Bugzilla – Bug 868624
VUL-1: CVE-2014-2497: php53,php5,gd: NULL ptr deref in GD XPM decoder
Last modified: 2020-05-18 11:53:41 UTC
via oss-sec CVE-2014-2497

From: Pierre Joye <pierre.php@gmail.com>
Date: Fri, 14 Mar 2014 15:03:25 +0100
Subject: [oss-security] CVE request, libgd and php's gd

hi,

Can someone request a CVE for https://bugs.php.net/bug.php?id=66901 please?

Affects all versions of libgd and php with XPM support enabled.

This issue is already public.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1076676
Created attachment 582348 [details]
CVE-2014-2497.xpm

reproducer:

    echo '<?php print imagecreatefromxpm("CVE-2014-2497.xpm")."\n"; ?>'|php

does not seem to work though, just reports

    PHP Warning: imagecreatefromxpm(): 'CVE-2014-2497.xpm' is not a valid XPM file in - on line 1
Created attachment 582349 [details]
CVE-2014-2497.xpm

corrected reproducer.

    echo '<?php print imagecreatefromxpm("CVE-2014-2497.xpm")."\n"; ?>'|php
    Segmentation fault

(should not segfault ;)
Affected packages:
SLE-11-SP3: gd, php53
SLE-10-SP3-TERADATA: gd
SLE-11-SP2: gd, php53
I get segfault for php down to 5.2.14, so all products are affected.
I would put it on planned updates for older SLE11 for now; you should fix SLE12, and you can fix openSUSE * already if you want to.
Ok -- as soon as upstream commit appears.
P3 for sles12.
P3 I said.
Still no commit addresses this.
... maybe because the php bug was wrongfully in 'Feedback' state. I have notified the relevant list.
No response on the list, contacting remi at php personally.
A patch appeared in php bugzilla from mejiaa at amazon:
https://bugs.php.net/patch-display.php?bug_id=66901&patch=bug66901-fix.patch&revision=latest

It seems it is not an April fool :), tested with 5.5.10:

    # echo '<?php print imagecreatefromxpm("CVE-2014-2497.xpm")."\n"; ?>'|php
    PHP Warning: imagecreatefromxpm(): 'CVE-2014-2497.xpm' is not a valid XPM file in - on line 1

I would wait for an upstream statement for a while though.
This patch simply rejects images with !image.colorTable[i].c_color for some i. Maybe we could proceed with this fix, as these XPMs were not readable by gd before anyway due to the segfault; what do you think?
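To illustrate the check the patch adds, here is an added example (not code from libgd, php or the patch itself) using a constructed, simplified model of the XPM colour table: an entry that defines only the "m" or "g" visual has no "c" colour, so c_color is NULL, and the converter rejects the image instead of handing that NULL to strcmp()/strlen(). The struct XpmColorEntry, parse_rgb() and convert_color_table() are assumptions for this example; the real decoder also handles more colour-spec forms than shown here.

```c
#include <stddef.h>
#include <string.h>

/* Constructed, simplified model of the per-entry colour record an XPM
 * parser hands to the decoder. An XPM colour line may define only the
 * "m" (mono) or "g" (grey) visual, so c_color is legitimately NULL then. */
typedef struct {
    const char *chars;    /* the pixel characters for this entry */
    const char *m_color;  /* "m" key, or NULL */
    const char *g_color;  /* "g" key, or NULL */
    const char *c_color;  /* "c" key, or NULL */
} XpmColorEntry;

/* Parse "#RRGGBB" into a 24-bit RGB value. Returns 0 on success, -1 otherwise. */
static int parse_rgb(const char *s, int *rgb)
{
    if (s[0] != '#' || strlen(s) != 7)
        return -1;
    int v = 0;
    for (int i = 1; i < 7; i++) {
        char ch = s[i];
        int d;
        if (ch >= '0' && ch <= '9')      d = ch - '0';
        else if (ch >= 'a' && ch <= 'f') d = ch - 'a' + 10;
        else if (ch >= 'A' && ch <= 'F') d = ch - 'A' + 10;
        else return -1;
        v = (v << 4) | d;
    }
    *rgb = v;
    return 0;
}

/* Convert an XPM colour table into a palette the way a decoder must after
 * the fix discussed above: an entry without a "c" colour makes the image
 * invalid, rather than being passed to strcmp()/strlen() as a NULL pointer.
 * palette[i] receives the RGB value, or -1 for a transparent ("None") entry.
 * Returns the number of entries converted, or -1 if the image is rejected. */
int convert_color_table(const XpmColorEntry *tab, int ncolors, int *palette)
{
    for (int i = 0; i < ncolors; i++) {
        const char *c = tab[i].c_color;
        if (c == NULL)                 /* the check the patch adds */
            return -1;
        if (strcmp(c, "None") == 0) {
            palette[i] = -1;           /* transparent pixel */
            continue;
        }
        if (parse_rgb(c, &palette[i]) != 0)
            return -1;                 /* unsupported colour spec: reject */
    }
    return ncolors;
}
```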
The fix looks sensible. For old SLE an update can be on the planned list, but sle12 and factory could be fixed already.
I got the idea to build php against the system libgd. I have been successful, but it appears that libgd doesn't work correctly as upstream does, though.
Reproducer for libgd:

    #include <stdio.h>
    #include <gd.h>

    gdImagePtr myLoadXpm(char *filename)
    {
        gdImagePtr im;

        /* The crash happens inside gdImageCreateFromXpm() on a malformed XPM. */
        im = gdImageCreateFromXpm(filename);
        /* WE allocated the memory, WE free it with our normal free function */
        return im;
    }

    int main(void)
    {
        gdImagePtr im = myLoadXpm("test.xpm");
        if (im == NULL) {
            fprintf(stderr, "test.xpm rejected\n");
            return 1;
        }
        gdImageDestroy(im);
        return 0;
    }
Submitted to sle12 and factory -> planned update for older distributions -> P4.
This is an autogenerated message for OBS integration:
This bug (868624) was mentioned in
https://build.opensuse.org/request/show/229014 Factory / php5
https://build.opensuse.org/request/show/229015 Factory / gd
This is an autogenerated message for OBS integration:
This bug (868624) was mentioned in
https://build.opensuse.org/request/show/229236 Factory / gd
php packages have been submitted. Leaving this bug assigned to me because of gd.
Affected packages:
SLE-11-SP3: php5, php53
SLE-11-SP1: php5
SLE-10-SP3: php5
php packages submitted again without a fix for CVE-2014-0185.
An update workflow for this issue was started. This issue was rated as low.
Please submit fixed packages until 2014-07-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57652
openSUSE-SU-2014:0784-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 13.1 (src): php5-5.4.20-8.2
openSUSE 12.3 (src): php5-5.3.17-3.12.2
openSUSE 12.2 (src): php5-5.3.15-1.25.1
An update workflow for this issue was started. This issue was rated as moderate.
Please submit fixed packages until 2014-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57809
openSUSE-SU-2014:0786-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 11.4 (src): php5-5.3.5-363.2
Update released for: apache2-mod_php53, php53, php53-bcmath, php53-bz2, php53-calendar, php53-ctype, php53-curl, php53-dba, php53-debuginfo, php53-debugsource, php53-devel, php53-dom, php53-enchant, php53-exif, php53-fastcgi, php53-fileinfo, php53-fpm, php53-ftp, php53-gd, php53-gettext, php53-gmp, php53-iconv, php53-imap, php53-intl, php53-json, php53-ldap, php53-mbstring, php53-mcrypt, php53-mysql, php53-odbc, php53-openssl, php53-pcntl, php53-pdo, php53-pear, php53-pgsql, php53-phar, php53-posix, php53-pspell, php53-readline, php53-shmop, php53-snmp, php53-soap, php53-sockets, php53-sqlite, php53-suhosin, php53-sysvmsg, php53-sysvsem, php53-sysvshm, php53-tidy, php53-tokenizer, php53-wddx, php53-xmlreader, php53-xmlrpc, php53-xmlwriter, php53-xsl, php53-zip, php53-zlib
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Update released for: apache2-mod_php53, php53, php53-bcmath, php53-bz2, php53-calendar, php53-ctype, php53-curl, php53-dba, php53-debuginfo, php53-debugsource, php53-devel, php53-dom, php53-enchant, php53-exif, php53-fastcgi, php53-fileinfo, php53-fpm, php53-ftp, php53-gd, php53-gettext, php53-gmp, php53-iconv, php53-imap, php53-intl, php53-json, php53-ldap, php53-mbstring, php53-mcrypt, php53-mysql, php53-odbc, php53-openssl, php53-pcntl, php53-pdo, php53-pear, php53-pgsql, php53-phar, php53-posix, php53-pspell, php53-readline, php53-shmop, php53-snmp, php53-soap, php53-sockets, php53-sqlite, php53-suhosin, php53-sysvmsg, php53-sysvsem, php53-sysvshm, php53-tidy, php53-tokenizer, php53-wddx, php53-xmlreader, php53-xmlrpc, php53-xmlwriter, php53-xsl, php53-zip, php53-zlib
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0868-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 868624,882992
CVE References: CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): php5-5.2.14-0.7.30.54.1
SUSE-SU-2014:0869-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 868624,880904,880905,882992
CVE References: CVE-2014-0237,CVE-2014-0238,CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): php53-5.3.17-0.23.5
SUSE Linux Enterprise Server 11 SP3 for VMware (src): php53-5.3.17-0.23.5
SUSE Linux Enterprise Server 11 SP3 (src): php53-5.3.17-0.23.5
SUSE Linux Enterprise Server 11 SP2 LTSS (src): php53-5.3.8-0.45.1
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0873-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 837746,854880,868624,882992
CVE References: CVE-2013-4248,CVE-2013-6420,CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): php5-5.2.14-0.48.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src): php5-5.2.14-0.48.1
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
released
SUSE-SU-2014:0873-2: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 837746,854880,868624,882992
CVE References: CVE-2013-4248,CVE-2013-6420,CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): php5-5.2.14-0.7.30.54.1