Bug 986386 (CVE-2016-5766)

Summary: VUL-0: CVE-2016-5766: php5,php53: Integer Overflow in _gd2GetHeader() resulting in heap overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, krahmer, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/170460/
Whiteboard: CVSSv2:SUSE:CVE-2016-5766:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-5766:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) maint:running:62922:moderate
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: bug72339.gd.bz2
xx.php

Description Marcus Meissner 2016-06-24 10:00:10 UTC 
http://seclists.org/oss-sec/2016/q2/589

    GD:
        Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
        heap overflow). (Pierre)

    https://bugs.php.net/bug.php?id=72339
    http://git.php.net/?p=php-src.git;a=commitdiff;h=7722455726bec8c53458a32851d2a87982cf0eac


Use CVE-2016-5766.
Comment 1 Petr Gajdos 2016-06-24 10:04:27 UTC 
Note that you maybe should start to write also php7 as we are going to maintain it in 12sp2 and there is no room for version update anymore - Leonardo push it into QA.
Comment 2 Marcus Meissner 2016-06-24 10:07:12 UTC 
Created attachment 682013 [details]
bug72339.gd.bz2

QA REPRODUCER:

download this file,
bunzip2 bug72339.gd.bz2

... continue in next comment ...
Comment 3 Marcus Meissner 2016-06-24 10:07:39 UTC 
Created attachment 682014 [details]
xx.php

QA REPRODUCER:

php xx.php


will crash with the supplied gd file.
Comment 4 Marcus Meissner 2016-06-24 10:09:38 UTC 
hmm yes.

you can still push a minor version update for php7 currently, as QA has not started testing it yet.
Comment 5 Swamp Workflow Management 2016-06-24 22:00:44 UTC 
bugbot adjusting priority
Comment 6 Petr Gajdos 2016-06-27 15:17:48 UTC 
Segfaults for 12sp2/php7 down to 11/php5.
Comment 7 Petr Gajdos 2016-06-29 08:43:02 UTC 
Packages submitted.
Comment 9 Bernhard Wiedemann 2016-06-29 10:00:43 UTC 
This is an autogenerated message for OBS integration:
This bug (986386) was mentioned in
https://build.opensuse.org/request/show/405425 13.2 / php5
Comment 11 Bernhard Wiedemann 2016-06-29 14:03:17 UTC 
This is an autogenerated message for OBS integration:
This bug (986386) was mentioned in
https://build.opensuse.org/request/show/405458 13.2 / php5
Comment 12 Swamp Workflow Management 2016-07-07 16:09:07 UTC 
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-69.1
Comment 15 Swamp Workflow Management 2016-07-20 22:10:04 UTC 
SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-68.1
Comment 16 Swamp Workflow Management 2016-08-01 03:09:53 UTC 
openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-56.1
Comment 19 Swamp Workflow Management 2016-08-09 15:38:25 UTC 
SUSE-SU-2016:2013-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-74.1
Comment 20 Sebastian Krahmer 2016-08-10 10:03:28 UTC 
CVSSv2:SUSE:CVE-2016-5766:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 21 Swamp Workflow Management 2016-08-16 11:10:31 UTC 
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php5-5.2.14-0.7.30.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php5-5.2.14-0.7.30.89.1
Comment 23 Petr Gajdos 2017-08-08 11:10:55 UTC 
http://git.php.net/?p=php-src.git;a=commit;h=5f107ab8a66f8b36ac0c0b32e0231bf94e083c94

This is also needed to not use unitialized variable.
Comment 24 Petr Gajdos 2017-08-08 11:37:09 UTC 
Packages submitted for: 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 28 Swamp Workflow Management 2017-08-30 17:32:41 UTC 
SUSE-SU-2017:2303-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1047454,1048094,1048096,1048100,1048111,1048112,1050241,1050726,1052389,1053645,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11142,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.9.2
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-50.9.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.9.2
Comment 29 Swamp Workflow Management 2017-09-01 01:08:36 UTC 
SUSE-SU-2017:2317-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048097,1048111,1048112,1050241,1050726,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11143,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-109.5.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.5.1
Comment 30 Swamp Workflow Management 2017-09-04 10:09:28 UTC 
openSUSE-SU-2017:2337-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1047454,1048094,1048096,1048100,1048111,1048112,1050241,1050726,1052389,1053645,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11142,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-19.1
openSUSE Leap 42.2 (src):    php7-7.0.7-14.9.1
Comment 32 Swamp Workflow Management 2017-09-06 01:11:15 UTC 
openSUSE-SU-2017:2366-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048097,1048111,1048112,1050241,1050726,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11143,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-82.1
openSUSE Leap 42.2 (src):    php5-5.5.14-77.9.1
Comment 33 Swamp Workflow Management 2017-09-18 16:12:40 UTC 
SUSE-SU-2017:2522-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048111,1048112,1050241,1050726,1054430,986386
CVE References: CVE-2016-10168,CVE-2016-10397,CVE-2016-5766,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-12933,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.5.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.5.1
Comment 34 Marcus Meissner 2017-10-26 05:47:34 UTC 
released