Bug 991422 – VUL-0: CVE-2016-6292: php: Null pointer dereference in exif_process_user_comment

Bug 991422 - (CVE-2016-6292) VUL-0: CVE-2016-6292: php: Null pointer dereference in exif_process_user_comment

(CVE-2016-6292)
Summary:	VUL-0: CVE-2016-6292: php: Null pointer dereference in exif_process_user_comment

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/171315/
Whiteboard:	CVSSv2:SUSE:CVE-2016-6292:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-08-01 08:32 UTC by Sebastian Krahmer
Modified:	2016-11-01 15:22 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
test jpg (3.62 KB, image/jpeg) 2016-08-02 14:52 UTC, Petr Gajdos	Details
phpt (386 bytes, text/x-vhdl) 2016-08-02 14:53 UTC, Petr Gajdos	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2016-08-01 08:32:36 UTC

Quoting from RH BZ:

Null pointer dereference vulnerability was found in exif_process_user_comment when trying to encode JIS string.

rh#1359756

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1359756
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6292
http://seclists.org/oss-sec/2016/q3/137
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6292.html
http://www.debian.org/security/2016/dsa-3631
http://www.cvedetails.com/cve/CVE-2016-6292/

Comment 1 Petr Gajdos 2016-08-02 09:05:20 UTC

Quoting from RH BZ:

Null pointer dereference vulnerability was found in exif_process_user_comment when trying to encode JIS string.

Upstream bug:

https://bugs.php.net/bug.php?id=72618

Upstream patch:

http://git.php.net/?p=php-src.git;a=commit;h=41131cd41d2fd2e0c2f332a27988df75659c42e4

CVE assignment:

http://seclists.org/oss-sec/2016/q3/137

Comment 2 Petr Gajdos 2016-08-02 14:52:57 UTC

Created attachment 686499 [details]
test jpg

Comment 3 Petr Gajdos 2016-08-02 14:53:27 UTC

Created attachment 686500 [details]
phpt

Comment 4 Petr Gajdos 2016-08-02 15:08:23 UTC

BEFORE I get segfault on 12/php7, 13.2/php5 and 12/php5. In the 11sp3/php53, I get no segfault, but 'PHP Warning:  exif_read_data(bug72618.jpg): Illegal IFD offset in /991422/bug72618.phpt on line 7' instead. As the code is not there, also, considering 11sp3/php53 and older not affected.

AFTER patch is applied, I get similar warning above.

Comment 5 Petr Gajdos 2016-08-04 08:54:27 UTC

I believe all affected code streams fixed.

Comment 6 Bernhard Wiedemann 2016-08-04 10:01:21 UTC

This is an autogenerated message for OBS integration:
This bug (991422) was mentioned in
https://build.opensuse.org/request/show/416889 13.2 / php5

Comment 8 Swamp Workflow Management 2016-08-15 13:09:07 UTC

openSUSE-SU-2016:2071-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437
CVE References: CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-72.1

Comment 10 Swamp Workflow Management 2016-09-28 13:10:31 UTC

SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-73.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-73.1

Comment 11 Swamp Workflow Management 2016-10-04 15:11:47 UTC

openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-59.1

Comment 12 Andreas Stieger 2016-10-05 15:24:01 UTC

done

Comment 13 Swamp Workflow Management 2016-10-05 19:09:26 UTC

SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1

Comment 14 Swamp Workflow Management 2016-11-01 15:22:13 UTC

SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1