+++ This bug was initially created as a clone of Bug #520438 +++ It's better to handle these as separate bugs. This one is for media-libs/gd, the original PHP bug continues in bug 520438 From upstream sec bug in ${URL}: ## The paths passed to the imagepng, imagejpeg, imagegif, imagewebp and imagewbmp functions are not validated to not contain null bytes, and as such may allow paths to be prematurely terminated by an attacker. This could be used to overwrite a file in a location other than the intended destination. The attached patch will check for null bytes in the given path, and return false, raising a warning in the event a null byte is encountered. ## This affects both 5.4 and 5.5 series, 5.3 series is not affected. Patch at: http://git.php.net/?p=php-src.git;a=commitdiff;h=276bead9c47e91fa3fffce87a6911eaafdb1f8ab;hp=359bc0ee2f965ee0a76ddf0a7bb3bffb62662495 + . Fixed bug #67730 (Null byte injection possible with imagexxx functions). + (CVE-2014-5120) (Ryan Mauger)
CVE-2014-5120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5120): gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
this fix was to php-specific gd module code. the file/code in question doesn't exist in media-libs/gd itself. so we can punt this bug. http://git.php.net/?p=php-src.git;a=commitdiff;h=706aefb78112a44d4932d4c9430c6a898696f51f
(In reply to SpanKY from comment #2) > this fix was to php-specific gd module code. the file/code in question > doesn't exist in media-libs/gd itself. so we can punt this bug. > > http://git.php.net/?p=php-src.git;a=commitdiff; > h=706aefb78112a44d4932d4c9430c6a898696f51f Thanks for verifying that the issue does not exist in the stand-alone library.
