Bug 78094 (CVE-2005-1043)

Summary: VUL-0: CVE-2005-1043: php buffer overflow in exif_process_IFD_TAG
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-1043: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: corrupted-exif.jpg

Description Ludwig Nussel 2005-04-15 11:36:35 UTC 
The issue is public.

We don't have these, right? *sigh*

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1043

Date: Thu, 14 Apr 2005 11:33:56 +0200
From: Martin Pitt <martin.pitt@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [Full-disclosure] [USN-112-1] PHP4 vulnerabilities

===========================================================
Ubuntu Security Notice USN-112-1	     April 14, 2005
php4 vulnerabilities
CAN-2005-1042, CAN-2005-1043
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libapache2-mod-php4
php4-cgi

The problem can be corrected by upgrading the affected package to
version 4:4.3.8-3ubuntu7.8. After performing a standard system upgrade
you need to reload the PHP module in the webserver by executing

  sudo /etc/init.d/apache2 reload

to effect the necessary changes. 

Details follow:

An integer overflow was discovered in the exif_process_IFD_TAG()
function in PHP4's EXIF module. EXIF tags with a specially crafted
"Image File Directory" (IFD) tag caused a buffer overflow which could
have been exploited to execute arbitrary code with the privileges of
the PHP4 server. (CAN-2005-1042)

The same module also contained a Denial of Service vulnerability. EXIF
headers with a large IFD nesting level caused an unbound recursion
which would eventually overflow the stack and cause the executed
program to crash. (CAN-2005-1043)

In web applications that automatically process EXIF tags of uploaded
images, both vulnerabilities could be exploited remotely.


  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.8.diff.gz
      Size/MD5:   615279 bccbf61fbd657d604778ef0807602269
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.8.dsc
      Size/MD5:     1624 50fb00c9c97235f29bd5e0b5be38719f
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8.orig.tar.gz
      Size/MD5:  4832570 dd69f8c89281f088eadf4ade3dbd39ee
[...]
Comment 1 Michal Čihař 2005-04-15 11:54:07 UTC 
We probably have it - php4-exif and php5-exif packages.
Comment 2 Ludwig Nussel 2005-04-15 11:55:36 UTC 
I was referring to the patches :)
Comment 3 Michal Čihař 2005-04-15 12:06:28 UTC 
AFAIK not.
Comment 4 Michal Čihař 2005-04-15 15:31:49 UTC 
Fixed packages submitted, porting patch was quite easy :-).
Comment 5 Ludwig Nussel 2005-04-18 07:59:00 UTC 
affected subpackages in distros where they are split up are php4-exif and  
php5-exif I suppose?
Comment 6 Ludwig Nussel 2005-04-18 08:03:16 UTC 
SM-Tracker-952
Comment 7 Michal Čihař 2005-04-18 08:10:42 UTC 
You're right.
Comment 8 Marcus Meissner 2005-04-26 07:22:41 UTC 
Created attachment 35473 [details]
corrupted-exif.jpg

jpeg with corrupted (recursive) exif data
Comment 9 Marcus Meissner 2005-04-27 15:22:10 UTC 
updates released. no extra advisory, will go into summary advisory-.
Comment 10 Thomas Biege 2009-10-13 21:16:54 UTC 
CVE-2005-1043: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)