Bugzilla – Bug 1103659
VUL-1: CVE-2018-14851: php5,php7,php53: exif: buffer over-read in exif_process_IFD_in_MAKERNOTE()
Last modified: 2023-10-26 10:35:14 UTC
rh#1609642

exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1609642
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14851
http://www.cvedetails.com/cve/CVE-2018-14851/
https://bugs.php.net/bug.php?id=76557

Created attachment 778809
bug76557.jpg

QA REPRODUCER: jpeg file

Created attachment 778810
bug76557.php

QA REPRODUCER:
- needs php-exif installed

php bug76557.php
valgrind php bug76557.php

should not show uninitialized reads
However, I do not get any valgrind error:

$ valgrind -q php bug76557.php
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x010F=Make ): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x8769=Exif_IFD_Po): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x927C=MakerNote ): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x0928) in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): File structure corrupted in /103659/bug76557.php on line 2
PHP Warning: exif_read_data(bug76557.jpg): Invalid JPEG file in /103659/bug76557.php on line 2
PHP Warning: count(): Parameter must be an array or an object that implements Countable in /103659/bug76557.php on line 2
int(1)
$

The error output from php side is almost identical from 15/php7 to 10sp3/php5.
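
Added example (not part of this bug report and not code from PHP's ext/exif/exif.c): a minimal, overflow-safe bounds check for a 12-byte TIFF/EXIF IFD entry, showing the kind of validation behind the "Illegal pointer offset(x30303030 + x30303030 = x60606060 > x0928)" warning in the output above. The function name, the sample buffers and the big-endian byte order are assumptions made for the illustration; the "treat unknown format as BYTE" step mirrors the "suppose BYTE" wording in the log.

```c
#include <stddef.h>
#include <stdint.h>

/* Bytes per TIFF/EXIF field type 1..12 (index 0 unused). */
static const uint8_t BYTES_PER_FORMAT[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)rd16(p, 1) << 16) | rd16(p + 2, 1)
              : ((uint32_t)rd16(p + 2, 0) << 16) | rd16(p, 0);
}

/* Returns 1 if the 12-byte IFD entry at entry_off, and the value it points
 * to, lie fully inside buf[0..buf_len); returns 0 otherwise. */
int ifd_entry_in_bounds(const uint8_t *buf, size_t buf_len, size_t entry_off, int be) {
    if (buf_len < 12 || entry_off > buf_len - 12)
        return 0;                       /* the entry itself is truncated */
    const uint8_t *e = buf + entry_off;
    uint16_t format = rd16(e + 2, be);
    uint32_t count = rd32(e + 4, be);
    if (format == 0 || format > 12)
        format = 1;                     /* unknown format: "suppose BYTE" */
    uint64_t byte_count = (uint64_t)count * BYTES_PER_FORMAT[format];
    if (byte_count <= 4)
        return 1;                       /* value is stored inline in the entry */
    uint64_t offset = rd32(e + 8, be);
    /* The 64-bit sum cannot wrap: both terms are far below 2^63. */
    return offset + byte_count <= buf_len;
}

/* Constructed sample mirroring the log: 0x0928 bytes of ASCII '0' (0x30),
 * so format = 0x3030 and count = offset = 0x30303030. */
int sample_zero_filled_entry(void) {
    uint8_t buf[0x0928];
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = 0x30;
    return ifd_entry_in_bounds(buf, sizeof buf, 8, 1);
}

/* Constructed sample: tag 0x010F (Make), ASCII, 6 bytes stored at offset 26. */
int sample_valid_entry(void) {
    uint8_t buf[64] = {0};
    const uint8_t entry[12] = {0x01, 0x0F, 0, 2, 0, 0, 0, 6, 0, 0, 0, 26};
    for (size_t i = 0; i < 12; i++) buf[8 + i] = entry[i];
    return ifd_entry_in_bounds(buf, sizeof buf, 8, 1);
}
```
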
The code is everywhere. Same output AFTER.
Will submit for 15/php7, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
I believe all fixed.
SUSE-SU-2018:2333-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php7-7.0.7-50.44.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.44.1

SUSE-SU-2018:2337-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src): php7-7.2.5-4.6.1

openSUSE-SU-2018:2405-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
openSUSE Leap 42.3 (src): php7-7.0.7-43.1
openSUSE Leap 15.0 (src): php7-7.2.5-lp150.2.9.1

SUSE-SU-2018:2681-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103836,1105466
CVE References: CVE-2017-9118,CVE-2018-14851,CVE-2018-14883
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-112.38.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-112.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.38.1

SUSE-SU-2018:2682-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098,1103659,1105466
CVE References: CVE-2017-9118,CVE-2018-10360,CVE-2018-12882,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php5-5.5.14-109.38.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.38.1
released
openSUSE-SU-2018:2694-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096984,1099098,1103659,1105466
CVE References: CVE-2017-9118,CVE-2018-10360,CVE-2018-12882,CVE-2018-14851
Sources used:
openSUSE Leap 42.3 (src): php5-5.5.14-103.1
This is an autogenerated message for OBS integration: This bug (1103659) was mentioned in https://build.opensuse.org/request/show/802846 Factory / php7
This is an autogenerated message for OBS integration: This bug (1103659) was mentioned in https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81