Bug 1015187 - (CVE-2016-9933) VUL-0: CVE-2016-9933: php5,php53,php7: imagefilltoborder stackoverflow on truecolor images
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-9933:2.1:(AV:L/A...
Depends on:
Blocks:
Reported: 2016-12-12 18:18 UTC by Mikhail Kasimov
Modified: 2017-09-20 06:36 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2016-9933.php (104 bytes, application/x-php), 2016-12-13 13:56 UTC, Marcus Meissner
github_bug_215.c (536 bytes, text/x-c++src), 2016-12-19 07:39 UTC, Marcus Meissner

Description Mikhail Kasimov 2016-12-12 18:18:01 UTC
Reference: http://seclists.org/oss-sec/2016/q4/658
===================================================
    Fixed in PHP 5.6.28, 7.0.13 and 7.1.0:
    Bug #72696    imagefilltoborder stackoverflow on truecolor images
    https://bugs.php.net/bug.php?id=72696
    https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1


Use CVE-2016-9933. The scope of this CVE is only the missing
"color < 0" test in older versions.
https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e
is also about comparisons to "im->colorsTotal - 1" - if that's also a
libgd vulnerability fix, and someone wants a CVE ID for that, please
let us know.
===================================================
Comment 1 Swamp Workflow Management 2016-12-12 23:02:16 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-13 13:56:24 UTC
Created attachment 706258 [details]
CVE-2016-9933.php

QA REPRODUCER:

run 

php CVE-2016-9933.php

Speicherzugriffsfehler (Speicherabzug geschrieben)

should not segfault by too deep recursion.
Comment 3 Petr Gajdos 2016-12-14 09:49:35 UTC
Patch fixes the segfault everywhere.
Comment 4 Bernhard Wiedemann 2016-12-14 17:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (1015187) was mentioned in
https://build.opensuse.org/request/show/445803 13.2 / gd
Comment 6 Petr Gajdos 2016-12-14 19:07:00 UTC
Packages submitted.
Comment 8 Bernhard Wiedemann 2016-12-14 21:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (1015187) was mentioned in
https://build.opensuse.org/request/show/445958 13.2 / php5
Comment 9 Marcus Meissner 2016-12-19 07:39:27 UTC
Created attachment 706934 [details]
github_bug_215.c

QA REPRODUCER:

(For gd)

gcc -o github_bug_215 github_bug_215.c -lgd -O2 -Wall
./github_bug_215

should not segfault (on success output will be empty)
Comment 11 Swamp Workflow Management 2016-12-19 14:34:41 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-01-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63302
Comment 12 Swamp Workflow Management 2016-12-19 14:38:33 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-01-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63304
Comment 16 Swamp Workflow Management 2016-12-21 19:09:14 UTC
SUSE-SU-2016:3211-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1015187
CVE References: CVE-2016-9933
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Server 12-SP2 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gd-2.1.0-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-20.1
Comment 17 Swamp Workflow Management 2016-12-22 14:07:53 UTC
openSUSE-SU-2016:3228-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1015187
CVE References: CVE-2016-9933
Sources used:
openSUSE 13.2 (src):    gd-2.1.0-7.22.1
Comment 18 Swamp Workflow Management 2016-12-22 14:16:39 UTC
openSUSE-SU-2016:3239-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-89.1
Comment 19 Swamp Workflow Management 2016-12-22 19:08:03 UTC
SUSE-SU-2016:3251-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1015187
CVE References: CVE-2016-9933
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gd-2.0.36.RC1-52.29.1
SUSE Linux Enterprise Server 11-SP4 (src):    gd-2.0.36.RC1-52.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gd-2.0.36.RC1-52.29.1
Comment 21 Swamp Workflow Management 2017-01-02 12:08:01 UTC
openSUSE-SU-2017:0006-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1015187
CVE References: CVE-2016-9933
Sources used:
openSUSE Leap 42.2 (src):    gd-2.1.0-13.1
openSUSE Leap 42.1 (src):    gd-2.1.0-16.1
Comment 22 Petr Gajdos 2017-01-03 13:23:51 UTC
I can confirm the issue.
Comment 23 Petr Gajdos 2017-01-03 13:48:41 UTC
First, just for 11/gd, the testcase falls into some sort of recursion:

(gdb) bt
[...]
#104830 0x00007ffff7ba427c in gdImageFillToBorder (im=0x602010, x=<value optimized out>, y=1, border=2, color=-1) at gd.c:1817
#104831 0x00007ffff7ba4303 in gdImageFillToBorder (im=0x602010, x=0, y=<value optimized out>, border=2, color=-1) at gd.c:1838
#104832 0x00007ffff7ba427c in gdImageFillToBorder (im=0x602010, x=<value optimized out>, y=1, border=2, color=-1) at gd.c:1817
#104833 0x00007ffff7ba4303 in gdImageFillToBorder (im=0x602010, x=0, y=<value optimized out>, border=2, color=-1) at gd.c:1838
#104834 0x000000000040081e in main () at github_bug_215.c:14
(gdb)

Second, there is an additional commit, which could have been added everywhere, perhaps:

https://github.com/libgd/libgd/commit/6f5c4084c1a94e6312e81b3efc07b736fe938e16#diff-2ebe418bf93ac39773a117e4b38fe86a

nevertheless that does not help with the recursion.
Comment 24 Petr Gajdos 2017-01-03 14:00:00 UTC
Ah, ok, I had the patch not applied, too. Uncommenting it fixes the original problem. I will submit the additional fix now.
Comment 25 Petr Gajdos 2017-01-03 14:05:34 UTC
And, at the end, the additional commit seems to be redundant to me because color is checked against a negative value one condition before.

I believe this bug is fully fixed.
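The description scopes the CVE to the missing "color < 0" test, the backtrace in comment 23 shows the fill recursing into itself with color=-1 until the stack runs out, and comment 25 notes the extra commit is redundant because the negative colour is rejected one condition earlier. The following is an added example, not libgd's or PHP's code, that models this on a toy grid: a 4-connected fill-to-border with the guard beside an unguarded variant. All names (grid_t, fill_to_border, init_grid, MAX_DEPTH, ...) and the sample image are the example's own; the rule that a negative index is silently not stored is the example's simplification of a fill colour that never lands on the pixel, not a description of gd's pixel write path.

```c
/* Added example (not libgd/PHP code): toy fill-to-border with and without
 * the "color < 0" guard. Names and values are this example's own. */
#include <stdio.h>
#include <string.h>

#define W 6
#define H 6
#define BORDER 1
/* Demo-only cap so the unguarded variant terminates; the real recursion
 * has no cap and exhausts the stack (the segfault in the reproducers). */
#define MAX_DEPTH 1000

typedef struct {
    int px[H][W];     /* palette indices, always >= 0 */
    long cur_depth;   /* current recursion depth */
    long max_depth;   /* deepest level reached by the last fill */
    int hit_cap;      /* set if the last fill ran into MAX_DEPTH */
} grid_t;

/* Constructed sample image: a rectangle of BORDER pixels with corners
 * (1,1) and (4,4); its 2x2 interior and everything outside are 0. */
void init_grid(grid_t *g)
{
    memset(g, 0, sizeof *g);
    for (int i = 1; i <= 4; i++) {
        g->px[1][i] = BORDER;
        g->px[4][i] = BORDER;
        g->px[i][1] = BORDER;
        g->px[i][4] = BORDER;
    }
}

/* Modelling assumption: only palette indices can be stored, so a negative
 * "colour" is dropped. The pixel therefore never compares equal to color
 * and the "already filled" test below never stops the recursion. */
static void set_pixel(grid_t *g, int x, int y, int color)
{
    if (color >= 0)
        g->px[y][x] = color;
}

static void fill_rec(grid_t *g, int x, int y, int border, int color)
{
    if (g->hit_cap)
        return;                          /* demo cap reached: abandon the fill */
    if (x < 0 || x >= W || y < 0 || y >= H)
        return;                          /* bounds check */
    if (g->cur_depth >= MAX_DEPTH) {
        g->hit_cap = 1;
        return;
    }
    int c = g->px[y][x];
    if (c == border || c == color)
        return;                          /* hit the border, or already filled */
    set_pixel(g, x, y, color);
    if (++g->cur_depth > g->max_depth)
        g->max_depth = g->cur_depth;
    fill_rec(g, x + 1, y, border, color);
    fill_rec(g, x - 1, y, border, color);
    fill_rec(g, x, y + 1, border, color);
    fill_rec(g, x, y - 1, border, color);
    g->cur_depth--;
}

static long count_color(const grid_t *g, int color)
{
    long n = 0;
    for (int y = 0; y < H; y++)
        for (int x = 0; x < W; x++)
            if (g->px[y][x] == color)
                n++;
    return n;
}

/* Unguarded variant: recurses straight away. Returns pixels painted. */
long fill_to_border_unguarded(grid_t *g, int x, int y, int border, int color)
{
    long before = count_color(g, color);
    g->cur_depth = g->max_depth = 0;
    g->hit_cap = 0;
    fill_rec(g, x, y, border, color);
    return count_color(g, color) - before;
}

/* Guarded variant: the "color < 0" test from the CVE description, next to
 * the border test. Returns pixels painted, or -1 if the request is refused. */
long fill_to_border(grid_t *g, int x, int y, int border, int color)
{
    if (border < 0 || color < 0)
        return -1;                       /* not a solid colour: refuse to fill */
    if (x < 0 || x >= W || y < 0 || y >= H)
        return -1;
    return fill_to_border_unguarded(g, x, y, border, color);
}

int main(void)
{
    grid_t g;
    init_grid(&g);
    long r = fill_to_border(&g, 2, 2, BORDER, -1);
    printf("guarded, color=-1: result %ld, cap hit %d\n", r, g.hit_cap);
    init_grid(&g);
    r = fill_to_border_unguarded(&g, 2, 2, BORDER, -1);
    printf("unguarded, color=-1: %ld painted, cap hit %d at depth %ld\n",
           r, g.hit_cap, g.max_depth);
    init_grid(&g);
    r = fill_to_border(&g, 2, 2, BORDER, 2);
    printf("guarded, color=2 from inside: %ld painted\n", r);
    return 0;
}
```

The guarded call returns -1 without touching the grid, while the unguarded call with the same arguments only stops because of the demo cap; with a valid colour both fill exactly the enclosed region (4 pixels from inside, 20 from outside). In gd a negative index is what a failed colour allocation hands back, so the value reaches the fill through ordinary caller mistakes, which is why the check belongs in the library rather than in every caller.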
Comment 26 Swamp Workflow Management 2017-01-04 14:07:46 UTC
SUSE-SU-2017:0017-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-28.2
Comment 27 Swamp Workflow Management 2017-01-05 18:08:33 UTC
SUSE-SU-2017:0038-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-89.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-89.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-89.2
Comment 28 Swamp Workflow Management 2017-01-08 00:10:00 UTC
openSUSE-SU-2017:0061-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-9.1
Comment 29 Swamp Workflow Management 2017-01-08 00:21:55 UTC
openSUSE-SU-2017:0081-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-72.1
openSUSE Leap 42.1 (src):    php5-5.5.14-71.1
Comment 30 Swamp Workflow Management 2017-01-11 20:09:21 UTC
SUSE-SU-2017:0109-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1012232,1015187,1015188,1015189,974305
CVE References: CVE-2014-9912,CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-94.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-94.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-94.1
Comment 32 Swamp Workflow Management 2017-01-30 13:26:36 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367
Comment 34 Swamp Workflow Management 2017-03-03 17:08:41 UTC
openSUSE-SU-2017:0598-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-75.2
openSUSE Leap 42.1 (src):    php5-5.5.14-75.1
Comment 36 Marcus Meissner 2017-06-15 20:08:16 UTC
released