Bug 1140118 (CVE-2019-11038) - VUL-0: CVE-2019-11038: php5,php72, php7,php53: information disclosure in function gdImageCreateFromXbm()
Summary: VUL-0: CVE-2019-11038: php5,php72, php7,php53: information disclosure in fun...
Status: RESOLVED FIXED
Alias: CVE-2019-11038
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2019-08-21
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/235402/
Whiteboard: CVSSv2:NVD:CVE-2019-11038:5.0:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-02 15:56 UTC by Alexandros Toptsoglou
Modified: 2020-06-30 07:41 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
POC (295 bytes, application/x-php)
2019-07-02 16:00 UTC, Alexandros Toptsoglou

Description Alexandros Toptsoglou 2019-07-02 15:56:31 UTC
CVE-2019-11038

When using the gdImageCreateFromXbm() function of the PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.

Reference:
https://github.com/libgd/libgd/issues/501
https://bugs.php.net/bug.php?id=77973

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1724149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11038
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11038.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
https://bugs.php.net/bug.php?id=77973
Comment 1 Alexandros Toptsoglou 2019-07-02 15:59:57 UTC
All PHP versions that we ship are affected. The fix can be found at [1]. I reproduced the issue in LEAP 15 and php7. POC is attached.
To reproduce, simply run: valgrind php7 phpPOC
OUTPUT:
==23483== Conditional jump or move depends on uninitialised value(s)
==23483==    at 0x7E7A186: gdImageSetPixel (in /usr/lib64/libgd.so.3.0.5)
==23483==    by 0x7E99117: gdImageCreateFromXbm (in /usr/lib64/libgd.so.3.0.5)
==23483==    by 0x7C5CCE0: zif_imagecreatefromxbm (gd.c:2460)
==23483==    by 0x7C0443: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617)
==23483==    by 0x7C0443: execute_ex (zend_vm_execute.h:59734)
==23483==    by 0x7CB0A7: zend_execute (zend_vm_execute.h:63760)
==23483==    by 0x6FF43F: zend_execute_scripts (zend.c:1496)
==23483==    by 0x68D42F: php_execute_script (main.c:2590)
==23483==    by 0x7CDAE7: do_cli (php_cli.c:1011)
==23483==    by 0x50F79A: main (php_cli.c:1404)
[1] http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
Comment 2 Alexandros Toptsoglou 2019-07-02 16:00:30 UTC
Created attachment 809175 [details]
POC
Comment 3 Alexandros Toptsoglou 2019-07-02 16:03:08 UTC
bsc#1140120 is the separate bug for gd
Comment 5 Swamp Workflow Management 2019-07-16 09:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1140118) was mentioned in
https://build.opensuse.org/request/show/715621 Factory / gd
Comment 6 Petr Gajdos 2019-07-16 09:54:03 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> All php that we ship are affected. The fix can be found at [1]. I reproduced
> the issue in LEAP 15 and php7. POC is attached. 
> To reproduce simply run: valgrind php7 phpPOC 
>  OUTPUT:
> ==23483== Conditional jump or move depends on uninitialised value(s)
> ==23483==    at 0x7E7A186: gdImageSetPixel (in /usr/lib64/libgd.so.3.0.5)
> ==23483==    by 0x7E99117: gdImageCreateFromXbm (in
> /usr/lib64/libgd.so.3.0.5)
> ==23483==    by 0x7C5CCE0: zif_imagecreatefromxbm (gd.c:2460)
> ==23483==    by 0x7C0443: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER
> (zend_vm_execute.h:617)
> ==23483==    by 0x7C0443: execute_ex (zend_vm_execute.h:59734)
> ==23483==    by 0x7CB0A7: zend_execute (zend_vm_execute.h:63760)
> ==23483==    by 0x6FF43F: zend_execute_scripts (zend.c:1496)
> ==23483==    by 0x68D42F: php_execute_script (main.c:2590)
> ==23483==    by 0x7CDAE7: do_cli (php_cli.c:1011)
> ==23483==    by 0x50F79A: main (php_cli.c:1404)

However, as you can see from the above, the php gd extension is built against the system gd, so the gd update will fix it. This is unfortunately not true for versions of php older than the 7.2.5 we have in 15/php7 and 12/php72.
Comment 7 Petr Gajdos 2019-07-16 11:22:47 UTC
BEFORE

12/php7,11sp3/php53,11/php5

$ valgrind  -q php phpPOC
==19355== Conditional jump or move depends on uninitialised value(s)
==19355==    at 0x7214244: php_gd_gdImageSetPixel (gd.c:721)
==19355==    by 0x7229F3D: php_gd_gdImageCreateFromXbm (xbm.c:140)
==19355==    by 0x720ECA2: _php_image_create_from (gd.c:2385)
==19355==    by 0x720ECA2: zif_imagecreatefromxbm (gd.c:2449)
==19355==    by 0x3E32AC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==19355==    by 0x3D5F9A: execute_ex (zend_vm_execute.h:414)
==19355==    by 0x431FD2: zend_execute (zend_vm_execute.h:458)
==19355==    by 0x392E7F: zend_execute_scripts (zend.c:1427)
==19355==    by 0x32B28F: php_execute_script (main.c:2494)
==19355==    by 0x433D77: do_cli (php_cli.c:974)
==19355==    by 0x1DE05A: main (php_cli.c:1344)
==19355== 
PHP Warning:  imagecreatefromxbm(): EOF before image was complete in /140118/phpPOC on line 5
PHP Warning:  imagecreatefromxbm(): '/140118/test.xbm' is not a valid XBM file in /140118/phpPOC on line 5
$

I had to avoid using hex2bin() for 11sp3/php53 and older:

$ xxd test.xbm
0000000: 2364 6566 696e 6520 7769 6474 6820 320a  #define width 2.
0000010: 2364 6566 696e 6520 6865 6967 6874 2032  #define height 2
0000020: 0a73 7461 7469 6320 6368 6172 2062 6974  .static char bit
0000030: 735b 5d20 3d7b 0a7a 7a78 7a7a            s[] ={.zzxzz
$ cat phpPOC
<?php
$filepath = dirname(__FILE__).DIRECTORY_SEPARATOR."test.xbm";
$xbm = imagecreatefromxbm($filepath);
?>
$

PATCH

http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184

AFTER

$ valgrind  -q php phpPOC
PHP Warning:  imagecreatefromxbm(): invalid XBM in /140118/phpPOC on line 5
PHP Warning:  imagecreatefromxbm(): '/140118/test.xbm' is not a valid XBM file in /140118/phpPOC on line 5
$
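Added example, not code from libgd, PHP or this bug's attachment: a small C XBM reader that validates each hex token before using it, which is the check the patch linked above adds, run over the test.xbm from the xxd dump. Locating each byte by the 'x' of its 0xNN token and the result codes are my own simplification, not libgd's structure.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result codes returned by parse_xbm(). */
enum { XBM_OK = 0, XBM_BAD_HEADER = -1, XBM_EOF = -2, XBM_BAD_HEX = -3 };

/* Minimal XBM reader written for this note (not libgd's or PHP's code).
 * It reads "#define <name> W" / "#define <name> H", then locates each
 * 0xNN token by its 'x' and decodes (W+7)/8*H bytes into `out`.
 * Every hex token is validated before its value is used. */
int parse_xbm(const char *xbm, int *width, int *height,
              unsigned char *out, size_t outcap)
{
    if (sscanf(xbm, "#define %*s %d #define %*s %d", width, height) != 2 ||
        *width <= 0 || *height <= 0)
        return XBM_BAD_HEADER;
    size_t bytes = (size_t)((*width + 7) / 8) * (size_t)*height;
    if (bytes > outcap)
        return XBM_BAD_HEADER;
    const char *p = strchr(xbm, '{');
    if (!p)
        return XBM_BAD_HEADER;
    for (size_t n = 0; n < bytes; n++) {
        while (*p && *p != 'x')            /* find the next 0xNN token */
            p++;
        if (*p == '\0')
            return XBM_EOF;                /* "EOF before image was complete" */
        char h[3] = {0, 0, 0};
        h[0] = p[1];
        h[1] = h[0] ? p[2] : '\0';
        unsigned int b;
        /* The CVE-2019-11038 pattern is sscanf(h, "%x", &b) with its return
         * value ignored: on a token such as "zz" nothing is stored in b and
         * stale stack contents are written into the image. Check it. */
        if (!isxdigit((unsigned char)h[0]) || !isxdigit((unsigned char)h[1]) ||
            sscanf(h, "%x", &b) != 1)
            return XBM_BAD_HEX;            /* "invalid XBM" */
        out[n] = (unsigned char)b;
        p += 3;                            /* past 'x' and the two digits */
    }
    return XBM_OK;
}

/* Constructed input: the test.xbm from the xxd dump above (ends in "zzxzz"). */
static const char kPageXbm[] =
    "#define width 2\n#define height 2\nstatic char bits[] ={\nzzxzz";
```

On the page's file the reader rejects the token "zz" with XBM_BAD_HEX, the equivalent of the "invalid XBM" warning in the AFTER output; a file that ends mid-array yields XBM_EOF instead.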
Comment 8 Petr Gajdos 2019-07-16 11:23:40 UTC
Will submit for 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 9 Petr Gajdos 2019-07-16 11:26:26 UTC
Also fixed in devel:languages:php:php56/php5.
Comment 10 Petr Gajdos 2019-07-16 12:10:20 UTC
I believe all fixed.
Comment 12 Swamp Workflow Management 2019-08-07 11:53:07 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-08-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64336
Comment 14 Swamp Workflow Management 2019-08-28 19:14:08 UTC
SUSE-SU-2019:2243-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1140118,1145095,1146360
CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.85.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-09-03 16:12:22 UTC
SUSE-SU-2019:14158-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1140118,1145095,1146360
CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.71.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Alexandros Toptsoglou 2020-06-30 07:41:51 UTC
Done