Sec Bug #67730 CVE-2014-5120 Null byte injection possible with imagexxx functions
Submitted: 2014-07-31 20:37 UTC Modified: 2014-08-19 08:35 UTC
From: ryan at rmauger dot co dot uk Assigned: stas
Status: Closed Package: GD related
PHP Version: 5.6.0RC2 OS: All
Private report: No CVE-ID: 2014-5120
 [2014-07-31 20:37 UTC] ryan at rmauger dot co dot uk
Description:
------------
The paths passed to the imagepng, imagejpeg, imagegif, imagewebp and imagewbmp functions are not validated to not contain null bytes, and as such may allow paths to be prematurely terminated by an attacker.

This could be used to overwrite a file in a location other than the intended destination.

The attached patch will check for null bytes in the given path, and return false, raising a warning in the event a null byte is encountered.

Test script:
---------------
phpt tests are included in the patch.
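An added example, not part of this report or of php-src, showing the kind of userland guard that closes the exposure described above: it rejects a null byte before the path ever reaches GD, pins the expected extension, and confines the destination to an allowed directory. The helper names `validate_output_path()` and `save_png_safely()` are invented for the example, and it assumes the GD extension is loaded.

```php
<?php
// Added example (not from the bug report or php-src). Hypothetical helpers:
// validate_output_path() and save_png_safely().

/**
 * Validate a destination path for an imagexxx() call.
 * Returns the resolved path on success, or null after raising a warning.
 */
function validate_output_path(string $path, string $allowed_dir, string $ext): ?string
{
    // 1. Embedded NUL: PHP strings are binary-safe, but a C-level consumer that
    //    stops at the first "\0" would silently truncate the path (the bug here).
    if (strpos($path, "\0") !== false) {
        trigger_error('output path contains a null byte', E_USER_WARNING);
        return null;
    }
    // 2. The extension must be the one the application intends to write.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== $ext) {
        trigger_error("output path must end in .$ext", E_USER_WARNING);
        return null;
    }
    // 3. Resolve the parent directory and confine it to the allowed tree
    //    (the trailing separator stops "/tmpx" from matching "/tmp").
    $dir  = realpath(dirname($path));
    $base = realpath($allowed_dir);
    if ($dir === false || $base === false
        || strncmp($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        trigger_error('output path escapes the allowed directory', E_USER_WARNING);
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . basename($path);
}

/** Write a PNG only if the destination passes validation. */
function save_png_safely($image, string $path, string $allowed_dir): bool
{
    $safe = validate_output_path($path, $allowed_dir, 'png');
    if ($safe === null) {
        return false;
    }
    return imagepng($image, $safe);
}

// Demonstration with constructed inputs: one accepted, two rejected.
$dir = sys_get_temp_dir();
$im  = imagecreatetruecolor(4, 4);
var_dump(save_png_safely($im, "$dir/ok.png", $dir));
var_dump(save_png_safely($im, "$dir/evil.php\0.png", $dir));
var_dump(save_png_safely($im, "$dir/../outside.png", $dir));
imagedestroy($im);
```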


Patches

gd-null-injection (last revision 2014-08-04 06:48 UTC) by stas@php.net


History

 [2014-08-04 06:48 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: gd-null-injection
Revision:   1407134918
URL:        https://bugs.php.net/patch-display.php?bug=67730&patch=gd-null-injection&revision=1407134918
 [2014-08-04 08:07 UTC] ryan at rmauger dot co dot uk
Stas, was the patch I supplied not ok? I seem to be unable to view what you have changed, or even see the patch I uploaded.
 [2014-08-04 08:17 UTC] stas@php.net
That was the patch that was supplied, no other patch was attached to the bug before that.
 [2014-08-05 05:39 UTC] pajoye@php.net
-Assigned To: +Assigned To: stas
 [2014-08-05 05:39 UTC] pajoye@php.net
Go ahead, 5.4+, not sure Johannes likes it in 5.3 too :)
 [2014-08-05 05:39 UTC] pajoye@php.net
-Status: Assigned +Status: Open
 [2014-08-05 12:20 UTC] johannes@php.net
I think the risk of exploiting this is quite small, as it requires users to take unverified paths, and the attacker can access only images of a specific type to which he also has to know the path (unless error reporting is switched on, the attacker can't even distinguish between "file does not exist" and "file is not an image of that type").

Nonetheless the fix is quite trivial, so adding it to 5.3 looks fine.
 [2014-08-13 16:34 UTC] johannes@php.net
Note on 5.3: In 5.3 we already have the check

        if (strlen(file) != file_len) {
            RETURN_FALSE;
        }

The issue was introduced with 5.4 while cleaning up stream usage after safe_mode removal. My previous comment on 5.3 can therefore be ignored.
 [2014-08-19 05:47 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2014-5120
 [2014-08-19 08:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-08-19 08:35 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-08-19 12:30 UTC] kaplan@php.net
Fix was done in commit 706aefb78112a44d4932d4c9430c6a898696f51f
 [2014-08-19 14:13 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1daa4c0090b7cd8178dcaa96287234c69ac6ca18
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 [2014-08-27 03:17 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9da6430d37326e866ccae28aa5a4f835a459071
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=706aefb78112a44d4932d4c9430c6a898696f51f
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC