From upstream sec bug in ${URL}: ## The paths passed to the imagepng, imagejpeg, imagegif, imagewebp and imagewbmp functions are not validated to not contain null bytes, and as such may allow paths to be prematurely terminated by an attacker. This could be used to overwrite a file in a location other than the intended destination. The attached patch will check for null bytes in the given path, and return false, raising a warning in the event a null byte is encountered. ## This affects both 5.4 and 5.5 series, 5.3 series is not affected. Patch at: http://git.php.net/?p=php-src.git;a=commitdiff;h=276bead9c47e91fa3fffce87a6911eaafdb1f8ab;hp=359bc0ee2f965ee0a76ddf0a7bb3bffb62662495 + . Fixed bug #67730 (Null byte injection possible with imagexxx functions). + (CVE-2014-5120) (Ryan Mauger)
this bug, basically affects gd and not php.
PHP uses bundled gd, so I guess it should affect php. Fixes should be committed though.
This is fixed in PHP 5.5.16 and 5.4.32
Continuing this bug as PHP only, media-libs/gd is handled in bug 520716
CVE-2014-5120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5120): gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
Stabilization, cleanup done. In existing GLSA request.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).