php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #67730 CVE-2014-5120 Null byte injection possible with imagexxx functions
Submitted: 2014-07-31 20:37 UTC Modified: 2014-08-19 08:35 UTC
From: ryan at rmauger dot co dot uk Assigned: stas (profile)
Status: Closed Package: GD related
PHP Version: 5.6.0RC2 OS: All
Private report: No CVE-ID: 2014-5120
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ryan at rmauger dot co dot uk
New email:
PHP Version: OS:

 

 [2014-07-31 20:37 UTC] ryan at rmauger dot co dot uk
Description:
------------
The paths passed to the imagepng, imagejpeg, imagegif, imagewebp and imagewbmp functions are not validated to not contain null bytes, and as such may allow paths to be prematurely terminated by an attacker.

This could be used to overwrite a file in a location other than the intended destination.

The attached patch will check for null bytes in the given path, and return false, raising a warning in the event a null byte is encountered.

Test script:
---------------
phpt tests are included in the patch.


Patches

gd-null-injection (last revision 2014-08-04 06:48 UTC by stas@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-08-04 06:48 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: gd-null-injection
Revision:   1407134918
URL:        https://bugs.php.net/patch-display.php?bug=67730&patch=gd-null-injection&revision=1407134918
 [2014-08-04 08:07 UTC] ryan at rmauger dot co dot uk
Stas, Was the patch I supplied not ok? I seem to be unable to view what you have changed, or even see the patch I uploaded
 [2014-08-04 08:17 UTC] stas@php.net
That was the patch that was supplied, no other patch was attached to the bug before that.
 [2014-08-05 05:39 UTC] pajoye@php.net
-Assigned To: +Assigned To: stas
 [2014-08-05 05:39 UTC] pajoye@php.net
Go ahead, 5.4+, not sure Johannes likes it in 5.3 too :)
 [2014-08-05 05:39 UTC] pajoye@php.net
-Status: Assigned +Status: Open
 [2014-08-05 05:39 UTC] pajoye@php.net
Go ahead, 5.4+, not sure Johannes likes it in 5.3 too :)
 [2014-08-05 12:20 UTC] johannes@php.net
I think the risk of exploiting this is quite small as it requires users to take unverified paths and the attacker can access only images of a specific type to which he also has to know the path (unless error reporting is switched on the attacker can't even distinguish between "file does not exist" and "file is not an image of that type")

Nonetheless the fix is quite trivial, so adding it to 5.3 looks fine.
 [2014-08-13 16:34 UTC] johannes@php.net
Note on 5.3: In 5.3 we already have the check

 94         if (strlen(file) != file_len) {
 95             RETURN_FALSE;
 96         }

The issue was introduced with 5.4 while cleaning up stream usage after safe_mode removal. My previous comment on 5.3 can therefore be ignored.
 [2014-08-19 05:47 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2014-5120
 [2014-08-19 08:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-08-19 08:35 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-08-19 12:30 UTC] kaplan@php.net
Fix was done in commit 706aefb78112a44d4932d4c9430c6a898696f51f
 [2014-08-19 14:13 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1daa4c0090b7cd8178dcaa96287234c69ac6ca18
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 [2014-08-27 03:17 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9da6430d37326e866ccae28aa5a4f835a459071
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=706aefb78112a44d4932d4c9430c6a898696f51f
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=706aefb78112a44d4932d4c9430c6a898696f51f
Log: Fix bug #67730 - Null byte injection possible with imagexxx functions
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Mar 31 20:01:24 2020 UTC