Bugzilla – Bug 893855
VUL-0: CVE-2014-5120: php5, php53: php5-gd, php53-gd: NUL byte injection in filenames passed to image handling functions
Last modified: 2019-05-01 16:17:57 UTC
rh#1132793

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1132793
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5120.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120
https://bugs.php.net/bug.php?id=67730
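Added illustration, not code from PHP or from this bug report: a C sketch of why a length-counted filename containing a NUL byte must be rejected before it reaches a C file API, and of the check that does so. The type, function names and sample filenames are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Length-counted string, as a scripting runtime hands a filename to native
 * code: the buffer may contain NUL bytes. Hypothetical type for this example. */
struct counted_str { const char *buf; size_t len; };

/* Length the C library uses when buf reaches fopen()/open(): bytes after the
 * first NUL are ignored. */
size_t c_visible_len(struct counted_str s)
{
    const char *nul = memchr(s.buf, '\0', s.len);
    return nul ? (size_t)(nul - s.buf) : s.len;
}

/* Suffix test on the full counted string, as an application-level
 * extension check would see the name. */
int has_suffix(struct counted_str s, const char *suffix)
{
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.buf + s.len - n, suffix, n) == 0;
}

/* Reject any pathname whose counted length differs from its C-string
 * length (or that is empty). Returns 0 if acceptable, -1 if rejected. */
int check_path_no_nul(struct counted_str s)
{
    if (s.len == 0)
        return -1;
    return c_visible_len(s) == s.len ? 0 : -1;
}

/* Constructed sample filenames; sizeof - 1 keeps the embedded NUL counted. */
static const char CLEAN_NAME[] = "out.png";
static const char NUL_NAME[] = "out.txt\0.png";
const struct counted_str SAMPLE_CLEAN = { CLEAN_NAME, sizeof(CLEAN_NAME) - 1 };
const struct counted_str SAMPLE_NUL = { NUL_NAME, sizeof(NUL_NAME) - 1 };

int main(void)
{
    const struct counted_str *in[] = { &SAMPLE_CLEAN, &SAMPLE_NUL };
    for (size_t i = 0; i < 2; i++)
        printf("counted=%zu c_visible=%zu ends_in_png=%d check=%d\n",
               in[i]->len, c_visible_len(*in[i]),
               has_suffix(*in[i], ".png"), check_path_no_nul(*in[i]));
    return 0;
}
```

The second sample passes a suffix check on its full 12 bytes while the C library would see only the first 7, which is the mismatch the check refuses.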
Comment inside the php bug: "The issue was introduced with 5.4..." Therefore closing as invalid.
SLE12 GA has 5.5.14. We can even try a version update, or at least backports before GA.
bugbot adjusting priority
php5 submitted into sle12.
If I understand correctly, CVE-2006-7243 was assigned to this issue in the past. It was corrected upstream in php 5.3.4 and thus php53 is not affected. Unfortunately, the fix was not merged into the 5.4 branch sufficiently, so the 5.4 and 5.5 branches are affected by CVE-2014-5120. Therefore submitting to 13.1 too.
Packages submitted.
released
openSUSE-SU-2014:1133-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 893849,893853,893855,895658
CVE References: CVE-2014-3597,CVE-2014-5120,CVE-2014-5459
Sources used:
openSUSE 13.1 (src): php5-5.4.20-30.1
openSUSE 12.3 (src): php5-5.3.17-3.34.1