Bug 1103659 (CVE-2018-14851) - VUL-1: CVE-2018-14851: php5,php7,php53: exif: buffer over-read in exif_process_IFD_in_MAKERNOTE()
Summary: VUL-1: CVE-2018-14851: php5,php7,php53: exif: buffer over-read in exif_proces...
Status: RESOLVED FIXED
Alias: CVE-2018-14851
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/212167/
Whiteboard: CVSSv3:RedHat:CVE-2018-14851:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-03 06:14 UTC by Marcus Meissner
Modified: 2023-10-26 10:35 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
bug76557.jpg (2.32 KB, image/jpeg)
2018-08-03 06:38 UTC, Marcus Meissner
bug76557.php (58 bytes, application/x-php)
2018-08-03 06:39 UTC, Marcus Meissner

Description Marcus Meissner 2018-08-03 06:14:48 UTC
rh#1609642

exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x
before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote
attackers to cause a denial of service (out-of-bounds read and application
crash) via a crafted JPEG file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1609642
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14851
http://www.cvedetails.com/cve/CVE-2018-14851/
https://bugs.php.net/bug.php?id=76557
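The affected ranges in the description above translate into a simple version-range check that an administrator can run against `php -v` output. The following is an added example written for this page, not code from the bug report or from PHP; the function names and the sample version strings are assumptions. One caveat the rest of this bug illustrates: distributions backport fixes without changing the upstream version string (SUSE shipped the fix as php53-5.3.17-112.38.1 and php5-5.5.14-109.38.1), so on such systems the package release, not this upstream check, is authoritative.

```python
"""Upstream version-range check for CVE-2018-14851 (added example, not from the bug report).

The ranges come from the CVE description quoted on the page:
  - before 5.6.37
  - 7.0.x before 7.0.31
  - 7.1.x before 7.1.20
  - 7.2.x before 7.2.8
Anything the description does not list (7.3 and later) is reported as not affected
by this advisory; the check says nothing about distro backports.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per 7.x branch, from the CVE description on the page.
FIXED_7: Dict[int, Version] = {
    0: (7, 0, 31),
    1: (7, 1, 20),
    2: (7, 2, 8),
}
# "PHP before 5.6.37": every release below this, whatever the branch, is listed.
FIXED_PRE_7: Version = (5, 6, 37)


def parse_php_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from a bare version string or the first line of `php -v`.

    Example input (constructed): "PHP 7.2.5 (cli) (built: Jan 1 2018 00:00:00)".
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the upstream version lies in a range the description lists as affected."""
    major, minor, _ = version
    if major < 7:
        return version < FIXED_PRE_7
    if major == 7 and minor in FIXED_7:
        return version < FIXED_7[minor]
    # 7.3+ and 8.x are not named in this advisory.
    return False


def check_php_output(php_v_output: str) -> Dict[str, object]:
    """Evaluate the text printed by `php -v` and return a small report dict."""
    version = parse_php_version(php_v_output)
    if version is None:
        return {"version": None, "affected": None, "reason": "could not parse version"}
    affected = is_affected(version)
    reason = ("upstream version below first fixed release" if affected
              else "upstream version at or above fixed release, or branch not listed")
    return {"version": version, "affected": affected, "reason": reason}


def check_local_php() -> Dict[str, object]:
    """Run the installed php binary (assumes it is on PATH) and evaluate its version."""
    out = subprocess.run(["php", "-v"], capture_output=True, text=True, check=False).stdout
    return check_php_output(out)


if __name__ == "__main__":
    # Offline demonstration on constructed `php -v` lines rather than a live binary.
    for sample in ("PHP 7.2.5 (cli) (built: Jan 1 2018 00:00:00)",
                   "PHP 7.0.31 (cli)",
                   "PHP 5.3.17 (cli)"):
        print(sample, "->", check_php_output(sample))
```

`check_local_php()` is the call to use on a real host; everything else runs offline against constructed strings.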
Comment 1 Marcus Meissner 2018-08-03 06:38:09 UTC
Created attachment 778809 [details]
bug76557.jpg

QA REPRODUCER: jpeg file
Comment 2 Marcus Meissner 2018-08-03 06:39:06 UTC
Created attachment 778810 [details]
bug76557.php

QA REPRODUCER:

- needs php-exif installed


php bug76557.php

valgrind php bug76557.php


should not show uninitialized reads
Comment 3 Petr Gajdos 2018-08-04 06:55:20 UTC
However, I do not get any valgrind error:

$ valgrind -q php bug76557.php
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x010F=Make       ): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote  ): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x0928) in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): File structure corrupted in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Invalid JPEG file in /103659/bug76557.php on line 2
PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /103659/bug76557.php on line 2
int(1)
$

The error output from the php side is almost identical from 15/php7 to 10sp3/php5.
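The warnings quoted in the comment above are what a production PHP error log records when exif_read_data() is handed a malformed image. The following is an added example, not code from the bug report: a small parser that groups such warnings per image and separates the benign "Illegal format code" noise from the structural failures ("Illegal pointer offset", "File structure corrupted", "Invalid JPEG file") that indicate a corrupt or crafted file reached the EXIF parser. The sample log lines are constructed in the shape of the ones quoted above, and the threshold and function names are assumptions.

```python
"""Group PHP exif_read_data() warnings per image (added example, not from the bug report)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample, modelled on the warnings quoted in this bug; the last line is
# an unrelated notice to show that non-EXIF lines are ignored.
SAMPLE_LOG = """\
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x010F=Make       ): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x0928) in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): File structure corrupted in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(bug76557.jpg): Invalid JPEG file in /103659/bug76557.php on line 2
PHP Warning:  exif_read_data(holiday.jpg): Process tag(x0110=Model      ): Illegal format code 0x0000, suppose BYTE in /var/www/upload.php on line 40
PHP Notice:  Undefined variable: foo in /var/www/app.php on line 10
"""

# Message fragments that mean the IFD walk bailed out on corrupt structure rather than
# on a single odd tag type.
STRUCTURAL_MARKERS = ("Illegal pointer offset", "File structure corrupted", "Invalid JPEG file")

EXIF_WARNING_RE = re.compile(
    r"^PHP Warning:\s+exif_read_data\((?P<image>[^)]+)\):\s+"
    r"(?P<msg>.*?) in (?P<script>\S+) on line (?P<line>\d+)$"
)


def parse_exif_warning(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one exif_read_data() warning, or None for any other line."""
    m = EXIF_WARNING_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["kind"] = "structural" if any(s in fields["msg"] for s in STRUCTURAL_MARKERS) else "format"
    return fields


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count 'format' and 'structural' warnings per image file name."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"format": 0, "structural": 0})
    for line in lines:
        rec = parse_exif_warning(line)
        if rec is not None:
            counts[rec["image"]][rec["kind"]] += 1
    return dict(counts)


def suspicious_images(lines: Iterable[str], min_structural: int = 1) -> List[str]:
    """Images whose EXIF data produced at least `min_structural` structural failures.

    `min_structural` is an assumed tunable: a single bad tag type is common in real photos,
    repeated structural corruption in one upload is worth a closer look.
    """
    summary = summarize(lines)
    return sorted(img for img, c in summary.items() if c["structural"] >= min_structural)


if __name__ == "__main__":
    for image, c in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{image}: {c['format']} format, {c['structural']} structural")
    print("suspicious:", suspicious_images(SAMPLE_LOG.splitlines()))
```

Run over a real php error log with `summarize(open(path))`; the regex only matches the `PHP Warning:  exif_read_data(...)` shape shown on this page, so other log formats need the prefix adjusted.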
Comment 4 Petr Gajdos 2018-08-04 08:08:05 UTC
The code is everywhere.
Same output AFTER.
Comment 5 Petr Gajdos 2018-08-04 09:14:08 UTC
Will submit for 15/php7, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 6 Petr Gajdos 2018-08-04 09:37:13 UTC
I believe all fixed.
Comment 9 Swamp Workflow Management 2018-08-16 07:08:18 UTC
SUSE-SU-2018:2333-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.44.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.44.1
Comment 10 Swamp Workflow Management 2018-08-16 07:11:12 UTC
SUSE-SU-2018:2337-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.6.1
Comment 11 Swamp Workflow Management 2018-08-17 10:31:30 UTC
openSUSE-SU-2018:2405-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-43.1
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.9.1
Comment 14 Swamp Workflow Management 2018-09-10 19:12:46 UTC
SUSE-SU-2018:2681-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103836,1105466
CVE References: CVE-2017-9118,CVE-2018-14851,CVE-2018-14883
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.38.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.38.1
Comment 15 Swamp Workflow Management 2018-09-10 19:13:57 UTC
SUSE-SU-2018:2682-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098,1103659,1105466
CVE References: CVE-2017-9118,CVE-2018-10360,CVE-2018-12882,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.38.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.38.1
Comment 16 Marcus Meissner 2018-09-11 10:04:36 UTC
released
Comment 17 Swamp Workflow Management 2018-09-12 10:09:24 UTC
openSUSE-SU-2018:2694-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098,1103659,1105466
CVE References: CVE-2017-9118,CVE-2018-10360,CVE-2018-12882,CVE-2018-14851
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-103.1
Comment 28 OBSbugzilla Bot 2020-05-12 08:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1103659) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 35 OBSbugzilla Bot 2023-10-26 10:35:14 UTC
This is an autogenerated message for OBS integration:
This bug (1103659) was mentioned in
https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81