Bug 986393 (CVE-2016-5767) - VUL-0: CVE-2016-5767: php5,php53: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
Summary: VUL-0: CVE-2016-5767: php5,php53: Integer Overflow in gdImagePaletteToTrueCol...
Status: RESOLVED FIXED
Alias: CVE-2016-5767
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170465/
Whiteboard: CVSSv2:SUSE:CVE-2016-5767:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-24 10:38 UTC by Marcus Meissner
Modified: 2016-10-24 08:21 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
xx.php (168 bytes, text/plain)
2016-06-24 10:38 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-24 10:38:05 UTC 
http://seclists.org/oss-sec/2016/q2/589

    GD:
        Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
        in heap overflow). (Pierre)

    https://bugs.php.net/bug.php?id=72446
    http://git.php.net/?p=php-src.git;a=commitdiff;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6


Use CVE-2016-5767.
Comment 1 Marcus Meissner 2016-06-24 10:38:55 UTC 
Created attachment 682021 [details]
xx.php

QA REPRODUCER:

php xx.php
Comment 2 Marcus Meissner 2016-06-24 10:39:56 UTC 
php53 says

PHP Fatal error:  Call to undefined function imagepalettetotruecolor() in /suse/meissner/xx.php on line 7

not sure if i missed a module
Comment 3 Swamp Workflow Management 2016-06-24 22:01:27 UTC 
bugbot adjusting priority
Comment 4 Petr Gajdos 2016-06-27 16:03:38 UTC 
Fix already part of 12sp2/php7.

(In reply to Marcus Meissner from comment #2)
> php53 says
> 
> PHP Fatal error:  Call to undefined function imagepalettetotruecolor() in
> /suse/meissner/xx.php on line 7
> 
> not sure if i missed a module

This is just because the imagepalettetotruecolor() is not available in gd. But the code is there everywhere.

Considering affected: 13.2/php5 trough 11/php5
Comment 5 Petr Gajdos 2016-06-27 16:10:48 UTC 
AFTER

$ php test.php
PHP Warning:  imagecreate(): gd warning: product of memory allocation multiplication would exceed INT_MAX
$
Comment 6 Petr Gajdos 2016-06-29 08:40:38 UTC 
Packages submitted.
Comment 8 Bernhard Wiedemann 2016-06-29 10:01:06 UTC 
This is an autogenerated message for OBS integration:
This bug (986393) was mentioned in
https://build.opensuse.org/request/show/405425 13.2 / php5
Comment 10 Bernhard Wiedemann 2016-06-29 14:04:18 UTC 
This is an autogenerated message for OBS integration:
This bug (986393) was mentioned in
https://build.opensuse.org/request/show/405458 13.2 / php5
Comment 11 Swamp Workflow Management 2016-07-07 16:09:45 UTC 
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-69.1
Comment 14 Swamp Workflow Management 2016-07-20 22:10:45 UTC 
SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-68.1
Comment 15 Swamp Workflow Management 2016-08-01 03:10:29 UTC 
openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-56.1
Comment 18 Swamp Workflow Management 2016-08-09 15:38:43 UTC 
SUSE-SU-2016:2013-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-74.1
Comment 19 Sebastian Krahmer 2016-08-10 10:02:48 UTC 
CVSSv2:SUSE:CVE-2016-5767:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 20 Swamp Workflow Management 2016-08-16 11:10:51 UTC 
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php5-5.2.14-0.7.30.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php5-5.2.14-0.7.30.89.1