Bug 962057 (CVE-2016-1903)

Summary: VUL-0: CVE-2016-1903: php5: Memory Read via gdImageRotateInterpolated Array Index Out of Bounds
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/160706/
Whiteboard: CVSSv2:SUSE:CVE-2016-1903:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-1903:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2016-1903:6.4:(AV:N/AC:L/Au:N/C:P/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2016-01-15 09:54:45 UTC

This is the function prototype for ImageRotate:

resource imagerotate ( resource $image , float $angle , int $bgd_color [, int $ignore_transparent = 0 ] )

$bgd_color specifies the background color of an image after it has been rotated. This is passed in as an integer that represents an index to the color palette.

There is a lack of validation of $bgd_color. One can pass in a large number that exceeds the color palette array. This reads memory beyond the color palette. Information of the memory leak can then be obtained via the background color after the image has been rotated.

More details in https://bugs.php.net/bug.php?id=70976

>= SLE 12 affected
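The description above says the problem is that imagerotate() takes $bgd_color straight into the palette array without checking it against the number of allocated colors. Until a fixed gd is installed, an application can refuse such values itself. The wrapper below is an added example, not code from the bug report, from PHP or from gd; the function name safe_imagerotate and the 1x1 test image are my own choices, and it is written without scalar type hints so that it also runs on the PHP 5.5/5.6 builds named in this bug.

```php
<?php
/**
 * Wrapper around imagerotate() that rejects a $bgd_color which is not a valid
 * colour for the given image, so an unchecked value never reaches gd's palette
 * lookup. Added example (hypothetical helper), not part of PHP or gd.
 */
function safe_imagerotate($image, $angle, $bgd_color, $ignore_transparent = 0)
{
    $bgd_color = (int) $bgd_color;

    if (imageistruecolor($image)) {
        // Truecolor images take a packed colour value rather than a palette
        // index; anything outside 0..0x7FFFFFFF is not a colour gd produces.
        if ($bgd_color < 0 || $bgd_color > 0x7FFFFFFF) {
            throw new InvalidArgumentException(
                'bgd_color out of range for a truecolor image');
        }
    } else {
        // Palette images: the value must index an entry that was actually
        // allocated, i.e. 0 <= index < imagecolorstotal().
        $total = imagecolorstotal($image);
        if ($bgd_color < 0 || $bgd_color >= $total) {
            throw new InvalidArgumentException(sprintf(
                'bgd_color %d is not a valid palette index (palette has %d colours)',
                $bgd_color, $total));
        }
    }

    return imagerotate($image, (float) $angle, $bgd_color, $ignore_transparent);
}

// Constructed demonstration on the same 1x1 palette image used in comment 3.
$im = imagecreate(1, 1);
imagecolorallocate($im, 255, 255, 255); // index 0, the only palette entry

// A valid index behaves exactly like a plain imagerotate() call.
$rotated = safe_imagerotate($im, 45, 0);
echo $rotated !== false ? "rotate ok\n" : "rotate failed\n";

// The out-of-range value from comment 3 is rejected before gd sees it.
try {
    safe_imagerotate($im, 45, 0x7ffffff9);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check is cheap enough to leave in place permanently; on a patched gd it changes nothing for valid input, and on an unpatched one it turns a silent out-of-bounds read into a logged exception that can be alerted on.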

Comment 1 Swamp Workflow Management 2016-01-15 23:00:24 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-01-18 09:39:35 UTC
Hoping I have read php bug correctly, the appropriate fix is contained in:
Comment 3 Petr Gajdos 2016-01-18 10:27:44 UTC
Tested with php5 @ sle12.

$ rpm -qa | grep php5

$ php -r "imagerotate(imagecreate(1,1),45,0x7ffffff9);"
Segmentation fault (core dumped)

$ php -r "imagerotate(imagecreate(1,1),45,0x7ffffff9);"
PHP Warning:  imagerotate(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully in Command line code on line 1
Comment 4 Petr Gajdos 2016-01-18 12:37:38 UTC
Submitted for sle12 (-> 42.1) and 13.2.
Comment 6 Bernhard Wiedemann 2016-01-18 13:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (962057) was mentioned in
https://build.opensuse.org/request/show/354582 13.2 / php5
Comment 7 Swamp Workflow Management 2016-01-26 17:15:34 UTC
openSUSE-SU-2016:0251-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,949962,962057
CVE References: CVE-2015-7803,CVE-2015-7804,CVE-2016-1903
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-39.1
Comment 9 Swamp Workflow Management 2016-01-29 15:13:42 UTC
SUSE-SU-2016:0284-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-42.2
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-42.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-42.2
Comment 10 Swamp Workflow Management 2016-02-07 19:14:15 UTC
openSUSE-SU-2016:0366-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-41.1
Comment 11 Marcus Meissner 2016-02-10 07:38:20 UTC
sle11 seems not affected.