
Bug 520716

Summary: media-libs/gd: Null byte injection possible with imagexxx functions (CVE-2014-5120)
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: graphics+disabled, vapier
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.php.net/bug.php?id=67730
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-23 19:00:18 UTC
+++ This bug was initially created as a clone of Bug #520438 +++

It's better to handle these as separate bugs. This one is for media-libs/gd; the original PHP bug continues in bug 520438.

From upstream sec bug in ${URL}:

##
The paths passed to the imagepng, imagejpeg, imagegif, imagewebp and imagewbmp functions are not validated to not contain null bytes, and as such may allow paths to be prematurely terminated by an attacker.

This could be used to overwrite a file in a location other than the intended destination.

The attached patch will check for null bytes in the given path, and return false, raising a warning in the event a null byte is encountered.
##

This affects both the 5.4 and 5.5 series; the 5.3 series is not affected.

Patch at: 
http://git.php.net/?p=php-src.git;a=commitdiff;h=276bead9c47e91fa3fffce87a6911eaafdb1f8ab;hp=359bc0ee2f965ee0a76ddf0a7bb3bffb62662495

+  . Fixed bug #67730 (Null byte injection possible with imagexxx functions).
+    (CVE-2014-5120) (Ryan Mauger)
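The bug class the upstream report describes is a length-counted string from the interpreter being handed to a C API that expects a NUL-terminated path: everything after an embedded NUL is silently dropped, so a name the application thought ended in ".png" is opened under a different name. The following is an added example, not code from PHP, libgd or this bug report; the names (`counted_str`, `has_embedded_nul`, `effective_path`, `checked_output_path`) and the attacker-controlled input are constructed for illustration. The check it applies is essentially the comparison the linked upstream patch adds (a NUL found before the counted length means strlen() and the tracked length disagree).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A length-counted string as a scripting engine carries it (hypothetical
 * stand-in for PHP's internal string representation). */
typedef struct {
    const char *data;
    size_t len;
} counted_str;

/* Returns 1 if the counted buffer holds a NUL byte before its end.
 * memchr over the counted length never reads past the buffer, and it is
 * equivalent to the "strlen(data) != len" test in the upstream fix. */
int has_embedded_nul(counted_str s) {
    return memchr(s.data, '\0', s.len) != NULL;
}

/* What a C file API such as fopen(3) actually sees: the bytes up to the
 * first NUL. This is the vulnerable behaviour. Caller frees the result. */
char *effective_path(counted_str s) {
    size_t n = 0;
    while (n < s.len && s.data[n] != '\0')
        n++;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s.data, n);
    out[n] = '\0';
    return out;
}

/* Hardened wrapper: refuse any path containing a NUL byte (returns NULL,
 * mirroring the patched imagexxx functions returning false with a warning),
 * otherwise hand back the path that would be opened. Caller frees. */
char *checked_output_path(counted_str s) {
    if (has_embedded_nul(s)) {
        fprintf(stderr, "warning: filename must not contain null bytes\n");
        return NULL;
    }
    return effective_path(s);
}

int main(void) {
    /* Constructed attacker input: the application appends ".png" to a
     * user-supplied base name, but the name already carries a NUL byte. */
    static const char raw[] = "uploads/../shell.php\0.png";
    counted_str attacker = { raw, sizeof(raw) - 1 };  /* 25 bytes, NUL inside */
    counted_str benign   = { "uploads/avatar.png", 18 };

    char *p = effective_path(attacker);
    printf("vulnerable: path actually opened is \"%s\"\n", p ? p : "(null)");
    free(p);

    char *q = checked_output_path(attacker);
    printf("hardened (attacker input): %s\n", q ? q : "rejected");
    free(q);

    q = checked_output_path(benign);
    printf("hardened (benign input): %s\n", q ? q : "rejected");
    free(q);
    return 0;
}
```

The same mismatch check belongs at every boundary where a counted string becomes a C string, not only in the image writers; PHP later moved this into argument parsing so individual functions no longer have to remember it.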
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 05:00:36 UTC
CVE-2014-5120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5120):
  gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
  5.5.16 does not ensure that pathnames lack %00 sequences, which might allow
  remote attackers to overwrite arbitrary files via crafted input to an
  application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4)
  imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
Comment 2 SpanKY gentoo-dev 2015-02-16 13:01:31 UTC
This fix was to PHP-specific gd module code. The file/code in question doesn't exist in media-libs/gd itself, so we can punt this bug.

http://git.php.net/?p=php-src.git;a=commitdiff;h=706aefb78112a44d4932d4c9430c6a898696f51f
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-16 13:04:17 UTC
(In reply to SpanKY from comment #2)
> this fix was to php-specific gd module code.  the file/code in question
> doesn't exist in media-libs/gd itself.  so we can punt this bug.
> 
> http://git.php.net/?p=php-src.git;a=commitdiff;
> h=706aefb78112a44d4932d4c9430c6a898696f51f

Thanks for verifying that the issue does not exist in the stand-alone library.