Bug 868624 - (CVE-2014-2497) VUL-1: CVE-2014-2497: php53,php5,gd: NULL ptr deref in GD XPM decoder
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97035/
Whiteboard: maint:running:57647:moderate maint:ru...
Depends on:
Blocks:
Reported: 2014-03-17 08:11 UTC by Marcus Meissner
Modified: 2020-05-18 11:53 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
CVE-2014-2497.xpm (428 bytes, text/plain), 2014-03-17 08:14 UTC, Marcus Meissner
CVE-2014-2497.xpm (694 bytes, text/plain), 2014-03-17 08:15 UTC, Marcus Meissner

Description Marcus Meissner 2014-03-17 08:11:18 UTC
via oss-sec

CVE-2014-2497

From: Pierre Joye <pierre.php@gmail.com>
Date: Fri, 14 Mar 2014 15:03:25 +0100
Subject: [oss-security] CVE request, libgd and php's gd


hi,

Can someone request a CVE for

https://bugs.php.net/bug.php?id=66901

please?

Affect all versions of libgd and php with XPM support enabled. This
issue is already public.



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1076676
Comment 1 Marcus Meissner 2014-03-17 08:14:42 UTC
Created attachment 582348 [details]
CVE-2014-2497.xpm

reproducer:

echo '<?php print imagecreatefromxpm("CVE-2014-2497.xpm")."\n"; ?>'|php


does not seem to work though, just reports
PHP Warning:  imagecreatefromxpm(): 'CVE-2014-2497.xpm' is not a valid XPM file in - on line 1
Comment 2 Marcus Meissner 2014-03-17 08:15:51 UTC
Created attachment 582349 [details]
CVE-2014-2497.xpm

corrected reproducer.

echo '<?php print imagecreatefromxpm("CVE-2014-2497.xpm")."\n"; ?>'|php
Segmentation fault

(should not segfault ;)
Comment 3 SMASH SMASH 2014-03-17 08:40:12 UTC
Affected packages:

SLE-11-SP3: gd, php53
SLE-10-SP3-TERADATA: gd
SLE-11-SP2: gd, php53
Comment 4 Petr Gajdos 2014-03-17 11:54:52 UTC
I get a segfault for php down to 5.2.14, so all products are affected.
Comment 5 Marcus Meissner 2014-03-17 12:46:47 UTC
I would put it on planned updates for older SLE11 for now,

you should fix SLE12

you can fix openSUSE * if you want to already.
Comment 6 Petr Gajdos 2014-03-17 12:51:37 UTC
Ok -- as soon as upstream commit appears.
Comment 7 Petr Gajdos 2014-03-17 13:13:30 UTC
P3 for sles12.
Comment 8 Petr Gajdos 2014-03-18 08:46:22 UTC
P3 I said.
Comment 9 Petr Gajdos 2014-03-21 07:15:10 UTC
Still no commit addresses this.
Comment 10 Petr Gajdos 2014-03-28 09:23:28 UTC
... maybe because the php bug was wrongly in the 'Feedback' state. I have notified the relevant list.
Comment 11 Petr Gajdos 2014-03-31 06:38:31 UTC
No response on the list, contacting remi at php personally.
Comment 12 Petr Gajdos 2014-04-02 10:42:59 UTC
A patch appeared in php bugzilla from mejiaa at amazon:
https://bugs.php.net/patch-display.php?bug_id=66901&patch=bug66901-fix.patch&revision=latest

It seems it is not an April fool :), tested with 5.5.10:

# echo '<?php print imagecreatefromxpm("CVE-2014-2497.xpm")."\n"; ?>'|php
PHP Warning:  imagecreatefromxpm(): 'CVE-2014-2497.xpm' is not a valid XPM file in - on line 1

I would wait for upstream statement for a while though.
Comment 13 Petr Gajdos 2014-04-03 07:42:40 UTC
This patch simply rejects images with !image.colorTable[i].c_color for some i. Maybe we could proceed with this fix, as these XPMs were not readable by gd before anyway due to the segfault, what do you think?
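The check described in this comment, as an added illustration that is neither gd's code nor the patch from the PHP bug: walk the XPM color table and reject a NULL c_color before it ever reaches strlen(), alongside the "#"-hex and "None" forms the decoder accepts. XpmColorEntry is a stand-in for the libxpm field gd reads; the real XpmColor struct has more members.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the color-table field gd reads from libxpm; the real
   XpmColor struct has more members (assumption for this example). */
typedef struct { const char *c_color; } XpmColorEntry;

/* Parse one XPM color string. Returns packed 0xRRGGBB, -2 for the
   transparent keyword "None", or -1 for an entry the decoder must
   reject. Accepts the forms gd switches on by strlen(): #RGB,
   #RRGGBB, #RRRGGGBBB and #RRRRGGGGBBBB. */
int xpm_color_parse(const char *c_color)
{
    size_t len, digits, ch, k;
    int packed = 0;
    if (c_color == NULL) return -1;   /* CVE-2014-2497: strlen(NULL) crashed here */
    if (strcmp(c_color, "None") == 0) return -2;
    len = strlen(c_color);
    if (c_color[0] != '#' || (len - 1) % 3 != 0) return -1;
    digits = (len - 1) / 3;
    if (digits < 1 || digits > 4) return -1;
    for (ch = 0; ch < 3; ch++) {
        unsigned long v = 0;
        for (k = 0; k < digits; k++) {
            char c = c_color[1 + ch * digits + k];
            v <<= 4;
            if (c >= '0' && c <= '9')      v |= (unsigned long)(c - '0');
            else if (c >= 'a' && c <= 'f') v |= (unsigned long)(c - 'a' + 10);
            else if (c >= 'A' && c <= 'F') v |= (unsigned long)(c - 'A' + 10);
            else return -1;               /* non-hex digit: reject, don't guess */
        }
        /* keep the 8 most significant bits; #RGB expands 0xA to 0xAA */
        v = (digits == 1) ? v * 17 : v >> (4 * digits - 8);
        packed = (packed << 8) | (int)v;
    }
    return packed;
}

/* Validate the whole table before decoding pixels, so a bad entry
   rejects the image instead of crashing partway through the loop. */
int xpm_color_table_valid(const XpmColorEntry *tbl, unsigned ncolors)
{
    unsigned i;
    for (i = 0; i < ncolors; i++)
        if (xpm_color_parse(tbl[i].c_color) == -1)
            return 0;
    return 1;
}
```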
Comment 14 Marcus Meissner 2014-04-03 15:41:57 UTC
The fix looks sensible. For old SLE an update can be on the planned list, but sle12 and factory could be fixed already.
Comment 16 Petr Gajdos 2014-04-04 12:47:24 UTC
I got the idea to build php against the system libgd. I have been successful, but it appears that libgd doesn't work as upstream correctly, though.
Comment 17 Petr Gajdos 2014-04-04 12:48:03 UTC
Reproducer for libgd:

/* build with: cc -o repro repro.c -lgd */
#include <stdio.h>
#include <gd.h>

gdImagePtr myLoadXpm(char *filename)
{
  gdImagePtr im;
  /* gd allocates the image; the caller releases it with gdImageDestroy */
  im = gdImageCreateFromXpm(filename);
  return im;
}

int main(void)
{
  gdImagePtr im = myLoadXpm("test.xpm");
  if (im == NULL) {
    fprintf(stderr, "test.xpm: not a valid XPM file\n");
    return 1;
  }
  printf("loaded %dx%d\n", gdImageSX(im), gdImageSY(im));
  gdImageDestroy(im);
  return 0;
}
Comment 18 Petr Gajdos 2014-04-04 12:50:20 UTC
Submitted to sle12 and factory -> planned update for older distributions -> P4.
Comment 19 Bernhard Wiedemann 2014-04-04 13:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (868624) was mentioned in
https://build.opensuse.org/request/show/229014 Factory / php5
https://build.opensuse.org/request/show/229015 Factory / gd
Comment 21 Bernhard Wiedemann 2014-04-07 08:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (868624) was mentioned in
https://build.opensuse.org/request/show/229236 Factory / gd
Comment 22 Petr Gajdos 2014-05-09 09:28:05 UTC
php packages have been submitted. Leaving this bug assigned to me because of gd.
Comment 24 SMASH SMASH 2014-05-23 11:00:16 UTC
Affected packages:

SLE-11-SP3: php5, php53
SLE-11-SP1: php5
SLE-10-SP3: php5
Comment 25 Petr Gajdos 2014-05-23 13:21:55 UTC
php packages submitted again without a fix for CVE-2014-0185.
Comment 28 Swamp Workflow Management 2014-06-03 15:13:27 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-07-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57652
Comment 29 Swamp Workflow Management 2014-06-12 15:05:12 UTC
openSUSE-SU-2014:0784-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 13.1 (src):    php5-5.4.20-8.2
openSUSE 12.3 (src):    php5-5.3.17-3.12.2
openSUSE 12.2 (src):    php5-5.3.15-1.25.1
Comment 30 Swamp Workflow Management 2014-06-12 15:26:31 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57809
Comment 31 Swamp Workflow Management 2014-06-12 19:04:21 UTC
openSUSE-SU-2014:0786-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 11.4 (src):    php5-5.3.5-363.2
Comment 33 Swamp Workflow Management 2014-07-03 18:50:58 UTC
Update released for: apache2-mod_php53, php53, php53-bcmath, php53-bz2, php53-calendar, php53-ctype, php53-curl, php53-dba, php53-debuginfo, php53-debugsource, php53-devel, php53-dom, php53-enchant, php53-exif, php53-fastcgi, php53-fileinfo, php53-fpm, php53-ftp, php53-gd, php53-gettext, php53-gmp, php53-iconv, php53-imap, php53-intl, php53-json, php53-ldap, php53-mbstring, php53-mcrypt, php53-mysql, php53-odbc, php53-openssl, php53-pcntl, php53-pdo, php53-pear, php53-pgsql, php53-phar, php53-posix, php53-pspell, php53-readline, php53-shmop, php53-snmp, php53-soap, php53-sockets, php53-sqlite, php53-suhosin, php53-sysvmsg, php53-sysvsem, php53-sysvshm, php53-tidy, php53-tokenizer, php53-wddx, php53-xmlreader, php53-xmlrpc, php53-xmlwriter, php53-xsl, php53-zip, php53-zlib
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 34 Swamp Workflow Management 2014-07-03 19:57:52 UTC
Update released for: apache2-mod_php53, php53, php53-bcmath, php53-bz2, php53-calendar, php53-ctype, php53-curl, php53-dba, php53-debuginfo, php53-debugsource, php53-devel, php53-dom, php53-enchant, php53-exif, php53-fastcgi, php53-fileinfo, php53-fpm, php53-ftp, php53-gd, php53-gettext, php53-gmp, php53-iconv, php53-imap, php53-intl, php53-json, php53-ldap, php53-mbstring, php53-mcrypt, php53-mysql, php53-odbc, php53-openssl, php53-pcntl, php53-pdo, php53-pear, php53-pgsql, php53-phar, php53-posix, php53-pspell, php53-readline, php53-shmop, php53-snmp, php53-soap, php53-sockets, php53-sqlite, php53-suhosin, php53-sysvmsg, php53-sysvsem, php53-sysvshm, php53-tidy, php53-tokenizer, php53-wddx, php53-xmlreader, php53-xmlrpc, php53-xmlwriter, php53-xsl, php53-zip, php53-zlib
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 35 Swamp Workflow Management 2014-07-03 22:04:29 UTC
SUSE-SU-2014:0868-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 868624,882992
CVE References: CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    php5-5.2.14-0.7.30.54.1
Comment 36 Swamp Workflow Management 2014-07-03 23:04:28 UTC
SUSE-SU-2014:0869-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 868624,880904,880905,882992
CVE References: CVE-2014-0237,CVE-2014-0238,CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    php53-5.3.17-0.23.5
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    php53-5.3.17-0.23.5
SUSE Linux Enterprise Server 11 SP3 (src):    php53-5.3.17-0.23.5
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    php53-5.3.8-0.45.1
Comment 37 Swamp Workflow Management 2014-07-04 19:54:24 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 38 Swamp Workflow Management 2014-07-04 20:51:08 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 39 Swamp Workflow Management 2014-07-05 00:05:41 UTC
SUSE-SU-2014:0873-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 837746,854880,868624,882992
CVE References: CVE-2013-4248,CVE-2013-6420,CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    php5-5.2.14-0.48.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    php5-5.2.14-0.48.1
Comment 40 Swamp Workflow Management 2014-07-07 13:51:20 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 41 Marcus Meissner 2014-07-07 15:25:46 UTC
released
Comment 42 Swamp Workflow Management 2014-07-07 17:05:17 UTC
SUSE-SU-2014:0873-2: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 837746,854880,868624,882992
CVE References: CVE-2013-4248,CVE-2013-6420,CVE-2014-2497,CVE-2014-4049
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    php5-5.2.14-0.7.30.54.1