CVE-2020-7064: PHP :: Sec Bug #79282 :: Use-of-uninitialized-value in exif

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.

Sec Bug #79282

Use-of-uninitialized-value in exif

Submitted: 2020-02-19 09:31 UTC
Modified: 2020-03-17 05:39 UTC
From: [email protected]
Assigned: stas
Status: Closed
Package: EXIF related
PHP Version: master-Git-2020-02-19 (Git)
OS:
Private report: No
CVE-ID: 2020-7064

[2020-02-19 09:31 UTC] [email protected]

Description:

From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19581.

<?php var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));

Results in:

Uninitialized bytes in MemcmpInterceptorCommon at offset 1 inside [0x7010000006e8, 2)
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5004dc in __interceptor_bcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:885:10
    #1 0x86693b in exif_process_TIFF_in_JPEG php-src/ext/exif/exif.c:3596:6
    #2 0x861b7e in exif_scan_JPEG_header php-src/ext/exif/exif.c:3793:6
    #3 0x8609eb in exif_scan_FILE_header php-src/ext/exif/exif.c:4186:8
    #4 0x8602bb in exif_read_from_impl php-src/ext/exif/exif.c:4327:8
    #5 0x858b52 in exif_read_from_stream php-src/ext/exif/exif.c:4344:8
    #6 0x856001 in zif_exif_read_data php-src/ext/exif/exif.c:4434:9
    #7 0x112596d in zend_call_function php-src/Zend/zend_execute_API.c:817:4
    #8 0x11236e2 in _call_user_function_ex php-src/Zend/zend_execute_API.c:638:9
    #9 0x1696c7a in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:247:2
    #10 0x169596f in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:52:2
    #11 0x481101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #12 0x46bc21 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #13 0x4718de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #14 0x49b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #15 0x7f3e6199882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #16 0x445098 in _start

  Uninitialized value was created by a heap allocation
    #0 0x4fc67d in malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:925:3
    #1 0x1088155 in __zend_malloc php-src/Zend/zend_alloc.c:2975:14
    #2 0x1082159 in _emalloc php-src/Zend/zend_alloc.c:2535:10
    #3 0x865d76 in exif_file_sections_add php-src/ext/exif/exif.c:2042:10
    #4 0x8618c0 in exif_scan_JPEG_header php-src/ext/exif/exif.c:3747:8
    #5 0x8609eb in exif_scan_FILE_header php-src/ext/exif/exif.c:4186:8
    #6 0x8602bb in exif_read_from_impl php-src/ext/exif/exif.c:4327:8
    #7 0x858b52 in exif_read_from_stream php-src/ext/exif/exif.c:4344:8
    #8 0x856001 in zif_exif_read_data php-src/ext/exif/exif.c:4434:9
    #9 0x112596d in zend_call_function php-src/Zend/zend_execute_API.c:817:4
    #10 0x11236e2 in _call_user_function_ex php-src/Zend/zend_execute_API.c:638:9
    #11 0x1696c7a in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:247:2
    #12 0x169596f in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:52:2
    #13 0x481101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #14 0x46bc21 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #15 0x4718de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #16 0x49b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #17 0x7f3e6199882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291

I can’t reproduce under valgrind, so also can’t tell which versions are affected.
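Decoded, the PoC in the report is a 12-byte JPEG: SOI, then a single APP1 segment whose length field says 9 (the two length bytes, the 6-byte "Exif\0\0" identifier, and one byte 0x20), so a single byte is left where an 8-byte TIFF header must begin; the 2-byte compare in exif_process_TIFF_in_JPEG from the MSan trace therefore reaches one byte that was never read from the file. The walker below is an added example, not code from php-src: it decodes the page's PoC and rejects the segment for lacking a TIFF header, the check that must come before any byte-order comparison. Its lenient marker handling (0xFF bytes are skipped and the next byte is the marker, which the PoC relies on since no 0xFF precedes its 0xE1) is an assumption about such readers, not a statement about exif.c.

```python
import base64

# PoC from the bug report (the base64 payload of its data: URI), decoded here.
# Everything else in this block is an added example, not code from php-src.
POC_JPEG = base64.b64decode("/9jhAAlFeGlmAAAg")
EXIF_ID = b"Exif\x00\x00"   # identifier opening an APP1 Exif segment
TIFF_HEADER_LEN = 8         # byte order (2) + magic 0x002A (2) + IFD0 offset (4)
APP1, SOS = 0xE1, 0xDA

def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment between SOI and SOS.
    Assumption: like a lenient reader, 0xFF bytes are skipped and the next
    byte is the marker (the PoC has no 0xFF before its 0xE1). The 16-bit
    length counts itself; a length below 2 or past the end raises ValueError."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos < len(data):
        while pos < len(data) and data[pos] == 0xFF:   # skip padding/marker prefix
            pos += 1
        if pos >= len(data) or data[pos] == SOS:
            return
        marker = data[pos]
        if pos + 3 > len(data):
            raise ValueError(f"segment 0x{marker:02x}: truncated length field")
        length = int.from_bytes(data[pos + 1:pos + 3], "big")
        end = pos + 1 + length
        if length < 2 or end > len(data):
            raise ValueError(f"segment 0x{marker:02x}: length {length}, "
                             f"only {len(data) - pos - 1} byte(s) available")
        yield marker, data[pos + 3:end]
        pos = end

def check_exif_segment(data):
    """Return 'ok' when every APP1 Exif segment carries a complete TIFF header,
    otherwise the reason to reject the file before any TIFF parsing runs."""
    try:
        for marker, payload in jpeg_segments(data):
            if marker != APP1 or not payload.startswith(EXIF_ID):
                continue
            tiff = payload[len(EXIF_ID):]
            if len(tiff) < TIFF_HEADER_LEN:
                return f"Exif segment has {len(tiff)} byte(s) of TIFF data, {TIFF_HEADER_LEN} required"
            if tiff[:2] not in (b"II", b"MM"):
                return "invalid TIFF byte-order mark"
    except ValueError as err:
        return f"malformed JPEG: {err}"
    return "ok"

print(check_exif_segment(POC_JPEG))  # Exif segment has 1 byte(s) of TIFF data, 8 required
```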

History

[2020-02-19 10:08 UTC] [email protected]

-Assigned To: +Assigned To: stas

[2020-02-24 18:12 UTC] [email protected]

-CVE-ID: +CVE-ID: 2020-7064

[2020-03-16 03:30 UTC] [email protected]

I’ve verified that the fix fixes the issue on oss-fuzz setup.

[2020-03-17 05:39 UTC] [email protected]

-Status: Assigned +Status: Closed
