exif_read_data broken in a lot of use cases by the CVE-2016-6291 bugfix

Bug #1633031 reported by Josip Rodin on 2016-10-13
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Low
Unassigned
Precise
High
Unassigned
Trusty
High
Marc Deslauriers

Bug Description

Hi,

Looks like this bug affects the 5.x series too: https://bugs.php.net/bug.php?id=72682

After the security upgrade:

php5 (5.3.10-1ubuntu3.24) precise-security; urgency=medium
...
    SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
        debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
        CVE-2016-6291
...
    -- Marc Deslauriers <email address hidden> Mon, 01 Aug 2016 13:27:52 -0400

Looks like others noticed it too, cf. http://stackoverflow.com/questions/38772471/php-exif-read-data-no-longer-extracts-gps-location

Please update the security patch so the regression is resolved. TIA.

Nish Aravamudan (nacc) wrote :

Thank you for filing this bug report! It does seem like a regression and we will ensure the affected versions get the fix.

Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → Low
status: Triaged → Invalid
Changed in php5 (Ubuntu Precise):
status: New → Triaged
Changed in php5 (Ubuntu Trusty):
status: New → Triaged
Changed in php5 (Ubuntu Precise):
importance: Undecided → Medium
Changed in php5 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in php5 (Ubuntu Precise):
importance: Medium → High
Changed in php5 (Ubuntu Trusty):
importance: Medium → High

This was unfortunately lost it seems.
I was able to confirm that trusty is still affected - later php versions seem fine.

I subscribe Marc who did the update and properly tag the bug as update regression.
Fix should be [1] but I want to leave that decision to Marc - not to break the CVe by that or anything like it.

[1]: http://git.php.net/?p=php-src.git;a=commit;h=c6bd054b86c52948505be7409ad8d6488db062f6

tags: added: regression-update
Marc Deslauriers (mdeslaur) wrote :

I'll make sure I include the fix for this in the next round of security updates, thanks.

Changed in php5 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.9+dfsg-1ubuntu4.23

---------------
php5 (5.5.9+dfsg-1ubuntu4.23) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer over-read while unserializing untrusted data
    - debian/patches/CVE-2017-12933.patch: add check to
      ext/standard/var_unserializer.*, add test to
      ext/standard/tests/serialize/bug74111.phpt, adjust test in
      ext/standard/tests/serialize/bug25378.phpt.
    - CVE-2017-12933
  * SECURITY UPDATE: information leak in php_parse_date function
    - debian/patches/CVE-2017-16642.patch: fix backof/frontof in
      ext/date/lib/parse_date.*, fix test in
      ext/date/tests/bug53437_var3.phpt, added test to
      ext/wddx/tests/bug75055.*.
    - CVE-2017-16642
  * SECURITY UPDATE: XSS in PHAR error page
    - debian/patches/CVE-2018-5712.patch: remove file name from output to
      avoid XSS in ext/phar/shortarc.php, ext/phar/stub.h, fix tests in
      ext/phar/tests/*.
    - CVE-2018-5712
  * SECURITY REGRESSION: exif_read_data broken (LP: #1633031)
    - debian/patches/CVE-2016-6291-regression.patch: add DJI signatures to
      the MAKERNOTE and its supported tags in ext/exif/exif.c.

 -- Marc Deslauriers <email address hidden> Thu, 08 Feb 2018 08:24:11 -0500

Changed in php5 (Ubuntu Trusty):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers