[go: up one dir, main page]
Bug 978830 (CVE-2016-4542) - VUL-0: CVE-2016-4542, CVE-2016-4543, CVE-2016-4544: php5, php53: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
Summary: VUL-0: CVE-2016-4542, CVE-2016-4543, CVE-2016-4544: php5, php53: Out-of-bound...
Status: RESOLVED FIXED
Alias: CVE-2016-4542
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/168653/
Whiteboard: CVSSv2:SUSE:CVE-2016-4542:2.1:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-06 10:39 UTC by Alexander Bergmann
Modified: 2022-07-25 14:26 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
testcase taken from the commit (424 bytes, application/x-bzip2)
2016-05-10 07:51 UTC, Petr Gajdos 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-05-06 10:39:07 UTC 
rh#1332865 / CVE-2016-4542, CVE-2016-4543, CVE-2016-4544

It was found that malformed input to function exif_read_data() can cause out-of-bounds heap memory read access.

Upstream bug:

https://bugs.php.net/bug.php?id=72094

Upstream patch:

https://git.php.net/?p=php-src.git;a=commit;h=1366c0362f1fa85e82bde9c0b393bd3bb3d32892

As per CVE assignment:

http://seclists.org/oss-sec/2016/q2/259

Use CVE-2016-4542 for the issue associated with the spprintf call.

Use CVE-2016-4543 for both issues in which "Illegal IFD size" validation was added.

Use CVE-2016-4544 for the issue in which "Invalid TIFF start" validation was added.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1332865
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4543
http://seclists.org/oss-sec/2016/q2/259
Comment 1 Swamp Workflow Management 2016-05-06 22:02:31 UTC 
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-05-10 07:51:40 UTC 
Created attachment 676270 [details]
testcase taken from the commit

Reproduced with 13.2 and 11.

Installed packages: php5, php5-mbstring, php5-exif

BEFORE

$ USE_ZEND_ALLOC=0 valgrind php test.php
  .. valgrind errors ..
$

AFTER

$ USE_ZEND_ALLOC=0 valgrind php test.php
  .. much less valgrind errors ..
$
Comment 3 Petr Gajdos 2016-05-10 11:18:25 UTC 
Packages submitted.
Comment 4 Bernhard Wiedemann 2016-05-10 12:01:09 UTC 
This is an autogenerated message for OBS integration:
This bug (978830) was mentioned in
https://build.opensuse.org/request/show/394633 13.2 / php5
Comment 8 Bernhard Wiedemann 2016-05-18 14:00:50 UTC 
This is an autogenerated message for OBS integration:
This bug (978830) was mentioned in
https://build.opensuse.org/request/show/396629 13.2 / php5
Comment 10 Swamp Workflow Management 2016-05-19 12:09:56 UTC 
openSUSE-SU-2016:1357-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977991,977992,977994,978827,978828,978829,978830
CVE References: CVE-2016-4342,CVE-2016-4343,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-61.1
Comment 14 Swamp Workflow Management 2016-06-06 19:08:37 UTC 
SUSE-SU-2016:1504-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977991,977994,978827,978828,978829,978830,980366,980373,980375
CVE References: CVE-2015-4116,CVE-2015-8873,CVE-2015-8874,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-59.2
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-59.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-59.2
Comment 15 Swamp Workflow Management 2016-06-08 10:09:07 UTC 
openSUSE-SU-2016:1524-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977991,977994,978827,978828,978829,978830,980366,980373,980375
CVE References: CVE-2015-4116,CVE-2015-8873,CVE-2015-8874,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-50.1
Comment 16 Swamp Workflow Management 2016-06-14 18:11:13 UTC 
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-71.1
SUSE Manager 2.1 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-71.1
Comment 17 Swamp Workflow Management 2016-06-21 11:19:57 UTC 
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1
Comment 18 Marcus Meissner 2016-08-01 09:49:59 UTC 
all released