Bugzilla – Bug 1204979
VUL-0: CVE-2022-31630: php53,php74,php8,php7: php: OOB read due to insufficient input validation in imageloadfont()
Last modified: 2022-11-23 10:59:27 UTC
It is possible to construct font files supposed to be loaded by imageloadfont() which trigger OOB reads if the fonts are actually accessed (e.g. by imagechar()). The given test script exploits that by triggering the assignment of a zero byte memory allocation to gdFont.data (which is happily accepted by imageloadfont()), and reads beyond this "buffer" when calling imagechar(). So if an application allows uploading arbitrary font files and working with these, it is likely vulnerable.

References:
https://www.php.net/ChangeLog-8.php#8.0.25
https://bugs.php.net/bug.php?id=81739

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2139280
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31630
This is an autogenerated message for OBS integration: This bug (1204979) was mentioned in https://build.opensuse.org/request/show/1033030 Factory / php7
BEFORE 15sp4/php8, 15sp4,15sp2/php7, 12/php74

<?php
$s = fopen(__DIR__ . "/font.font", "w");
// header without character data
fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
fclose($s);
$font = imageloadfont(__DIR__ . "/font.font");
$im = imagecreate(10, 10);
imagechar($im, $font, 0, 0, " ", imagecolorallocate($im, 255, 255, 255));
?>

:/204979 # php test.php
Segmentation fault (core dumped)
:/204979 #

PATCH https://github.com/php/php-src/commit/d50532be91f054ef9beb1afca2ea94f4a70f7c4d

[2022-10-18 10:17 UTC] cmb@php.net
This issue has been introduced with commit 88b6037[1], so versions prior to PHP 7.4.0 are not affected. We could simply revert that commit, but maybe it is better to duplicate the overflow check to avoid confusion.

I have verified that 15/php7 and 11sp3/php53 do not crash.

AFTER 15sp4/php8, 15sp4,15sp2/php7, 12/php74

:/204979 # php test.php
PHP Warning:  imageloadfont(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /204979/test.php on line 7
PHP Warning:  imageloadfont(): Error reading font, invalid font header in /204979/test.php on line 7
:/204979 #
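The description and the reproducer above both come down to one thing: imageloadfont() accepting a header whose declared pixel data is not actually in the file, so gdFont.data ends up far smaller than imagechar() assumes. As an added example (not code from this bug report, from PHP or from SUSE), the following user-land pre-check rejects such files before they ever reach imageloadfont(). It assumes the header layout imageloadfont() reads (four 32-bit integers nchars, offset, w, h, followed by nchars*w*h bytes of pixel data, in whichever byte order makes the declared body match the file), 64-bit PHP, and a hypothetical upload path; the function names gdfont_header_is_sane and gdfont_selfcheck are mine, and the two test files it writes are constructed from the reproducer's header.

```php
<?php
// Added example, not part of this bug report or of PHP itself: validate the
// header of a gd bitmap font file before handing it to imageloadfont().
// Assumed layout (as read by imageloadfont): four 32-bit integers
// nchars, offset, w, h, followed by nchars*w*h bytes of pixel data; the byte
// order is whichever makes the declared body size match the file. 'offset'
// is the code of the first character, not a file offset, so it is not checked.
// Assumes 64-bit PHP, where unpack('V'/'N') returns non-negative ints.

function gdfont_header_is_sane(string $path, int $max_body = 1 << 20): bool
{
    clearstatcache(true, $path);            // do not trust a cached size
    $size = filesize($path);
    if ($size === false || $size < 16) {
        return false;                       // no complete 16-byte header
    }
    $hdr = file_get_contents($path, false, null, 0, 16);
    if ($hdr === false || strlen($hdr) !== 16) {
        return false;
    }
    $body_in_file = $size - 16;

    // Try both byte orders; accept only a reading whose declared body is
    // non-empty, fits our size budget and exactly fills the rest of the file.
    foreach (['V4', 'N4'] as $fmt) {        // little-endian, then big-endian
        [$nchars, $offset, $w, $h] = array_values(unpack($fmt, $hdr));
        if ($nchars < 1 || $w < 1 || $h < 1 ||
            $nchars > 0x7fffffff || $w > 0x7fffffff || $h > 0x7fffffff) {
            continue;                       // zero, or negative as a C int
        }
        // Overflow-safe product in the order gd multiplies: nchars*h, then *w.
        if ($h > intdiv(0x7fffffff, $nchars) ||
            $w > intdiv(0x7fffffff, $nchars * $h)) {
            continue;                       // product would exceed INT_MAX
        }
        $body = $nchars * $w * $h;
        if ($body === $body_in_file && $body <= $max_body) {
            return true;
        }
    }
    return false;
}

// Exercise the check on two constructed files: the header-only file from the
// crash reproducer, and the same header followed by the 64 bytes it declares.
function gdfont_selfcheck(): array
{
    $hdr = "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00";
    $tmp = tempnam(sys_get_temp_dir(), 'gdf');
    file_put_contents($tmp, $hdr);
    $header_only = gdfont_header_is_sane($tmp);
    file_put_contents($tmp, $hdr . str_repeat("\x00", 64));
    $complete = gdfont_header_is_sane($tmp);
    unlink($tmp);
    return [
        'header_only_rejected' => !$header_only,   // expected true
        'complete_font_accepted' => $complete,     // expected true
    ];
}

var_dump(gdfont_selfcheck());

// Usage in an upload handler ($uploaded is a hypothetical path): refuse the
// file instead of letting imageloadfont() see it.
// if (!gdfont_header_is_sane($uploaded)) { /* reject the upload */ }
// $font = imageloadfont($uploaded);
```

The header-only reproducer fails both readings: little-endian declares 64 body bytes where the file has none, and the big-endian reading (nchars 0x01000000, w and h 0x08000000) trips the overflow check, which is the same condition the patched imageloadfont() reports. The check is a belt-and-braces measure for applications that must keep accepting user-supplied fonts; the actual fix is the updated php packages listed below.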
Submitted for 15sp4/php8, 15sp4,15sp2/php7, 12/php74. I believe all fixed.
SUSE-SU-2022:4005-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1204577,1204979
CVE References: CVE-2022-31630,CVE-2022-37454
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): apache2-mod_php8-8.0.25-150400.4.17.1, php8-8.0.25-150400.4.17.1, php8-embed-8.0.25-150400.4.17.1, php8-fastcgi-8.0.25-150400.4.17.1, php8-fpm-8.0.25-150400.4.17.1, php8-test-8.0.25-150400.4.17.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src): apache2-mod_php8-8.0.25-150400.4.17.1, php8-8.0.25-150400.4.17.1, php8-embed-8.0.25-150400.4.17.1, php8-fastcgi-8.0.25-150400.4.17.1, php8-fpm-8.0.25-150400.4.17.1, php8-test-8.0.25-150400.4.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3997-1: An update that fixes 8 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1203867,1203870,1204577,1204979
CVE References: CVE-2021-21707,CVE-2021-21708,CVE-2022-31625,CVE-2022-31626,CVE-2022-31628,CVE-2022-31629,CVE-2022-31630,CVE-2022-37454
JIRA References: SLE-23639
Sources used:
openSUSE Leap 15.4 (src): apache2-mod_php7-7.4.33-150400.4.13.1, php7-7.4.33-150400.4.13.1, php7-embed-7.4.33-150400.4.13.1, php7-fastcgi-7.4.33-150400.4.13.1, php7-fpm-7.4.33-150400.4.13.1, php7-test-7.4.33-150400.4.13.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): php7-embed-7.4.33-150400.4.13.1
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src): apache2-mod_php7-7.4.33-150400.4.13.1, php7-7.4.33-150400.4.13.1, php7-fastcgi-7.4.33-150400.4.13.1, php7-fpm-7.4.33-150400.4.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4068-1: An update that fixes 18 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1203867,1203870,1204577,1204979
CVE References: CVE-2017-8923,CVE-2020-7068,CVE-2020-7069,CVE-2020-7070,CVE-2020-7071,CVE-2021-21702,CVE-2021-21703,CVE-2021-21704,CVE-2021-21705,CVE-2021-21706,CVE-2021-21707,CVE-2021-21708,CVE-2022-31625,CVE-2022-31626,CVE-2022-31628,CVE-2022-31629,CVE-2022-31630,CVE-2022-37454
JIRA References: SLE-23639
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.33-1.47.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.33-1.47.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4069-1: An update that fixes 18 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1203867,1203870,1204577,1204979
CVE References: CVE-2017-8923,CVE-2020-7068,CVE-2020-7069,CVE-2020-7070,CVE-2020-7071,CVE-2021-21702,CVE-2021-21703,CVE-2021-21704,CVE-2021-21705,CVE-2021-21706,CVE-2021-21707,CVE-2021-21708,CVE-2022-31625,CVE-2022-31626,CVE-2022-31628,CVE-2022-31629,CVE-2022-31630,CVE-2022-37454
JIRA References: SLE-23639
Sources used:
openSUSE Leap 15.4 (src): php7-7.4.33-150200.3.46.2
openSUSE Leap 15.3 (src): php7-7.4.33-150200.3.46.2, php7-test-7.4.33-150200.3.46.2
SUSE Manager Server 4.1 (src): php7-7.4.33-150200.3.46.2
SUSE Manager Retail Branch Server 4.1 (src): php7-7.4.33-150200.3.46.2
SUSE Manager Proxy 4.1 (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Server 15-SP2-BCL (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): php7-7.4.33-150200.3.46.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): php7-7.4.33-150200.3.46.2
SUSE Enterprise Storage 7 (src): php7-7.4.33-150200.3.46.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.