PHP wbmp.c createwbmp / readwbmp Function WBMP Handling Overflow

2007-04-10T07:03:45
ID OSVDB:34671
Type osvdb
Reporter OSVDB
Modified 2007-04-10T07:03:45

Description

Vulnerability Description

PHP contains a flaw that may allow a context-dependent attacker to execute arbitrary code. The issue is due to the GD library (libgd) not properly sanitizing user-supplied input to the createwbmp or readwbmp functions in wbmp.c. Using a specially crafted Wireless Bitmap (WBMP) image with a large width or height value, an attacker could trigger an integer overflow and execute arbitrary code.
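The arithmetic behind the flaw described above, as an added example that is not PHP's or libgd's own code. The function names are hypothetical, and the one-int-per-pixel buffer, the 4-byte int and the 32-bit size arithmetic are assumptions. It shows an unchecked size computation wrapping to a small value next to a checked form that rejects the same dimensions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form (hypothetical): the byte count for a width x height
 * pixel buffer is computed in 32-bit arithmetic, so a large product
 * wraps around and yields a buffer far smaller than the image. */
static uint32_t unchecked_alloc_size(int width, int height)
{
    return (uint32_t)sizeof(int) * (uint32_t)width * (uint32_t)height;
}

/* Checked form (hypothetical): returns 0 and stores the byte count in
 * *out only when both dimensions are positive and the full product
 * sizeof(int) * width * height fits in 32 bits; returns -1 otherwise. */
static int checked_alloc_size(int width, int height, uint32_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;                       /* reject zero and negative sizes */
    if ((uint32_t)width > UINT32_MAX / sizeof(int))
        return -1;                       /* sizeof(int) * width would wrap */
    uint32_t row = (uint32_t)width * (uint32_t)sizeof(int);
    if ((uint32_t)height > UINT32_MAX / row)
        return -1;                       /* row * height would wrap */
    *out = row * (uint32_t)height;
    return 0;
}

int main(void)
{
    /* Constructed header values: 65537 x 16384 pixels. */
    int w = 65537, h = 16384;
    uint32_t size = 0;

    printf("pixels:         %llu\n", (unsigned long long)w * h);
    printf("unchecked size: %u bytes\n", unchecked_alloc_size(w, h));
    printf("checked result: %d\n", checked_alloc_size(w, h, &size));
    printf("640x480 result: %d (%u bytes)\n",
           checked_alloc_size(640, 480, &size), size);
    return 0;
}
```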

Solution Description

Upgrade to version 4.4.7, 5.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.php.net/
Vendor Specific News/Changelog Entry: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.2.4.1&r2=1.2.4.1.8.1
Vendor Specific News/Changelog Entry: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?revision=1.2.4.1.8.1&view=markup
Secunia Advisory ID: 25151
Secunia Advisory ID: 25192
Secunia Advisory ID: 24814
Secunia Advisory ID: 24924
Secunia Advisory ID: 26235
Secunia Advisory ID: 24965
Secunia Advisory ID: 24909
Secunia Advisory ID: 25445
Secunia Advisory ID: 24945
RedHat RHSA: RHSA-2007:0153
RedHat RHSA: RHSA-2007:0155
Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:089
Other Advisory URL: http://lists.rpath.com/pipermail/security-announce/2007-April/000176.html
Other Advisory URL: http://ifsec.blogspot.com/2007/04/php-521-wbmp-file-handling-integer.html
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20070501-01-P.asc
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200705-19.xml
Other Advisory URL: http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.470053
Other Advisory URL: http://docs.info.apple.com/article.html?artnum=306172
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0131.html
ISS X-Force ID: 33453
FrSIRT Advisory: ADV-2007-1269
FrSIRT Advisory: ADV-2007-2732
CVE-2007-1001
Bugtraq ID: 23357
Bugtraq ID: 25159