[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request -- PHP 5 - 5.2.11
From: Tomas Hoger <thoger () redhat ! com>
Date: 2009-10-15 15:38:22
Message-ID: 20091015173822.084de220 () redhat ! com
[Download RAW message or body]
On Tue, 22 Sep 2009 03:24:34 -0400 (EDT) "Steven M. Christey"
<coley@linus.mitre.org> wrote:
> Name: CVE-2009-3293
>
> Unspecified vulnerability in the imagecolortransparent function in PHP
> before 5.2.11 has unknown impact and attack vectors related to an
> incorrect "sanity check for the color index."
While looking into this one, I spotted few interesting things.
Patch for this is:
- if (color > -1 && color<im->colorsTotal && color<=gdMaxColors) {
+ if (color > -1 && color < im->colorsTotal && color < gdMaxColors) {
Besides "color<=gdMaxColors" check, there is also "color<im->colorsTotal"
check. GD code also assumes that im->colorsTotal is <= gdMaxColors, as
it is used as an upper bound in multiple cases when accessing arrays of
gdMaxColors size. You can see "im->colorsTotal<=gdMaxColors" enforced in
e.g. gdImageColorAllocateAlpha(), which is called for PHP function
imagecolorallocate().
Hence:
color<im->colorsTotal (from the check)
and
im->colorsTotal<=gdMaxColors (assumed in the rest of the code)
implies
color < gdMaxColor
So the change should not really introduce any extra protection for current
PHP versions.
This change is relevant for pre-4.3.5 PHP versions, which do not have
"color<im->colorsTotal" part of the check. It is possible to trigger
im->alpha[] off-by-one over-write in those versions. This changes
neighbor member of the gdImageStruct structure - trueColor. If that
happens, gd will believe that previously non-TrueColor image is now
TrueColor, which can lead to buffer over-reads or over-writes in
subsequent gd operations (due to a different storage space needed for
pixels of TrueColor and non-TrueColor images).
But there is also concern for current PHP versions, as im->colorsTotal may
be initialized with a value greater than gdMaxColors when using
imagecreatefromgd() PHP function on a specially crafted GD file. Value
read from file is not properly checked in _gdGetColors() (gd_gd.c),
possibly allowing previously mentioned over-reads or over-writes on
various places (e.g. colorsTotal is used in _gdGetColors()
when initializing im->open[] with 0s). CVE-2009-3546 was assigned to
this problem and the fix is now committed in PHP SVN:
http://svn.php.net/viewvc?view=revision&revision=289557
--
Tomas Hoger / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic