Bug 680972 (CVE-2011-0708) - CVE-2011-0708 php: buffer over-read in Exif extension
Summary: CVE-2011-0708 php: buffer over-read in Exif extension
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On: 740731 740732 740733 740734 768025 769756 769761 831135
Blocks: 715030 750552
Reported: 2011-02-28 16:51 UTC by Tomas Hoger
Modified: 2021-02-24 16:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-30 18:45:08 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1423 0 normal SHIPPED_LIVE Moderate: php53 and php security update 2011-11-02 22:24:16 UTC
Red Hat Product Errata RHSA-2012:0033 0 normal SHIPPED_LIVE Moderate: php security update 2012-01-18 23:40:02 UTC
Red Hat Product Errata RHSA-2012:0071 0 normal SHIPPED_LIVE Moderate: php security update 2012-01-30 23:17:22 UTC

Description Tomas Hoger 2011-02-28 16:51:52 UTC
An insufficient input validation flaw was discovered in PHP's Exif extension that allows extracting Exif data from image files:
  http://thread.gmane.org/gmane.comp.security.oss.general/4198

An integer overflow causes PHP to not validate offsets read from the file properly, causing it to read behind the end of the buffer.  This leads to PHP interpreter crash when reading specially crafted Exif data.

Before the code over-reading the buffer is reached, PHP needs to allocate a large amount of memory (based on the components / length value read from the file).  This attempt triggers the integer overflow check in safe_emalloc on 32bit platforms and requires the memory_limit for the script to be set to -1 (i.e. no limit is enforced by PHP) on 64bit platforms.

Upstream commits, which include reproducers:
  http://svn.php.net/viewvc?view=revision&revision=308316
  http://svn.php.net/viewvc?view=revision&revision=308317

The follow-up commit replaces the use of a hard-coded numeric constant with INT32_MAX:
  http://svn.php.net/viewvc?view=revision&revision=308362

This fix should first appear in upstream version 5.3.6.
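
Added illustration (not the PHP exif.c source and not the upstream patch): the general shape of the offset/length check the description refers to, first in a 32-bit form where the multiply and the add can wrap, then bounded by INT32_MAX in the spirit of the follow-up commit. The function names, parameter layout and sample values are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative only (NOT the PHP exif.c code): an IFD tag carries a
 * component count and a format; the parser multiplies the count by the
 * per-format byte size and must check that [offset, offset + byte_count)
 * lies inside the buffer it already holds in memory. */

/* Vulnerable shape: both the multiply and the add are done in 32 bits, so
 * an absurd component count wraps byte_count to a tiny value and the check
 * passes although the real range runs far past the end of the buffer. */
bool tag_in_bounds_unsafe(uint32_t offset, uint32_t components,
                          uint32_t bytes_per_comp, uint32_t buf_len)
{
    uint32_t byte_count = components * bytes_per_comp; /* may wrap */
    return offset + byte_count <= buf_len;             /* may wrap */
}

/* Hardened shape: compute the size in 64 bits, reject anything that does
 * not fit a signed 32-bit length (the INT32_MAX bound), then bounds-check
 * with a subtraction that cannot overflow. */
bool tag_in_bounds_safe(uint32_t offset, uint32_t components,
                        uint32_t bytes_per_comp, uint32_t buf_len)
{
    uint64_t byte_count = (uint64_t)components * bytes_per_comp;
    if (byte_count > INT32_MAX)
        return false;                 /* corrupt or hostile size */
    if (offset > buf_len)
        return false;                 /* offset itself is outside */
    return byte_count <= (uint64_t)(buf_len - offset);
}

int main(void)
{
    /* Constructed values: 0x40000001 components of 4 bytes each is
     * 4 GiB + 4 bytes, which a 32-bit multiply truncates to 4. */
    uint32_t comps = 0x40000001u, bpc = 4, off = 16, len = 1024;
    printf("unsafe check: %s\n",
           tag_in_bounds_unsafe(off, comps, bpc, len) ? "accepted" : "rejected");
    printf("safe check:   %s\n",
           tag_in_bounds_safe(off, comps, bpc, len) ? "accepted" : "rejected");
    return 0;
}
```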

Comment 4 errata-xmlrpc 2011-11-02 22:24:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html

Comment 5 Vincent Danen 2011-11-02 23:00:38 UTC
Statement:

(none)

Comment 11 Huzaifa S. Sidhpurwala 2012-01-17 04:09:44 UTC
This issue did not affect the version of php as shipped with Fedora 15 and Fedora 16.

Comment 12 errata-xmlrpc 2012-01-18 18:44:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0033 https://rhn.redhat.com/errata/RHSA-2012-0033.html

Comment 13 errata-xmlrpc 2012-01-30 18:18:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0071 https://rhn.redhat.com/errata/RHSA-2012-0071.html
