CVE-2014-5120
Published 2014-08-23
Priority: P3 · 47 · medium · CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
EPSS: 16.93% (96.7th percentile)
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
Affected
50 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_yosemite_v10.10.3_and_security_update_2015-004 | — | — |
| debian | libgd2 | — | — |
| php | php | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vendor_debian | — | 6.4 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
GHSA-3wv8-w3p3-hq59: gd_ctx
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-20
Red Hat
php: gd extension NUL byte injection in file names
vendor_redhat · 2014-07-31 · CVSS 5.0 · MEDIUM · CWE-626
It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions.
Statement: This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as
Debian
CVE-2014-5120: libgd2 - gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 ...
vendor_debian · 2014 · CVSS 6.4 · MEDIUM
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Apple
CVE-2014-5120: OS X Yosemite v10.10.3 and Security Update 2015-004
vendor_apple · CVSS 6.4 · MEDIUM
Apple Security Update: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Product: OS X Yosemite v10.10.3 and Security Update 2015-004
CVE: CVE-2014-5120
Component: CVE-2014-5120
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
bugzilla · 2015-05-20 · CVSS 5.0 · MEDIUM
Regressions of parts of the CVE-2006-7243 fix were found in PHP >= 5.4. This issue is similar to CVE-2015-2348 (bug 1207682) and CVE-2014-5120 (bug 1132793).
Upstream report:
https://bugs.php.net/bug.php?id=69418
Upstream fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=be9b2a95adb504abd5acdc092d770444ad6f6854
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1223447]
---
I noted CVE-2006-7243 (see bug 662707) regressions in PHP 5.4+ for the following functions in the upstream bug report:
- set_include_path()
- tempnam() - second argument only
- rmdir()
- readlink()
readlink() was already fixed in 5.4.40 / 5.5.24 / 5.6.8, see bug 1213407 comment 5.
Linked upstream commit includes additional fi
Bugzilla
CVE-2015-2348 php: move_uploaded_file() NUL byte injection in file name
bugzilla · 2015-03-31 · CVSS 5.0 · MEDIUM
Common Vulnerabilities and Exposures assigned an identifier CVE-2015-2348 to the following vulnerability:
Name: CVE-2015-2348
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2348
Assigned: 20150319
Reference: https://bugs.php.net/bug.php?id=69207
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
Discussion:
Created php tracking bugs for this
Bugzilla
CVE-2014-5120 php: gd extension NUL byte injection in file names
bugzilla · 2014-08-22 · CVSS 5.0 · MEDIUM
The PHP 5.4.32 release fixes an issue in its embedded copy of the gd library. When using certain image handling functions, if an attacker can supply a path containing a NUL byte, it would terminate the path early, possibly leading to an unexpected file being overwritten.
The upstream bug notes this issue was introduced in PHP version 5.4.
From an initial code review it looks less likely that the gd library package is affected.
References:
http://php.net/ChangeLog-5.php#5.4.32
https://bugs.php.net/bug.php?id=67730
https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1132794]
---
This is corrected in
Bugzilla
CVE-2014-5120 php: gd: NUL byte injection in filenames passed to image handling functions [fedora-all]
bugzilla · 2014-08-22 · CVSS 6.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multip
References:
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00024.html
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2014-1327.html
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- http://rhn.redhat.com/errata/RHSA-2014-1766.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- https://bugs.php.net/bug.php?id=67730
- https://support.apple.com/HT204659