Bugzilla – Bug 1140118
VUL-0: CVE-2019-11038: php5,php72, php7,php53: information disclosure in function gdImageCreateFromXbm()
Last modified: 2020-06-30 07:41:51 UTC
CVE-2019-11038 When using gdImageCreateFromXbm() function of PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. Reference: https://github.com/libgd/libgd/issues/501 https://bugs.php.net/bug.php?id=77973 References: https://bugzilla.redhat.com/show_bug.cgi?id=1724149 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11038 http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11038.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038 https://bugs.php.net/bug.php?id=77973
All php that we ship are affected. The fix can be found at [1]. I reproduced the issue in LEAP 15 and php7. POC is attached. To reproduce simply run: valgrind php7 phpPOC OUTPUT: ==23483== Conditional jump or move depends on uninitialised value(s) ==23483== at 0x7E7A186: gdImageSetPixel (in /usr/lib64/libgd.so.3.0.5) ==23483== by 0x7E99117: gdImageCreateFromXbm (in /usr/lib64/libgd.so.3.0.5) ==23483== by 0x7C5CCE0: zif_imagecreatefromxbm (gd.c:2460) ==23483== by 0x7C0443: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:617) ==23483== by 0x7C0443: execute_ex (zend_vm_execute.h:59734) ==23483== by 0x7CB0A7: zend_execute (zend_vm_execute.h:63760) ==23483== by 0x6FF43F: zend_execute_scripts (zend.c:1496) ==23483== by 0x68D42F: php_execute_script (main.c:2590) ==23483== by 0x7CDAE7: do_cli (php_cli.c:1011) ==23483== by 0x50F79A: main (php_cli.c:1404) [1] http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
Created attachment 809175 [details] POC
bsc#1140120 is the separate bug for gd
This is an autogenerated message for OBS integration: This bug (1140118) was mentioned in https://build.opensuse.org/request/show/715621 Factory / gd
(In reply to Alexandros Toptsoglou from comment #1) > All php that we ship are affected. The fix can be found at [1]. I reproduced > the issue in LEAP 15 and php7. POC is attached. > To reproduce simply run: valgrind php7 phpPOC > OUTPUT: > ==23483== Conditional jump or move depends on uninitialised value(s) > ==23483== at 0x7E7A186: gdImageSetPixel (in /usr/lib64/libgd.so.3.0.5) > ==23483== by 0x7E99117: gdImageCreateFromXbm (in > /usr/lib64/libgd.so.3.0.5) > ==23483== by 0x7C5CCE0: zif_imagecreatefromxbm (gd.c:2460) > ==23483== by 0x7C0443: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER > (zend_vm_execute.h:617) > ==23483== by 0x7C0443: execute_ex (zend_vm_execute.h:59734) > ==23483== by 0x7CB0A7: zend_execute (zend_vm_execute.h:63760) > ==23483== by 0x6FF43F: zend_execute_scripts (zend.c:1496) > ==23483== by 0x68D42F: php_execute_script (main.c:2590) > ==23483== by 0x7CDAE7: do_cli (php_cli.c:1011) > ==23483== by 0x50F79A: main (php_cli.c:1404) However, as you can see from the above, php gd extension is built against system gd, thus the gd update will fix it. This is unfortunately not true for older versions of php than 7.2.5 that we have in 15/php7 and 12/php72.
BEFORE 12/php7,11sp3/php53,11/php5 $ valgrind -q php phpPOC ==19355== Conditional jump or move depends on uninitialised value(s) ==19355== at 0x7214244: php_gd_gdImageSetPixel (gd.c:721) ==19355== by 0x7229F3D: php_gd_gdImageCreateFromXbm (xbm.c:140) ==19355== by 0x720ECA2: _php_image_create_from (gd.c:2385) ==19355== by 0x720ECA2: zif_imagecreatefromxbm (gd.c:2449) ==19355== by 0x3E32AC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) ==19355== by 0x3D5F9A: execute_ex (zend_vm_execute.h:414) ==19355== by 0x431FD2: zend_execute (zend_vm_execute.h:458) ==19355== by 0x392E7F: zend_execute_scripts (zend.c:1427) ==19355== by 0x32B28F: php_execute_script (main.c:2494) ==19355== by 0x433D77: do_cli (php_cli.c:974) ==19355== by 0x1DE05A: main (php_cli.c:1344) ==19355== PHP Warning: imagecreatefromxbm(): EOF before image was complete in /140118/phpPOC on line 5 PHP Warning: imagecreatefromxbm(): '/140118/test.xbm' is not a valid XBM file in /140118/phpPOC on line 5 $ I had to avoid using hex2bin() for 11sp3/php53 and older: $ xxd test.xbm 0000000: 2364 6566 696e 6520 7769 6474 6820 320a #define width 2. 0000010: 2364 6566 696e 6520 6865 6967 6874 2032 #define height 2 0000020: 0a73 7461 7469 6320 6368 6172 2062 6974 .static char bit 0000030: 735b 5d20 3d7b 0a7a 7a78 7a7a s[] ={.zzxzz $ cat phpPOC <?php $filepath = dirname(__FILE__).DIRECTORY_SEPARATOR."test.xbm"; $xbm = imagecreatefromxbm($filepath); ?> $ PATCH http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184 AFTER $ valgrind -q php phpPOC PHP Warning: imagecreatefromxbm(): invalid XBM in /140118/phpPOC on line 5 PHP Warning: imagecreatefromxbm(): '/140118/test.xbm' is not a valid XBM file in /140118/phpPOC on line 5 $
Will submit for 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5.
Also fixed in devel:languages:php:php56/php5.
I believe all fixed.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2019-08-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64336
SUSE-SU-2019:2243-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1140118,1145095,1146360 CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php7-7.0.7-50.85.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.85.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14158-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1140118,1145095,1146360 CVE References: CVE-2019-11038,CVE-2019-11041,CVE-2019-11042 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): php53-5.3.17-112.71.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.71.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.71.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-112.71.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done