Bug 1204979 (CVE-2022-31630)

Summary: VUL-0: CVE-2022-31630: php53,php74,php8,php7: php: OOB read due to insufficient input validation in imageloadfont()
Product: [Novell Products] SUSE Security Incidents
Reporter: Stoyan Manolov <stoyan.manolov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/346922/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-31630:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stoyan Manolov 2022-11-02 16:47:36 UTC
It is possible to construct font files supposed to be loaded by imageloadfont() which trigger OOB reads if the fonts are actually accessed (e.g. by imagechar()). The given test script exploits that by triggering the assignment of a zero byte memory allocation to gdFont.data (which is happily accepted by imageloadfont()), and then reads beyond this "buffer" when calling imagechar(). So if an application allows uploading arbitrary font files and working with them, it is likely vulnerable.

References:
https://www.php.net/ChangeLog-8.php#8.0.25
https://bugs.php.net/bug.php?id=81739

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2139280
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31630
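As an added defensive example (not code from the bug report, from SUSE, or from php-src): a pre-check that an application accepting uploaded font files can run before handing a file to imageloadfont(). It parses the documented header layout (four machine-order 32-bit ints: nchars, first character, width, height, followed by nchars*width*height bytes of pixel data) and rejects a file whose body length does not match, which is exactly the case for the header-only file used in Comment 2. The $maxPixels budget and the function name are assumptions chosen for this example.

```php
<?php
// Added example, not part of the bug report or of php-src.
// Returns null when the font file is internally consistent, otherwise a reason string.
function validate_gd_font_file(string $path, int $maxPixels = 1 << 20): ?string
{
    $size = filesize($path);
    if ($size === false || $size < 16) {
        return "file too short for the 16-byte gd font header";
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return "cannot open file";
    }
    $hdr = fread($fh, 16);
    fclose($fh);
    if ($hdr === false || strlen($hdr) !== 16) {
        return "short read of header";
    }
    // 'l' = signed 32-bit int in machine byte order, the same way gd reads the header.
    $h = unpack('lnchars/lfirst/lwidth/lheight', $hdr);
    foreach (['nchars', 'width', 'height'] as $k) {
        if ($h[$k] <= 0) {
            return "$k must be positive, got {$h[$k]}";
        }
    }
    if ($h['first'] < 0) {
        return "first character code must not be negative";
    }
    // Bound the product with divisions so the check itself cannot overflow;
    // $maxPixels is an arbitrary policy limit assumed for this example.
    if ($h['width'] > intdiv($maxPixels, $h['height'])
        || $h['width'] * $h['height'] > intdiv($maxPixels, $h['nchars'])) {
        return "font dimensions exceed the allowed pixel budget";
    }
    $expectedBody = $h['nchars'] * $h['width'] * $h['height'];
    if ($size - 16 !== $expectedBody) {
        return sprintf("body is %d bytes, header implies %d", $size - 16, $expectedBody);
    }
    return null; // consistent: body length matches the header, safe to pass to imageloadfont()
}

// Constructed sample: the header-only file from Comment 2 (nchars=1, first=32, 8x8, no pixel data).
$tmp = tempnam(sys_get_temp_dir(), 'font');
file_put_contents($tmp, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
$problem = validate_gd_font_file($tmp);
unlink($tmp);
if ($problem !== null) {
    echo "rejected: $problem\n";
} else {
    echo "accepted\n";
}
?>
```

On the header-only sample the body length is 0 while the header implies 64 bytes, so the file is rejected before imageloadfont() ever sees it; only files that pass should be loaded.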
Comment 1 OBSbugzilla Bot 2022-11-03 11:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1204979) was mentioned in
https://build.opensuse.org/request/show/1033030 Factory / php7
Comment 2 Petr Gajdos 2022-11-03 11:43:46 UTC
BEFORE

15sp4/php8, 15sp4,15sp2/php7, 12/php74

<?php

$s = fopen(__DIR__ . "/font.font", "w");
// header without character data
fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
fclose($s);
$font = imageloadfont(__DIR__ . "/font.font");
$im = imagecreate(10, 10);
imagechar($im, $font, 0, 0, " ", imagecolorallocate($im, 255, 255, 255));
?>

:/204979 # php test.php
Segmentation fault (core dumped)
:/204979 #
PATCH

https://github.com/php/php-src/commit/d50532be91f054ef9beb1afca2ea94f4a70f7c4d

[2022-10-18 10:17 UTC] cmb@php.net

This issue has been introduced with commit 88b6037[1], so versions
prior to PHP 7.4.0 are not affected.  We could simply revert that
commit, but maybe it is better to duplicate the overflow check to
avoid confusion.

I have verified that 15/php7 and 11sp3/php53 do not crash.
AFTER

15sp4/php8, 15sp4,15sp2/php7, 12/php74

:/204979 # php test.php
PHP Warning:  imageloadfont(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /204979/test.php on line 7
PHP Warning:  imageloadfont(): Error reading font, invalid font header in /204979/test.php on line 7
:/204979 #
Comment 3 Petr Gajdos 2022-11-03 11:50:16 UTC
Submitted for 15sp4/php8, 15sp4,15sp2/php7, 12/php74.

I believe all fixed.
Comment 6 Swamp Workflow Management 2022-11-15 20:30:30 UTC
SUSE-SU-2022:4005-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1204577,1204979
CVE References: CVE-2022-31630,CVE-2022-37454
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    apache2-mod_php8-8.0.25-150400.4.17.1, php8-8.0.25-150400.4.17.1, php8-embed-8.0.25-150400.4.17.1, php8-fastcgi-8.0.25-150400.4.17.1, php8-fpm-8.0.25-150400.4.17.1, php8-test-8.0.25-150400.4.17.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    apache2-mod_php8-8.0.25-150400.4.17.1, php8-8.0.25-150400.4.17.1, php8-embed-8.0.25-150400.4.17.1, php8-fastcgi-8.0.25-150400.4.17.1, php8-fpm-8.0.25-150400.4.17.1, php8-test-8.0.25-150400.4.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-11-15 20:33:15 UTC
SUSE-SU-2022:3997-1: An update that fixes 8 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1203867,1203870,1204577,1204979
CVE References: CVE-2021-21707,CVE-2021-21708,CVE-2022-31625,CVE-2022-31626,CVE-2022-31628,CVE-2022-31629,CVE-2022-31630,CVE-2022-37454
JIRA References: SLE-23639
Sources used:
openSUSE Leap 15.4 (src):    apache2-mod_php7-7.4.33-150400.4.13.1, php7-7.4.33-150400.4.13.1, php7-embed-7.4.33-150400.4.13.1, php7-fastcgi-7.4.33-150400.4.13.1, php7-fpm-7.4.33-150400.4.13.1, php7-test-7.4.33-150400.4.13.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    php7-embed-7.4.33-150400.4.13.1
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    apache2-mod_php7-7.4.33-150400.4.13.1, php7-7.4.33-150400.4.13.1, php7-fastcgi-7.4.33-150400.4.13.1, php7-fpm-7.4.33-150400.4.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-11-18 14:26:09 UTC
SUSE-SU-2022:4068-1: An update that fixes 18 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1203867,1203870,1204577,1204979
CVE References: CVE-2017-8923,CVE-2020-7068,CVE-2020-7069,CVE-2020-7070,CVE-2020-7071,CVE-2021-21702,CVE-2021-21703,CVE-2021-21704,CVE-2021-21705,CVE-2021-21706,CVE-2021-21707,CVE-2021-21708,CVE-2022-31625,CVE-2022-31626,CVE-2022-31628,CVE-2022-31629,CVE-2022-31630,CVE-2022-37454
JIRA References: SLE-23639
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.33-1.47.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.33-1.47.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-11-18 14:28:12 UTC
SUSE-SU-2022:4069-1: An update that fixes 18 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1203867,1203870,1204577,1204979
CVE References: CVE-2017-8923,CVE-2020-7068,CVE-2020-7069,CVE-2020-7070,CVE-2020-7071,CVE-2021-21702,CVE-2021-21703,CVE-2021-21704,CVE-2021-21705,CVE-2021-21706,CVE-2021-21707,CVE-2021-21708,CVE-2022-31625,CVE-2022-31626,CVE-2022-31628,CVE-2022-31629,CVE-2022-31630,CVE-2022-37454
JIRA References: SLE-23639
Sources used:
openSUSE Leap 15.4 (src):    php7-7.4.33-150200.3.46.2
openSUSE Leap 15.3 (src):    php7-7.4.33-150200.3.46.2, php7-test-7.4.33-150200.3.46.2
SUSE Manager Server 4.1 (src):    php7-7.4.33-150200.3.46.2
SUSE Manager Retail Branch Server 4.1 (src):    php7-7.4.33-150200.3.46.2
SUSE Manager Proxy 4.1 (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    php7-7.4.33-150200.3.46.2
SUSE Enterprise Storage 7 (src):    php7-7.4.33-150200.3.46.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.