Bug 1132793 (CVE-2014-5120) - CVE-2014-5120 php: gd extension NUL byte injection in file names
Summary: CVE-2014-5120 php: gd extension NUL byte injection in file names
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-5120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1132794 1140026 1140027 1149762 1149771
Blocks: 1132795 1138881 1149858
TreeView+ depends on / blocked
 
Reported: 2014-08-22 05:10 UTC by Murray McAllister
Modified: 2021-02-17 06:16 UTC (History)
13 users (show)

Fixed In Version: php 5.5.16, php 5.4.32
Doc Type: Bug Fix
Doc Text:
It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.
Clone Of:
Environment:
Last Closed: 2014-10-31 10:26:18 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1327 0 normal SHIPPED_LIVE Moderate: php security update 2014-09-30 13:09:42 UTC
Red Hat Product Errata RHSA-2014:1765 0 normal SHIPPED_LIVE Important: php54-php security update 2014-10-30 23:45:24 UTC
Red Hat Product Errata RHSA-2014:1766 0 normal SHIPPED_LIVE Important: php55-php security update 2014-10-30 23:45:12 UTC

Description Murray McAllister 2014-08-22 05:10:07 UTC
The PHP 5.4.32 releases fixes an issue in its embedded copy of the gd library. When using certain image handling functions, if an attacker can supply a path containing a NUL byte, it would terminate the path early, possibly leading to an unexpected file being overwritten.

The upstream bug notes this issue was introduced in PHP version 5.4.

From an initial code review it looks less likely that the gd library package is affected.

References:

http://php.net/ChangeLog-5.php#5.4.32
https://bugs.php.net/bug.php?id=67730
https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest

Comment 1 Murray McAllister 2014-08-22 05:11:13 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1132794]

Comment 2 Vincent Danen 2014-08-22 18:57:02 UTC
This is corrected in upstream PHP 5.5.16:

http://php.net/ChangeLog-5.php#5.5.16

Comment 3 Fedora Update System 2014-09-02 06:40:48 UTC
php-5.5.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-09-02 06:47:52 UTC
php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2014-09-04 15:15:31 UTC
This isn't GD issue, but PHP GD extension issue.

Comment 7 Tomas Hoger 2014-09-04 15:25:03 UTC
(In reply to Murray McAllister from comment #0)
> The upstream bug notes this issue was introduced in PHP version 5.4.

This issue existed in earlier PHP versions too, but was corrected as part of CVE-2006-7243 (bug 662707).  Hence this issue is corrected in all php packages in Red Hat Enterprise Linux 5 and 6.

It seems the fix was not correctly merged to 5.4 branch upstream, leading to regression of the fix in upstream PHP 5.4 versions.

The php packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream 5.4 or 5.5 and are therefore affected.

Comment 8 Tomas Hoger 2014-09-04 18:52:23 UTC
(In reply to Tomas Hoger from comment #7)
> It seems the fix was not correctly merged to 5.4 branch upstream, leading to
> regression of the fix in upstream PHP 5.4 versions.

The fix for CVE-2006-7243 that was applied to PHP 5.4 was different from the fix applied to 5.3.  The internal zend_parse_parameters() function was extended to add support for a new type specifier 'p' (specifier meant for use for parsing string arguments that will be used as file paths) that differs from the 's' (specifier used for parsing string function arguments) specifier previously used to parse file name arguments by ensuring returned value does not contain any embedded NUL character.

In case of GD extension, such change was properly applied to code paths used by imagegd, imagegd2 and imagexbm functions.  However, the code path used by remaining functions (imagegif, imagejpeg, imagepng, imagewbmp, imagewebp) was not corrected.  PHP applications using one of the above functions can be affected by this issue.

For reference, I'm adding links to CVE-2006-7243 patches in 5.4 and 5.3:

5.4  http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a
5.3  http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6

Comment 12 Vincent Danen 2014-09-18 22:05:30 UTC
Statement:

This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as part of the fix for CVE-2006-7243.

Comment 13 Martin Prpič 2014-09-25 12:13:43 UTC
IssueDescription:

It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.

Comment 14 errata-xmlrpc 2014-09-30 09:10:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html

Comment 17 errata-xmlrpc 2014-10-30 19:46:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 18 errata-xmlrpc 2014-10-30 19:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html


Note You need to log in before you can comment on or make changes to this bug.