Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520438 (CVE-2014-5120) - <dev-lang/php-{5.4.32,5.5.16}: Null byte injection possible with imagexxx functions (CVE-2014-5120)
Summary: <dev-lang/php-{5.4.32,5.5.16}: Null byte injection possible with imagexxx fun...
Status: RESOLVED FIXED
Alias: CVE-2014-5120
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=67730
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-21 21:29 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-08-31 11:28 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-21 21:29:40 UTC
From upstream sec bug in ${URL}:

##
The paths passed to the imagepng, imagejpeg, imagegif, imagewebp and imagewbmp functions are not validated to not contain null bytes, and as such may allow paths to be prematurely terminated by an attacker.

This could be used to overwrite a file in a location other than the intended destination.

The attached patch will check for null bytes in the given path, and return false, raising a warning in the event a null byte is encountered.
##

This affects both 5.4 and 5.5 series, 5.3 series is not affected. 

Patch at: 
http://git.php.net/?p=php-src.git;a=commitdiff;h=276bead9c47e91fa3fffce87a6911eaafdb1f8ab;hp=359bc0ee2f965ee0a76ddf0a7bb3bffb62662495

+  . Fixed bug #67730 (Null byte injection possible with imagexxx functions).
+    (CVE-2014-5120) (Ryan Mauger)
Comment 1 Agostino Sarubbo gentoo-dev 2014-08-22 08:58:10 UTC
this bug, basically affects gd and not php.
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2014-08-22 09:30:20 UTC
PHP uses bundled gd, so I guess it should affect php.

Fixes should be committed though.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-22 18:58:05 UTC
This is fixed in PHP 5.5.16 and 5.4.32
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-23 19:01:14 UTC
Continuing this bug as PHP only, media-libs/gd is handled in bug 520716
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 02:46:09 UTC
CVE-2014-5120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5120):
  gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
  5.5.16 does not ensure that pathnames lack %00 sequences, which might allow
  remote attackers to overwrite arbitrary files via crafted input to an
  application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4)
  imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-26 10:04:33 UTC
Stabilization, cleanup done. In existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:28:35 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).