Bugzilla – Bug 1123354
VUL-0: CVE-2019-6977: php5,php7,php53: A heap based buffer overflow is discovered in GD Graphics library
Last modified: 2019-07-16 06:36:56 UTC
CVE-2019-6977 gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6977
https://bugs.php.net/bug.php?id=77270
http://php.net/ChangeLog-7.php
http://php.net/ChangeLog-5.php
The vulnerable code is the same in all codestreams but is located in different files: gd_color_match.c / gd_color.c / gd_topal.c. For the first two, fixes are available at [1] and [2] respectively. For the third there is none. However, the patch should be similar, since the code which is affected is exactly the same. Two POCs are available at [3].

This bug affects all codestreams. Specifically:

For php7
  SUSE:SLE-15:Update --> version 7.2.5 --> fix at [1]
  SUSE:SLE-12:Update --> version 7.0.7 --> fix at [2]

For php53
  SUSE:SLE-11-SP3:Update --> version 5.3.17 --> fix at [2]

For php5
  SUSE:SLE-12:Update --> version 5.5.14 --> fix at [2]
  SUSE:SLE-11:Update and SUSE:SLE-10-SP3:Update --> version 5.2.14 --> vulnerable code at gd_topal.c --> fix should be similar to [1] and/or [2]

[1] http://git.php.net/?p=php-src.git;a=commit;h=a15af81b5f0058e020eda0f109f51a3c863f5212
[2] http://git.php.net/?p=php-src.git;a=commit;h=7a12dad4dd6c370835b13afae214b240082c7538
[3] https://gist.github.com/cmb69/911de73cc2fbdad85570ea7143455457
This bug is also related to gd bug 1123361 [1]

[1] https://bugzilla.suse.com/show_bug.cgi?id=1123361
TW/php7, 15/php7: php is built against system libgd, thus it will be solved via gd package update (got the same crashes as in gd testcase, got none after libgd-2.2.5 update)

BEFORE

12/php7,php5
  $ valgrind -q php 77270.php
  $
  [no crash as in TW,15/php7 case]

11sp3/php53, 11,10sp3/php5
  $ php 77270.php
  PHP Fatal error: Call to undefined function imagepalettetotruecolor() in /123354/77270.php on line 4
  $
  [testcase does not work]

PATCH in comment 1

AFTER

12/php7,php5
  $ valgrind -q php 77270.php
  $
  [result the same, no regression found]
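As an added example that is not part of the bug report (and not PHP's or libgd's own code), this PHP script applies the per-branch fix thresholds stated in the CVE text and the bundled-versus-system-gd distinction from the comment above to the running interpreter; the function names are my own, and it is written to run on PHP 5.3 as well since the affected builds are that old. It assumes vendor backports keep the old upstream version string (php7-7.0.7-50.63.1 in this bug is fixed yet reports 7.0.7), so on such hosts the package release, not PHP_VERSION, is the real indicator.

```php
<?php
// Added example, not from the bug report or from PHP/libgd. Classifies the running
// PHP build against CVE-2019-6977 using only what the bug report states:
//  - upstream fixed versions per branch (from the CVE description)
//  - bundled gd (fix ships in the php package) vs system libgd (fix ships in gd)
// Kept PHP 5.3 compatible on purpose: no scalar type hints, no "??".

// Upstream version that first carries the fix for the branch $v belongs to,
// exactly as the CVE text lists them; null when $v is outside those ranges.
function upstream_fix_for($v)
{
    if (version_compare($v, '7.0.0', '<')) { return '5.6.40'; } // "PHP before 5.6.40"
    if (version_compare($v, '7.2.0', '<')) { return '7.1.26'; } // "7.x before 7.1.26"
    if (version_compare($v, '7.3.0', '<')) { return '7.2.14'; } // "7.2.x before 7.2.14"
    if (version_compare($v, '7.4.0', '<')) { return '7.3.1';  } // "7.3.x before 7.3.1"
    return null;
}

function cve_2019_6977_status($phpVersion, $gdVersion, $hasColorMatch)
{
    // Builds without imagecolormatch() (e.g. gd disabled) cannot reach the bug.
    if (!$hasColorMatch) {
        return 'imagecolormatch() not available: vulnerable call not reachable';
    }
    // gd_info()['GD Version'] reads "bundled (...)" for PHP's in-tree copy and a
    // plain number such as "2.2.5" when PHP was linked against system libgd.
    if ($gdVersion !== null && stripos($gdVersion, 'bundled') === false) {
        return "system libgd $gdVersion: the fix comes from the gd package, not php";
    }
    $fix = upstream_fix_for($phpVersion);
    if ($fix === null) {
        return "bundled gd, PHP $phpVersion: outside the version ranges named in the CVE";
    }
    if (version_compare($phpVersion, $fix, '>=')) {
        return "bundled gd, PHP $phpVersion: at or above upstream fix $fix";
    }
    // Old upstream number: either unpatched or a vendor backport; check the package release.
    return "bundled gd, PHP $phpVersion: below upstream fix $fix, verify vendor backport";
}

$gd        = extension_loaded('gd') ? gd_info() : array();
$gdVersion = isset($gd['GD Version']) ? $gd['GD Version'] : null;
echo cve_2019_6977_status(PHP_VERSION, $gdVersion, function_exists('imagecolormatch')), PHP_EOL;
```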
Will submit for: 12/php7, 12/php5(Leap), 11sp3/php53, 11/php5 and 10sp3/php5.
I believe all fixed.
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-03-08. When done, reassign the bug to security-team@suse.de.

https://swamp.suse.de/webswamp/wf/64206
SUSE-SU-2019:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118832,1123354,1123522
CVE References: CVE-2018-19935,CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php7-7.0.7-50.63.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php7-7.0.7-50.63.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.63.1

SUSE-SU-2019:13961-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123354,1123522
CVE References: CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-112.53.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-112.53.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.53.1

openSUSE-SU-2019:0207-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118832,1123354,1123522
CVE References: CVE-2018-19935,CVE-2019-6977,CVE-2019-6978
Sources used:
openSUSE Leap 42.3 (src): php7-7.0.7-55.1

SUSE-SU-2019:0449-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123354
CVE References: CVE-2019-6977
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.48.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php5-5.5.14-109.48.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.48.1

openSUSE-SU-2019:0276-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123354
CVE References: CVE-2019-6977
Sources used:
openSUSE Leap 42.3 (src): php5-5.5.14-112.1
done