP before 5.2.15
and 5.3.x before 5.3.4 allows context-dependent attackers to cause a
denial of service (application crash) via vectors related to the
imagepstext function and invalid anti-aliasing.

References:
http://bugs.php.net/53492 (currently not public)
http://www.php.net/ChangeLog-5.php#5.3.4
http://www.php.net/ChangeLog-5.php#5.2.15

Upstream commit:
http://svn.php.net/viewvc?view=revision&revision=306075
Comment 2 Tomas Hoger 2011-01-19 08:29:49 EST
(In reply to comment #0)
> Upstream commit:
> http://svn.php.net/viewvc?view=revision&revision=306075

And the correction of the initial commit:
http://svn.php.net/viewvc/?view=revision&revision=306234
Comment 3 Tomas Hoger 2011-01-19 09:18:08 EST
The PHP GD extension only provides the imagepstext() function when PHP was compiled with t1lib support. That is not the case for the PHP packages in Red Hat Enterprise Linux 4, 5 and 6, which are hence unaffected by this issue.

Fedora PHP packages are built with t1lib support. Stable Fedora versions are currently updated to PHP version 5.3.4, which has the stack-based buffer overflow fixed. However, 5.3.4 (and 5.3.5 too) only include the first fix, r306075, and do not yet provide the corrected fix, r306234. Due to the broken check, the imagepstext() function now always returns false and reports:

  PHP Warning:  imagepstext(): AA steps must be 4 or 16 in ..

It's also reasonable to assume that the antialias_steps parameter passed to the function does not come from untrusted input, even more so since the documentation explicitly lists 4 and 16 as the only valid values. Therefore, this issue is only likely to be relevant for safe_mode / open_basedir restriction bypasses (see also bug #169857).

Statement:

Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 4, 5, or 6.
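The argument check that comment 3 discusses, as an added example that is not PHP's or GD's code and not the upstream r306075/r306234 change itself: a fixed-size anti-aliasing table that is only safe to fill for the documented step counts, the validation that accepts exactly 4 and 16, and a hypothetical always-false form of the same check showing how a botched fix makes every imagepstext() call fail with the warning quoted in the comment. The table size, the blend formula and all function names are assumptions made for the illustration.

```c
#include <stdio.h>

/*
 * Constructed illustration, not code from PHP or GD: assume imagepstext()
 * keeps a small fixed-size anti-aliasing table on the stack and fills as
 * many entries as the caller's antialias_steps argument says. The documented
 * valid values are 4 and 16; any count larger than the table would run off
 * its end, which is the shape of stack-based overflow CVE-2010-4698 describes.
 */
#define AA_TABLE_SIZE 16

/* Correct validation: exactly the two documented values are accepted. */
int aa_steps_valid(int steps)
{
    return steps == 4 || steps == 16;
}

/*
 * Hypothetical broken validation, illustrating the regression comment 3
 * describes (every call rejected with "AA steps must be 4 or 16"): the
 * condition `steps != 4 || steps != 16` holds for every integer, so nothing
 * is ever accepted. This is the classic shape of such a mistake, not a
 * claim about the exact upstream r306075 code.
 */
int aa_steps_valid_broken(int steps)
{
    return !(steps != 4 || steps != 16);
}

/*
 * Fill the anti-aliasing table with `steps` intensity levels of `color`.
 * Returns the number of entries written, or -1 after emitting the warning
 * when `steps` is rejected. The check must run before the loop: without it,
 * steps = 32 would write 16 ints past the end of `aa`.
 */
int build_aa_table(int steps, int color, int aa[AA_TABLE_SIZE])
{
    if (!aa_steps_valid(steps)) {
        fprintf(stderr, "imagepstext(): AA steps must be 4 or 16\n");
        return -1;
    }
    for (int i = 0; i < steps; i++) {
        /* constructed blend formula: evenly spaced levels up to `color` */
        aa[i] = (color * (i + 1)) / steps;
    }
    return steps;
}

/* Convenience accessor for one table entry; -1 if steps is rejected or the
 * index lies outside the entries that were filled. */
int aa_table_entry(int steps, int color, int index)
{
    int aa[AA_TABLE_SIZE];
    if (build_aa_table(steps, color, aa) < 0 || index < 0 || index >= steps)
        return -1;
    return aa[index];
}

int main(void)
{
    int table[AA_TABLE_SIZE];
    int tests[] = { 4, 16, 8, 17, 32, -1 };

    for (unsigned i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int n = build_aa_table(tests[i], 255, table);
        printf("steps=%3d -> %s (broken check would say %s)\n", tests[i],
               n < 0 ? "rejected" : "accepted",
               aa_steps_valid_broken(tests[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the pairing is that the two failure modes look different to a tester: the missing check is silent until a large step count corrupts the stack, while the inverted check is loud but breaks the function for every caller, which is exactly why the second upstream commit was needed.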
