Bug 962057 - (CVE-2016-1903) VUL-0: CVE-2016-1903: php5: Memory Read via gdImageRotateInterpolated Array Index Out of Bounds
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/160706/
CVSSv2:SUSE:CVE-2016-1903:5.0:(AV:N/A...
Reported: 2016-01-15 09:54 UTC by Johannes Segitz
Modified: 2016-04-27 19:49 UTC (History)

Found By: Security Response Team
Description Johannes Segitz 2016-01-15 09:54:45 UTC
CVE-2016-1903

Description:
------------
This is the function prototype for ImageRotate:

resource imagerotate ( resource $image , float $angle , int $bgd_color [, int $ignore_transparent = 0 ] )

$bgd_color specifies the background color of an image after it has been rotated. This is passed in as an integer that represents an index to the color palette.

There is a lack of validation of $bgd_color. One can pass in a large number that exceeds the color palette array. This reads memory beyond the color palette. Information from the memory leak can then be obtained via the background color after the image has been rotated.

More details in https://bugs.php.net/bug.php?id=70976

>= SLE 12 affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1903
http://seclists.org/oss-sec/2016/q1/100
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1903.html
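The missing index check described above, as an added example in C. This is not code from the bug report, from PHP or from libgd; the struct layout and all names (GD_MAX_COLORS, model_image, resolve_bg_color, resolve_on_palette) are our own, loosely modelled on a gd palette image, and the check against colorsTotal is what a defender would want rather than a claim about what the upstream commit does:

```c
#include <stdint.h>
#include <string.h>

/* Added example, not code from the bug report or from libgd: a reduced model of
 * a gd palette image plus the bounds check that imagerotate()'s $bgd_color
 * argument needs before it is used as a palette index. All names are our own. */
#define GD_MAX_COLORS 256   /* palette capacity of a gd palette image */

typedef struct {
    int trueColor;          /* 1 = pixels are packed 0xAARRGGBB, no palette */
    int colorsTotal;        /* palette entries actually allocated */
    int red[GD_MAX_COLORS], green[GD_MAX_COLORS], blue[GD_MAX_COLORS], alpha[GD_MAX_COLORS];
} model_image;

/* Resolve a background colour argument to a packed ARGB value. Returns 0 on
 * success, -1 if the index must not be used. Palette indices are checked against
 * colorsTotal, not the array capacity: entries past colorsTotal were never
 * assigned, so even an in-capacity index would hand back stale struct contents. */
int resolve_bg_color(const model_image *im, int bgd_color, uint32_t *out)
{
    if (bgd_color < 0)
        return -1;
    if (im->trueColor) {    /* already a packed colour, no palette lookup */
        *out = (uint32_t)bgd_color;
        return 0;
    }
    /* CVE-2016-1903 case: an index beyond the palette. Unchecked, 0x7ffffff9
     * would index roughly 8 GiB past the red[] array and crash or leak memory. */
    if (bgd_color >= im->colorsTotal)
        return -1;
    *out = ((uint32_t)im->alpha[bgd_color] << 24) | ((uint32_t)im->red[bgd_color] << 16)
         | ((uint32_t)im->green[bgd_color] << 8)  |  (uint32_t)im->blue[bgd_color];
    return 0;
}

/* Constructed fixture: a palette image with n entries, entry i = 0x00(10+i)(20+i)(30+i).
 * Returns the packed colour for bgd_color, or -1 if the index was rejected. */
long long resolve_on_palette(int n, int bgd_color)
{
    model_image im;
    uint32_t c = 0;
    memset(&im, 0, sizeof im);
    im.colorsTotal = n;
    for (int i = 0; i < n && i < GD_MAX_COLORS; i++) {
        im.red[i] = 0x10 + i; im.green[i] = 0x20 + i; im.blue[i] = 0x30 + i;
    }
    return resolve_bg_color(&im, bgd_color, &c) == 0 ? (long long)c : -1;
}
```

With a one-colour palette (the imagecreate(1,1) case from the report after one imagecolorallocate()), index 0 resolves to 0x00102030 and 0x7ffffff9 is rejected instead of reading past the palette.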
Comment 1 Swamp Workflow Management 2016-01-15 23:00:24 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-01-18 09:39:35 UTC
Hoping I have read php bug correctly, the appropriate fix is contained in:
https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4
Comment 3 Petr Gajdos 2016-01-18 10:27:44 UTC
Tested with php5 @ sle12.

$ rpm -qa | grep php5
php5-gd-5.5.14-0.x86_64
php5-5.5.14-0.x86_64
$ 

BEFORE:
$ php -r "imagerotate(imagecreate(1,1),45,0x7ffffff9);"
Segmentation fault (core dumped)
$

AFTER:
$ php -r "imagerotate(imagecreate(1,1),45,0x7ffffff9);"
PHP Warning:  imagerotate(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
 in Command line code on line 1
$
Comment 4 Petr Gajdos 2016-01-18 12:37:38 UTC
Submitted for sle12 (-> 42.1) and 13.2.
Comment 6 Bernhard Wiedemann 2016-01-18 13:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (962057) was mentioned in
https://build.opensuse.org/request/show/354582 13.2 / php5
Comment 7 Swamp Workflow Management 2016-01-26 17:15:34 UTC
openSUSE-SU-2016:0251-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,949962,962057
CVE References: CVE-2015-7803,CVE-2015-7804,CVE-2016-1903
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-39.1
Comment 9 Swamp Workflow Management 2016-01-29 15:13:42 UTC
SUSE-SU-2016:0284-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-42.2
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-42.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-42.2
Comment 10 Swamp Workflow Management 2016-02-07 19:14:15 UTC
openSUSE-SU-2016:0366-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-41.1
Comment 11 Marcus Meissner 2016-02-10 07:38:20 UTC
sle11 seems not affected.

closing