Bugzilla – Bug 962057
VUL-0: CVE-2016-1903: php5: Memory Read via gdImageRotateInterpolated Array Index Out of Bounds
Last modified: 2016-04-27 19:49:59 UTC
CVE-2016-1903

Description:
------------
This is the function prototype for ImageRotate:

resource imagerotate ( resource $image , float $angle , int $bgd_color [, int $ignore_transparent = 0 ] )

$bgd_color specifies the background color of an image after it has been rotated. This is passed in as an integer that represents an index to the color palette. There is a lack of validation of $bgd_color. One can pass in a large number that exceeds the color palette array. This reads memory beyond the color palette. Information of the memory leak can then be obtained via the background color after the image has been rotated.

More details in https://bugs.php.net/bug.php?id=70976

>= SLE 12 affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1903
http://seclists.org/oss-sec/2016/q1/100
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1903.html
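The missing validation described above, as an added example that is not part of the bug report and is not libgd or PHP code: a simplified model of a palette lookup with the index check in place. The type `palette_image`, the constant `MAX_COLORS` and all function names are hypothetical, and the sample image is constructed.

```c
#include <stdio.h>

#define MAX_COLORS 256   /* palette capacity in this model (assumption) */

typedef struct {         /* hypothetical stand-in for a palette image */
    int colors_total;    /* palette slots actually allocated */
    int red[MAX_COLORS], green[MAX_COLORS], blue[MAX_COLORS], alpha[MAX_COLORS];
} palette_image;

/* The pattern the report describes: a caller-supplied index used directly.
 * Kept for contrast; only ever reached below with a validated index. */
static int palette_to_truecolor(const palette_image *im, int idx)
{
    return (im->alpha[idx] << 24) | (im->red[idx] << 16) |
           (im->green[idx] << 8) | im->blue[idx];
}

/* Hardened lookup: 0 on success, -1 if idx is not an allocated palette slot.
 * Checking against colors_total, not MAX_COLORS, also rejects unallocated
 * slots that lie inside the array but hold stale data. */
static int bg_color_checked(const palette_image *im, int idx, int *out)
{
    if (im->colors_total < 0 || im->colors_total > MAX_COLORS)
        return -1;                       /* inconsistent image header */
    if (idx < 0 || idx >= im->colors_total)
        return -1;                       /* e.g. 0x7ffffff9 from the report */
    *out = palette_to_truecolor(im, idx);
    return 0;
}

/* Constructed sample: one allocated colour (0x11, 0x22, 0x33, opaque). */
static palette_image sample_image(void)
{
    palette_image im = {0};
    im.colors_total = 1;
    im.red[0] = 0x11; im.green[0] = 0x22; im.blue[0] = 0x33;
    return im;
}

/* Returns the packed colour for idx, or -1 when the index is rejected. */
static int lookup(int idx)
{
    palette_image im = sample_image();
    int c = 0;
    return bg_color_checked(&im, idx, &c) == 0 ? c : -1;
}

int main(void)
{
    printf("idx 0 -> %#x\n", (unsigned)lookup(0));
    printf("idx 0x7ffffff9 -> %d\n", lookup(0x7ffffff9));
    return 0;
}
```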
bugbot adjusting priority
Hoping I have read php bug correctly, the appropriate fix is contained in: https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4
Tested with php5 @ sle12.

$ rpm -qa | grep php5
php5-gd-5.5.14-0.x86_64
php5-5.5.14-0.x86_64
$

BEFORE:
$ php -r "imagerotate(imagecreate(1,1),45,0x7ffffff9);"
Segmentation fault (core dumped)
$

AFTER:
$ php -r "imagerotate(imagecreate(1,1),45,0x7ffffff9);"
PHP Warning: imagerotate(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully in Command line code on line 1
$
Submitted for sle12 (-> 42.1) and 13.2.
This is an autogenerated message for OBS integration:
This bug (962057) was mentioned in
https://build.opensuse.org/request/show/354582 13.2 / php5
openSUSE-SU-2016:0251-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 949961,949962,962057
CVE References: CVE-2015-7803,CVE-2015-7804,CVE-2016-1903
Sources used:
openSUSE 13.2 (src): php5-5.6.1-39.1
SUSE-SU-2016:0284-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-42.2
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-42.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-42.2
openSUSE-SU-2016:0366-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
openSUSE Leap 42.1 (src): php5-5.5.14-41.1
sle11 seems not affected. closing