stuart just pointed out that php4/5 includes gd2 for vulnerabilities in gd2 see bug 69070
see my comments in Bug 69070 where i talked about this :P basically someone needs to verify this ... the code isnt exactly the same but it stands to reason that it's a problem
I'll be looking at this on Friday. Best regards, Stu
Stuart any news on this one?
Sorry. I'm awaiting replacements parts after a hardware failure. Won't be able to commit anything before the weekend. Best regards, Stu
Robin any chance you will have time to check this before the weekend?
Sune: definetly not, sorry. I'm in middle of exams, then i'm away the weekend at the ACM contest regionals (in Portland).
Ok, good luck with exams and the contest. One small request though: please use devaway:-)
Stuart,Robin please advise.
I've spoken with Ilia from UPSTREAM, who assures me that PHP's version of gd2 doesn't include this vulnerability. Best regards, Stu
Then we'll assume there is nothing here... But it looks like a good target for auditing team :)
confirmed, the version of gd in the php-4.3.10 distribution is not vulnerable to this. the advisory describes a user supplied value being passed to malloc() while reading in png data, here's the vulnerable statement from an affected libgd: image_data = (png_bytep) gdMalloc (rowbytes * height); where gdMalloc is a simple malloc() wrapper (no validation is performed). the libgd in php uses this alternative: image_data = (png_bytep) safe_emalloc(rowbytes, height, 0); where safe_emalloc() is a comprehensive checking routine that specifically includes checks for overflow. marking resolved.
