Bug 18497

Summary: libgd new security issue CVE-2015-8874
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/688208/
Whiteboard: has_procedure advisory mga5-64-ok MGA5-32-OK
Source RPM: libgd-2.1.1-1.1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-20 18:20:25 CEST
Debian-LTS has issued an advisory on May 19:
http://lwn.net/Alerts/688192/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerability:

It was discovered that there was a stack consumption vulnerability in the
libgd2 graphics library which allowed remote attackers to cause a denial of
service via a crafted imagefilltoborder() call (CVE-2015-8874).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8874
http://lwn.net/Alerts/688192/
========================

Updated packages in core/updates_testing:
========================
libgd3-2.1.1-1.2.mga5
libgd-devel-2.1.1-1.2.mga5
libgd-static-devel-2.1.1-1.2.mga5
gd-utils-2.1.1-1.2.mga5

from libgd-2.1.1-1.2.mga5.src.rpm
Comment 1 David Walser 2016-05-20 18:22:29 CEST
Unfortunately this was missed when we updated to PHP 5.6.12.

From the upstream PHP bug:
https://bugs.php.net/bug.php?id=66387

PoC is:
<?php
$im = imagecreatetruecolor(20, 20);           // 20x20 true-colour image
$c = imagecolorallocate($im, 255, 0, 0);      // red, used as both fill and border colour
imagefilltoborder($im, 0, -999355, $c, $c);   // y far outside the image: triggers the stack consumption (CVE-2015-8874)
?>

save that as foo.php and run "php foo.php" and you get a segfault.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-05-20 18:47:30 CEST
Mageia 5 i586, after the update, no segfault.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 3 claire robinson 2016-05-21 22:00:27 CEST
Tested mga5 64

Validating

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory mga5-64-ok MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Lewis Smith 2016-05-21 22:05:23 CEST
Had just done the x64 test... To confirm Claire's findings.

Testing M5 x64

@David: Thanks for the neat test in Comment 1.

BEFORE update:
 lib64gd3-2.1.1-1.1.mga5
 gd-utils-2.1.1-1.1.mga5
$ php foo.php
Segmentation fault

AFTER update:
 lib64gd3-2.1.1-1.2.mga5
 gd-utils-2.1.1-1.2.mga5
$ php foo.php
$ 
So the update is fine.

CC: (none) => lewyssmith
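The before/after check from Comment 1 and Comment 4 can be scripted so that QA gets a verdict ("segfault" or "clean") instead of reading the shell's error message. The script below is an added example, not part of the bug report or of Mageia's QA tooling; it assumes `php` and `rpm` are on PATH, and the PoC text is a copy of the one posted in Comment 1.

```shell
#!/bin/sh
# Added regression check (not from the bug report): automates the before/after
# procedure from Comments 1 and 4. Assumes `php` and `rpm` are available.

# Constructed copy of the PoC from Comment 1 (y coordinate far outside the image).
GD_POC='<?php
$im = imagecreatetruecolor(20, 20);
$c = imagecolorallocate($im, 255, 0, 0);
imagefilltoborder($im, 0, -999355, $c, $c);
?>'

# Map a shell exit status to a verdict. A process killed by SIGSEGV is reported
# by POSIX shells as 128 + 11 = 139.
classify_status() {
    case "$1" in
        0)   echo clean ;;
        139) echo segfault ;;
        *)   echo "other:$1" ;;
    esac
}

# Run a command with all output discarded (including the shell's own
# "Segmentation fault" notice) and print the verdict for its exit status.
run_and_classify() {
    if ( "$@" ) >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# Report which libgd runtime package is installed (names as on this page:
# lib64gd3 on x86_64, libgd3 on i586).
installed_libgd() {
    rpm -q lib64gd3 libgd3 2>/dev/null | grep -v 'not installed' || echo "libgd: not found"
}

# Write the PoC to a temp file and run it under php; prints "segfault" with the
# 1.1.mga5 package and "clean" once 1.2.mga5 is installed.
run_poc() {
    command -v php >/dev/null 2>&1 || { echo "php not installed"; return 2; }
    tmp=$(mktemp) || return 2
    printf '%s\n' "$GD_POC" > "$tmp"
    verdict=$(run_and_classify php "$tmp")
    rm -f "$tmp"
    echo "$verdict"
}

# Only execute the PoC when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    installed_libgd
    echo "php foo.php -> $(run_poc)"
fi
```

Run it as `sh gd-check.sh --run` before and after `urpmi --update`; the verdict line should change from `segfault` to `clean`, matching what Lewis saw by hand.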

Comment 5 Mageia Robot 2016-05-22 00:12:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0203.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED