Bug 1123354 (CVE-2019-6977)

Summary: VUL-0: CVE-2019-6977: php5,php7,php53: A heap based buffer overflow is discovered in GD Graphics library
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/223820/
Whiteboard:
  CVSSv3:SUSE:CVE-2019-6977:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
  CVSSv2:NVD:CVE-2019-6977:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
  CVSSv3:NVD:CVE-2019-6977:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  maint:released:sle10-sp3:64207
  CVSSv3:RedHat:CVE-2019-6977:6.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2019-01-28 12:31:33 UTC
CVE-2019-6977

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD)
2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before
7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer
overflow. This can be exploited by an attacker who is able to trigger
imagecolormatch calls with crafted image data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6977
https://bugs.php.net/bug.php?id=77270
http://php.net/ChangeLog-7.php
http://php.net/ChangeLog-5.php
Comment 1 Alexandros Toptsoglou 2019-01-28 13:34:20 UTC
The vulnerable code is the same in all codestreams but is located in different files: gd_color_match.c / gd_color.c / gd_topal.c. For the first two, fixes are available at [1] and [2] respectively. For the third there is none. However, the patch should be similar, since the affected code is exactly the same. Two PoCs are available at [3].

This bug affects all codestreams.
Specifically:
 For php7  
SUSE:SLE-15:Update --> version 7.2.5 --> fix at [1] 
SUSE:SLE-12:Update  --> version 7.0.7 --> fix at [2] 
 For php53 
SUSE:SLE-11-SP3:Update --> version 5.3.17 --> fix at [2] 
 For php5 
SUSE:SLE-12:Update --> version 5.5.14 --> fix at [2] 
SUSE:SLE-11:Update and SUSE:SLE-10-SP3:Update  --> version 5.2.14 --> vulnerable code at gd_topal.c --> fix should be similar to [1] and/or [2] 

[1] http://git.php.net/?p=php-src.git;a=commit;h=a15af81b5f0058e020eda0f109f51a3c863f5212
[2] http://git.php.net/?p=php-src.git;a=commit;h=7a12dad4dd6c370835b13afae214b240082c7538
[3] https://gist.github.com/cmb69/911de73cc2fbdad85570ea7143455457
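The bug class behind the three files named above is a scratch buffer whose size follows the palette's allocated entry count while the pixels that index into it are raw bytes that can hold any value up to 255. Upstream fix [1] closes this by sizing the buffer by gdMaxColors instead of im2->colorsTotal. The following stand-alone C model, written for this bug entry and not taken from libgd or PHP, reproduces that sizing decision so it can be checked numerically: `pal_image`, `tally_slots_unpatched`, `tally_slots_patched`, `tally_would_overflow` and `tally_counts` are hypothetical names chosen to mirror libgd's field names (colorsTotal, pixels) for readability, and the image contents are constructed inline.

```c
/* Added example for CVE-2019-6977: model of an accumulator sized by the
 * palette's colorsTotal versus one sized by the maximum palette size.
 * The struct and helpers below are assumptions for illustration, not
 * libgd's or PHP's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GD_MAX_COLORS   256   /* a palette pixel is one byte: 256 possible indices */
#define SLOTS_PER_COLOR 5     /* per palette entry: count, r, g, b, a */

typedef struct {
    int sx, sy;
    int colorsTotal;            /* palette entries allocated so far */
    unsigned char **pixels;     /* pixels[y][x] is a palette index (assumed layout) */
} pal_image;

/* Allocate an sx*sy palette image with every pixel set to index 0. */
pal_image *pal_image_new(int sx, int sy, int colorsTotal)
{
    if (sx < 1 || sy < 1 || colorsTotal < 1 || colorsTotal > GD_MAX_COLORS)
        return NULL;
    pal_image *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->sx = sx; im->sy = sy; im->colorsTotal = colorsTotal;
    im->pixels = calloc((size_t)sy, sizeof *im->pixels);
    if (!im->pixels) { free(im); return NULL; }
    for (int y = 0; y < sy; y++) {
        im->pixels[y] = calloc((size_t)sx, 1);
        if (!im->pixels[y]) {
            for (int k = 0; k < y; k++) free(im->pixels[k]);
            free(im->pixels); free(im);
            return NULL;
        }
    }
    return im;
}

void pal_image_free(pal_image *im)
{
    if (!im) return;
    for (int y = 0; y < im->sy; y++) free(im->pixels[y]);
    free(im->pixels);
    free(im);
}

/* Largest palette index referenced by any pixel of the image. */
int pal_image_max_index(const pal_image *im)
{
    int max = 0;
    for (int y = 0; y < im->sy; y++)
        for (int x = 0; x < im->sx; x++)
            if (im->pixels[y][x] > max) max = im->pixels[y][x];
    return max;
}

/* Slots the pre-fix scheme reserves: 5 * colorsTotal (follows the palette). */
size_t tally_slots_unpatched(const pal_image *im)
{
    return (size_t)SLOTS_PER_COLOR * (size_t)im->colorsTotal;
}

/* Slots the fixed scheme reserves: 5 * gdMaxColors (follows the index range). */
size_t tally_slots_patched(void)
{
    return (size_t)SLOTS_PER_COLOR * GD_MAX_COLORS;
}

/* 1 if accumulating into a buffer of `slots` entries would write past its
 * end for this image, i.e. if max_index*5 + 4 >= slots. */
int tally_would_overflow(const pal_image *im, size_t slots)
{
    size_t last = (size_t)pal_image_max_index(im) * SLOTS_PER_COLOR + (SLOTS_PER_COLOR - 1);
    return last >= slots;
}

/* Hardened accumulation: counts[] has GD_MAX_COLORS entries, so every byte-sized
 * index is in bounds regardless of colorsTotal. Returns pixels tallied. */
long tally_counts(const pal_image *im, unsigned long counts[GD_MAX_COLORS])
{
    memset(counts, 0, sizeof(unsigned long) * GD_MAX_COLORS);
    long n = 0;
    for (int y = 0; y < im->sy; y++)
        for (int x = 0; x < im->sx; x++) { counts[im->pixels[y][x]]++; n++; }
    return n;
}

int main(void)
{
    /* Constructed input: 4x4 palette image with one allocated colour and a
     * single pixel whose index has no palette entry behind it. */
    pal_image *im = pal_image_new(4, 4, 1);
    if (!im) return 1;
    im->pixels[2][3] = 200;
    unsigned long counts[GD_MAX_COLORS];
    printf("max index %d\n", pal_image_max_index(im));
    printf("unpatched slots %zu -> overflow %d\n", tally_slots_unpatched(im),
           tally_would_overflow(im, tally_slots_unpatched(im)));
    printf("patched slots %zu -> overflow %d\n", tally_slots_patched(),
           tally_would_overflow(im, tally_slots_patched()));
    printf("tallied %ld pixels, counts[200]=%lu\n", tally_counts(im, counts), counts[200]);
    pal_image_free(im);
    return 0;
}
```

The point the model makes is that the bound must come from the index type's range, not from the current palette size: a palette image with one allocated entry can still carry index 200 in a pixel byte, which the colorsTotal-sized buffer cannot hold but the gdMaxColors-sized one can. When backporting to a codestream with no upstream patch (gd_topal.c in the php5 5.2.14 case above), that is the property to preserve.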
Comment 2 Alexandros Toptsoglou 2019-01-28 13:43:18 UTC
This bug is also related to gd bug 1123361 [1] 

[1] https://bugzilla.suse.com/show_bug.cgi?id=1123361
Comment 3 Petr Gajdos 2019-02-04 08:47:59 UTC
TW/php7, 15/php7: php is built against system libgd, thus it will be solved via gd package update (got the same crashes as in gd testcase, got none after libgd-2.2.5 update)

BEFORE

12/php7,php5

$ valgrind -q php 77270.php
$
[no crash as in TW,15/php7 case]

11sp3/php53, 11,10sp3/php5

$ php 77270.php
PHP Fatal error:  Call to undefined function imagepalettetotruecolor() in /123354/77270.php on line 4
$
[testcase does not work]


PATCH

in comment 1


AFTER

12/php7,php5

$ valgrind -q php 77270.php
$
[result the same, no regression found]
Comment 4 Petr Gajdos 2019-02-04 08:49:23 UTC
Will submit for: 12/php7, 12/php5(Leap), 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 5 Petr Gajdos 2019-02-04 09:32:45 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2019-02-08 14:28:51 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-03-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64206
Comment 9 Swamp Workflow Management 2019-02-12 17:09:45 UTC
SUSE-SU-2019:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118832,1123354,1123522
CVE References: CVE-2018-19935,CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.63.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.63.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.63.1
Comment 10 Swamp Workflow Management 2019-02-14 20:09:09 UTC
SUSE-SU-2019:13961-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123354,1123522
CVE References: CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.53.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.53.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.53.1
Comment 11 Swamp Workflow Management 2019-02-19 11:09:47 UTC
openSUSE-SU-2019:0207-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118832,1123354,1123522
CVE References: CVE-2018-19935,CVE-2019-6977,CVE-2019-6978
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-55.1
Comment 12 Swamp Workflow Management 2019-02-20 17:09:41 UTC
SUSE-SU-2019:0449-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123354
CVE References: CVE-2019-6977
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.48.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.48.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.48.1
Comment 13 Swamp Workflow Management 2019-03-01 20:09:22 UTC
openSUSE-SU-2019:0276-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123354
CVE References: CVE-2019-6977
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-112.1
Comment 14 Marcus Meissner 2019-07-16 06:05:23 UTC
done