|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 6688 CVE : CVE-2009-3546 CWE : CWE-Other SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : No Credit : Tomas Hoger Published : 22.10.2009
Advisory Content : While looking into this one, I spotted few interesting things. Patch for this is: - if (color > -1 && color<im->colorsTotal && color<=gdMaxColors) { + if (color > -1 && color < im->colorsTotal && color < gdMaxColors) { Besides "color<=gdMaxColors" check, there is also "color<im->colorsTotal" check. GD code also assumes that im->colorsTotal is <= gdMaxColors, as it is used as an upper bound in multiple cases when accessing arrays of gdMaxColors size. You can see "im->colorsTotal<=gdMaxColors" enforced in e.g. gdImageColorAllocateAlpha(), which is called for PHP function imagecolorallocate(). Hence: color<im->colorsTotal (from the check) and im->colorsTotal<=gdMaxColors (assumed in the rest of the code) implies color < gdMaxColor So the change should not really introduce any extra protection for current PHP versions. This change is relevant for pre-4.3.5 PHP versions, which do not have "color<im->colorsTotal" part of the check. It is possible to trigger im->alpha[] off-by-one over-write in those versions. This changes neighbor member of the gdImageStruct structure - trueColor. If that happens, gd will believe that previously non-TrueColor image is now TrueColor, which can lead to buffer over-reads or over-writes in subsequent gd operations (due to a different storage space needed for pixels of TrueColor and non-TrueColor images). But there is also concern for current PHP versions, as im->colorsTotal may be initialized with a value greater than gdMaxColors when using imagecreatefromgd() PHP function on a specially crafted GD file. Value read from file is not properly checked in _gdGetColors() (gd_gd.c),possibly allowing previously mentioned over-reads or over-writes on various places (e.g. colorsTotal is used in _gdGetColors() when initializing im->open[] with 0s). CVE-2009-3546 was assigned to this problem and the fix is now committed in PHP SVN: http://svn.php.net/viewvc?view=revision&revision=289557 References : http://www.vupen.com/english/advisories/2009/2930
http://www.vupen.com/english/advisories/2009/2929
http://www.securityfocus.com/bid/36712
http://svn.php.net/viewvc?view=revision&revision=289557
http://secunia.com/advisories/37080
http://secunia.com/advisories/37069
http://marc.info/?l=oss-security&m=125562113503923&w=2 2000  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |