The PHP 5.4.32 releases fixes an issue in its embedded copy of the gd library. When using certain image handling functions, if an attacker can supply a path containing a NUL byte, it would terminate the path early, possibly leading to an unexpected file being overwritten. The upstream bug notes this issue was introduced in PHP version 5.4. From an initial code review it looks less likely that the gd library package is affected. References: http://php.net/ChangeLog-5.php#5.4.32 https://bugs.php.net/bug.php?id=67730 https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest
Created php tracking bugs for this issue: Affects: fedora-all [bug 1132794]
This is corrected in upstream PHP 5.5.16: http://php.net/ChangeLog-5.php#5.5.16
php-5.5.16-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Upstream commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=1daa4c0090b7cd8178dcaa96287234c69ac6ca18
This isn't GD issue, but PHP GD extension issue.
(In reply to Murray McAllister from comment #0) > The upstream bug notes this issue was introduced in PHP version 5.4. This issue existed in earlier PHP versions too, but was corrected as part of CVE-2006-7243 (bug 662707). Hence this issue is corrected in all php packages in Red Hat Enterprise Linux 5 and 6. It seems the fix was not correctly merged to 5.4 branch upstream, leading to regression of the fix in upstream PHP 5.4 versions. The php packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream 5.4 or 5.5 and are therefore affected.
(In reply to Tomas Hoger from comment #7) > It seems the fix was not correctly merged to 5.4 branch upstream, leading to > regression of the fix in upstream PHP 5.4 versions. The fix for CVE-2006-7243 that was applied to PHP 5.4 was different from the fix applied to 5.3. The internal zend_parse_parameters() function was extended to add support for a new type specifier 'p' (specifier meant for use for parsing string arguments that will be used as file paths) that differs from the 's' (specifier used for parsing string function arguments) specifier previously used to parse file name arguments by ensuring returned value does not contain any embedded NUL character. In case of GD extension, such change was properly applied to code paths used by imagegd, imagegd2 and imagexbm functions. However, the code path used by remaining functions (imagegif, imagejpeg, imagepng, imagewbmp, imagewebp) was not corrected. PHP applications using one of the above functions can be affected by this issue. For reference, I'm adding links to CVE-2006-7243 patches in 5.4 and 5.3: 5.4 http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a 5.3 http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6
Statement: This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as part of the fix for CVE-2006-7243.
IssueDescription: It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html