Bug 986386 – VUL-0: CVE-2016-5766: php5,php53: Integer Overflow in _gd2GetHeader() resulting in heap overflow

Bug 986386 - (CVE-2016-5766) VUL-0: CVE-2016-5766: php5,php53: Integer Overflow in _gd2GetHeader() resulting in heap overflow

(CVE-2016-5766)
Summary:	VUL-0: CVE-2016-5766: php5,php53: Integer Overflow in _gd2GetHeader() resulti...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170460/
Whiteboard:	CVSSv2:SUSE:CVE-2016-5766:6.8:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-06-24 10:00 UTC by Marcus Meissner
Modified:	2017-10-26 05:47 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
bug72339.gd.bz2 (110 bytes, application/octet-stream) 2016-06-24 10:07 UTC, Marcus Meissner	Details
xx.php (44 bytes, text/plain) 2016-06-24 10:07 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-24 10:00:10 UTC

http://seclists.org/oss-sec/2016/q2/589

    GD:
        Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
        heap overflow). (Pierre)

    https://bugs.php.net/bug.php?id=72339
    http://git.php.net/?p=php-src.git;a=commitdiff;h=7722455726bec8c53458a32851d2a87982cf0eac


Use CVE-2016-5766.

Comment 1 Petr Gajdos 2016-06-24 10:04:27 UTC

Note that you maybe should start to write also php7 as we are going to maintain it in 12sp2 and there is no room for version update anymore - Leonardo push it into QA.

Comment 2 Marcus Meissner 2016-06-24 10:07:12 UTC

Created attachment 682013 [details]
bug72339.gd.bz2

QA REPRODUCER:

download this file,
bunzip2 bug72339.gd.bz2

... continue in next comment ...

Comment 3 Marcus Meissner 2016-06-24 10:07:39 UTC

Created attachment 682014 [details]
xx.php

QA REPRODUCER:

php xx.php


will crash with the supplied gd file.

Comment 4 Marcus Meissner 2016-06-24 10:09:38 UTC

hmm yes.

you can still push a minor version update for php7 currently, as QA has not started testing it yet.

Comment 5 Swamp Workflow Management 2016-06-24 22:00:44 UTC

bugbot adjusting priority

Comment 6 Petr Gajdos 2016-06-27 15:17:48 UTC

Segfaults for 12sp2/php7 down to 11/php5.

Comment 7 Petr Gajdos 2016-06-29 08:43:02 UTC

Packages submitted.

Comment 9 Bernhard Wiedemann 2016-06-29 10:00:43 UTC

This is an autogenerated message for OBS integration:
This bug (986386) was mentioned in
https://build.opensuse.org/request/show/405425 13.2 / php5

Comment 11 Bernhard Wiedemann 2016-06-29 14:03:17 UTC

This is an autogenerated message for OBS integration:
This bug (986386) was mentioned in
https://build.opensuse.org/request/show/405458 13.2 / php5

Comment 12 Swamp Workflow Management 2016-07-07 16:09:07 UTC

openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-69.1

Comment 15 Swamp Workflow Management 2016-07-20 22:10:04 UTC

SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-68.1

Comment 16 Swamp Workflow Management 2016-08-01 03:09:53 UTC

openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-56.1

Comment 19 Swamp Workflow Management 2016-08-09 15:38:25 UTC

SUSE-SU-2016:2013-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-74.1

Comment 20 Sebastian Krahmer 2016-08-10 10:03:28 UTC

CVSSv2:SUSE:CVE-2016-5766:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Comment 21 Swamp Workflow Management 2016-08-16 11:10:31 UTC

SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php5-5.2.14-0.7.30.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php5-5.2.14-0.7.30.89.1

Comment 23 Petr Gajdos 2017-08-08 11:10:55 UTC

http://git.php.net/?p=php-src.git;a=commit;h=5f107ab8a66f8b36ac0c0b32e0231bf94e083c94

This is also needed to not use unitialized variable.

Comment 24 Petr Gajdos 2017-08-08 11:37:09 UTC

Packages submitted for: 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.

Comment 28 Swamp Workflow Management 2017-08-30 17:32:41 UTC

SUSE-SU-2017:2303-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1047454,1048094,1048096,1048100,1048111,1048112,1050241,1050726,1052389,1053645,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11142,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.9.2
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-50.9.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.9.2

Comment 29 Swamp Workflow Management 2017-09-01 01:08:36 UTC

SUSE-SU-2017:2317-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048097,1048111,1048112,1050241,1050726,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11143,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-109.5.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.5.1

Comment 30 Swamp Workflow Management 2017-09-04 10:09:28 UTC

openSUSE-SU-2017:2337-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1047454,1048094,1048096,1048100,1048111,1048112,1050241,1050726,1052389,1053645,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11142,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-19.1
openSUSE Leap 42.2 (src):    php7-7.0.7-14.9.1

Comment 32 Swamp Workflow Management 2017-09-06 01:11:15 UTC

openSUSE-SU-2017:2366-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048097,1048111,1048112,1050241,1050726,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11143,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-82.1
openSUSE Leap 42.2 (src):    php5-5.5.14-77.9.1

Comment 33 Swamp Workflow Management 2017-09-18 16:12:40 UTC

SUSE-SU-2017:2522-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048111,1048112,1050241,1050726,1054430,986386
CVE References: CVE-2016-10168,CVE-2016-10397,CVE-2016-5766,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-12933,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.5.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.5.1

Comment 34 Marcus Meissner 2017-10-26 05:47:34 UTC

released