Bugzilla – Bug 991427
VUL-0: CVE-2016-6291: php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
Last modified: 2017-09-19 14:35:37 UTC
Quoting from RH BZ: An out-of-bounds access due to lack of size check of buffer may lead to memory buffer overflow. rh#1359718

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1359718
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6291
http://seclists.org/oss-sec/2016/q3/137
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6291.html
http://www.debian.org/security/2016/dsa-3631
http://www.cvedetails.com/cve/CVE-2016-6291/
Quoting from RH BZ: An out-of-bounds access due to lack of size check of buffer may lead to memory buffer overflow.

Upstream bug: https://bugs.php.net/bug.php?id=72603
Upstream patch: http://git.php.net/?p=php-src.git;a=commit;h=eebcbd5de38a0f1c2876035402cb770e37476519
CVE assignment: http://seclists.org/oss-sec/2016/q3/137
Not sure how to reproduce the bug with the testcase in the PHP bug. Patches applied everywhere, considering affected.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-08-17. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62922
I believe all affected code streams fixed.
This is an autogenerated message for OBS integration: This bug (991427) was mentioned in https://build.opensuse.org/request/show/416889 13.2 / php5
CVSSv2:SUSE:CVE-2016-6291:5.8:(AV:N/AC:M/Au:N/C:N/I:P/A:P)
openSUSE-SU-2016:2071-1: An update that fixes 12 vulnerabilities is now available. Category: security (moderate) Bug References: 987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437 CVE References: CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297 Sources used: openSUSE 13.2 (src): php5-5.6.1-72.1
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437 CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php5-5.2.14-0.7.30.89.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php5-5.2.14-0.7.30.89.1
Created attachment 689043 [details] CVE-2016-6291.jpg QA REPRODUCER: jpeg file for next comment. CVE-2016-6291.jpg
Created attachment 689044 [details] CVE-2016-6291.php QA REPRODUCER: php CVE-2016-6291.jpg (unclear what bad and good is, the output should change though)
SUSE-SU-2016:2210-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 987530,991426,991427,991428,991429,991430,991433,991437 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-79.2 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-79.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-79.2
Using the attached reproducer with the attached jpeg I get the output below:

Before:
~~~~~~~
d21:/tmp/kostas # php 991427.php
PHP Warning: exif_read_data(CVE-2016-6291.jpg): Illegal IFD offset in /tmp/kostas/991427.php on line 2
array(16) {
  ["FileName"]=>
  string(17) "CVE-2016-6291.jpg"
  ["FileDateTime"]=>
  int(1473934530)
  ["FileSize"]=>
  int(3711)
  ["FileType"]=>
  int(2)
  ["MimeType"]=>
  string(10) "image/jpeg"
  ["SectionsFound"]=>
  string(30) "ANY_TAG, IFD0, EXIF, MAKERNOTE"
  ["COMPUTED"]=>
  array(8) {
    ["IsColor"]=>
    int(0)
    ["ByteOrderMotorola"]=>
    int(0)
    ["ApertureFNumber"]=>
    string(5) "f/1.0"
    ["UserComment"]=>
    string(80) "????????????????????????????????????????????????????????????????????????????????"
    ["UserCommentEncoding"]=>
    string(7) "UNICODE"
    ["Copyright"]=>
    string(45) "FFFFFFFFFFFFF, DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
    ["Copyright.Photographer"]=>
    string(13) "FFFFFFFFFFFFF"
    ["Copyright.Editor"]=>
    string(30) "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
  }
  ["XResolution"]=>
  string(21) "1414812756/1414812756"
  ["ExposureTime"]=>
  string(21) "1414812756/1414812756"
  ["FNumber"]=>
  string(21) "1414812756/1414812756"
  ["UserComment"]=>
  string(7) "UNICODE"
  ["Copyright"]=>
  string(13) "FFFFFFFFFFFFF"
  ["Make"]=>
  string(5) "Canon"
  ["MakerNote"]=>
  array(7) {
    [0]=>
    int(34078722)
    [1]=>
    int(65538)
    [2]=>
    int(-91095040)
    [3]=>
    int(-1836646401)
    [4]=>
    int(16711682)
    [5]=>
    int(0)
    [6]=>
    int(1381105664)
  }
  ["UndefinedTag:0x0208"]=>
  string(1) "�"
  ["UndefinedTag:0x9286"]=>
  string(12) "ExposureTime"
}

After:
~~~~~~
d21:/tmp/kostas # php 991427.php
PHP Warning: exif_read_data(CVE-2016-6291.jpg): IFD data bad offset: 0x058C length 0x001C in /tmp/kostas/991427.php on line 2
array(13) {
  ["FileName"]=>
  string(17) "CVE-2016-6291.jpg"
  ["FileDateTime"]=>
  int(1473934530)
  ["FileSize"]=>
  int(3711)
  ["FileType"]=>
  int(2)
  ["MimeType"]=>
  string(10) "image/jpeg"
  ["SectionsFound"]=>
  string(30) "ANY_TAG, IFD0, EXIF, MAKERNOTE"
  ["COMPUTED"]=>
  array(8) {
    ["IsColor"]=>
    int(0)
    ["ByteOrderMotorola"]=>
    int(0)
    ["ApertureFNumber"]=>
    string(5) "f/1.0"
    ["UserComment"]=>
    string(80) "????????????????????????????????????????????????????????????????????????????????"
    ["UserCommentEncoding"]=>
    string(7) "UNICODE"
    ["Copyright"]=>
    string(45) "FFFFFFFFFFFFF, DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
    ["Copyright.Photographer"]=>
    string(13) "FFFFFFFFFFFFF"
    ["Copyright.Editor"]=>
    string(30) "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
  }
  ["XResolution"]=>
  string(21) "1414812756/1414812756"
  ["ExposureTime"]=>
  string(21) "1414812756/1414812756"
  ["FNumber"]=>
  string(21) "1414812756/1414812756"
  ["UserComment"]=>
  string(7) "UNICODE"
  ["Copyright"]=>
  string(13) "FFFFFFFFFFFFF"
  ["Make"]=>
  string(5) "Canon"
}

Running the testsuite I had a regression that showed this test failing after: PHPTEST2061

PHPTEST2061:

Before:
~~~~~~~
s390vsw116:/usr/share/qa/qa_test_php53/ext/exif/tests # ./bug54002.sh
Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php on line 2
Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(x30303130 + x0044 = x30303174 > x1BF5) in /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php on line 2
Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php on line 3
Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(x30303130 + x0044 = x30303174 > x1BF5) in /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php on line 3

After:
~~~~~~
s390vsw116:/usr/share/qa/qa_test_php53/ext/exif/tests # ./bug54002.sh
Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php on line 2
Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php on line 3

The test's src code is:

s390vsw116:/tmp/kostas # cat /usr/share/qa/qa_test_php53/ext/exif/tests/bug54002.php
<?php
exif_read_data(__DIR__ . '/bug54002_1.jpeg');
exif_read_data(__DIR__ . '/bug54002_2.jpeg');
?>

My question is: are the results I have an improvement? And if so, why do I get the Illegal byte_count warning still? Is this a new bug? Basically I think that there is an improvement, since from 4 warnings we go to 2, but why are there still 2?

The update with this patch is released today. I am not making the comment private since this is released; let me know if I should.
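The QA comment above shows what the fix changes in practice: the unpatched build walks the MAKERNOTE sub-IFD wherever its offset points and emits MakerNote and UndefinedTag entries, while the patched build refuses the IFD with "IFD data bad offset: 0x058C length 0x001C", i.e. the IFD start lies far beyond the 0x1C bytes the tag value actually holds. The C below is an added illustration of that bug class and of the bounds checks that close it; it is not PHP's exif.c and not the upstream patch eebcbd5, and the names mn_parse, mn_overread_bytes, mn_entry_count and the sample byte buffers are this example's own. It assumes the standard EXIF IFD layout (2-byte entry count followed by 12-byte entries) and treats the MAKERNOTE value as an opaque buffer of value_len bytes preceded by a vendor header of maker_offset bytes.

```c
/*
 * Added example for the CVE-2016-6291 bug class (not PHP's exif.c and not
 * the upstream fix): a maker-note sub-IFD parser that checks every offset
 * against the MAKERNOTE tag's value length before dereferencing it.
 * Assumed layout: vendor header of maker_offset bytes, then a 2-byte entry
 * count, then count * 12-byte IFD entries. All names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IFD_ENTRY_SIZE 12   /* tag(2) + type(2) + count(4) + value/offset(4) */

enum mn_status {
    MN_OK = 0,
    MN_BAD_OFFSET,  /* the 2-byte entry count would lie outside the value */
    MN_BAD_SIZE     /* the entry table would run past the end of the value */
};

struct mn_ifd {
    uint16_t entries;         /* entry count read from the IFD header */
    size_t   entries_offset;  /* offset of the first entry within the value */
};

/* Read a 16-bit integer in the byte order declared for the maker note. */
static uint16_t get16(const uint8_t *p, int motorola)
{
    return motorola ? (uint16_t)((p[0] << 8) | p[1])
                    : (uint16_t)((p[1] << 8) | p[0]);
}

/*
 * Hardened parse. Both checks are written as subtractions from value_len so
 * that a huge maker_offset or entry count cannot wrap the comparison.
 * out may be NULL when only the verdict is wanted.
 */
enum mn_status mn_parse(const uint8_t *value, size_t value_len,
                        size_t maker_offset, int motorola, struct mn_ifd *out)
{
    /* Check 1: the entry count itself must be inside the value. */
    if (value_len < 2 || maker_offset > value_len - 2)
        return MN_BAD_OFFSET;

    uint16_t n = get16(value + maker_offset, motorola);

    /* Check 2: maker_offset + 2 + n*12 <= value_len, without overflow. */
    if ((size_t)n * IFD_ENTRY_SIZE > value_len - 2 - maker_offset)
        return MN_BAD_SIZE;

    if (out) {
        out->entries = n;
        out->entries_offset = maker_offset + 2;
    }
    return MN_OK;
}

/* Convenience wrapper: the entry count, or -1 when the IFD is rejected. */
int mn_entry_count(const uint8_t *value, size_t value_len,
                   size_t maker_offset, int motorola)
{
    struct mn_ifd ifd;
    return mn_parse(value, value_len, maker_offset, motorola, &ifd) == MN_OK
           ? (int)ifd.entries : -1;
}

/*
 * The pre-fix failure mode, modelled rather than executed: how many bytes
 * past the end of the value a parser without the checks above would read
 * while fetching the count and walking the entry table. 0 means in bounds.
 */
size_t mn_overread_bytes(const uint8_t *value, size_t value_len,
                         size_t maker_offset, int motorola)
{
    size_t need = maker_offset + 2;
    if (need <= value_len)   /* count is readable; add the table it announces */
        need += (size_t)get16(value + maker_offset, motorola) * IFD_ENTRY_SIZE;
    return need > value_len ? need - value_len : 0;
}

/* Constructed sample values (not the attachment on this bug). */

/* Well-formed: no vendor header, two little-endian SHORT entries (2 + 2*12 bytes). */
static const uint8_t mn_good[26] = {
    0x02, 0x00,                                                         /* 2 entries */
    0x01, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
};

/* Same size, but the header claims 0x1000 entries (49152 bytes of table). */
static const uint8_t mn_big_count[26] = { 0x00, 0x10 };

/* A 0x1C-byte value; parsed with maker_offset 0x58C this mirrors the
 * offset/length pair in the post-fix warning quoted on this bug. */
static const uint8_t mn_short[0x1C] = { 0 };

int main(void)
{
    printf("good:          %d entries, unchecked over-read %zu bytes\n",
           mn_entry_count(mn_good, sizeof mn_good, 0, 0),
           mn_overread_bytes(mn_good, sizeof mn_good, 0, 0));
    printf("big count:     status %d, unchecked over-read %zu bytes\n",
           mn_parse(mn_big_count, sizeof mn_big_count, 0, 0, NULL),
           mn_overread_bytes(mn_big_count, sizeof mn_big_count, 0, 0));
    printf("0x58C in 0x1C: status %d, unchecked over-read %zu bytes\n",
           mn_parse(mn_short, sizeof mn_short, 0x58C, 0, NULL),
           mn_overread_bytes(mn_short, sizeof mn_short, 0x58C, 0));
    return 0;
}
```

The two checks are deliberately separate: the first guards the read of the entry count (the "bad offset" case), the second guards the entry table that the count announces (the "illegal IFD size" case); a parser that does only the second still reads the count out of bounds when the vendor offset is already past the end. mn_overread_bytes exists only to quantify what an unchecked parse would touch; it never performs the read.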
SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available. Category: security (important) Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-55.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php53-5.3.17-55.1
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-73.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-73.1
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-59.1
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
released
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367