| Summary: | libgd new security issues CVE-2015-8874, CVE-2016-5766, CVE-2016-5767, and CVE-2016-6128 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/692867/ | ||
| Whiteboard: | MGA5-32-OK advisory | ||
| Source RPM: | libgd-2.1.1-1.2.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 18765 | ||
|
Description
David Walser
2016-06-28 00:54:38 CEST
David Walser
2016-06-28 00:54:48 CEST
Blocks: (none) => 18765

A CVE has been assigned for another security issue fixed upstream in libgd since the 2.2.2 release, also corresponding to a PHP bug:
http://openwall.com/lists/oss-security/2016/06/30/1

The CVE-2016-5766 fix apparently wasn't included in the 2.2.2 release after all, and was also recently committed upstream. That has also been added to the package.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

Stack overflow with imagefilltoborder (CVE-2015-8874).

Integer Overflow in _gd2GetHeader() resulting in heap overflow (CVE-2016-5766).

Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (CVE-2016-5767).

Improperly handling invalid color index in gdImageCropThreshold() could result in denial of service (CVE-2016-6128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6128
https://github.com/libgd/libgd/releases/tag/gd-2.2.2
http://php.net/ChangeLog-5.php#5.6.23
http://openwall.com/lists/oss-security/2016/06/30/1
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.2-1.1.mga5
libgd-devel-2.2.2-1.1.mga5
libgd-static-devel-2.2.2-1.1.mga5
gd-utils-2.2.2-1.1.mga5

from libgd-2.2.2-1.1.mga5.src.rpm

Working fine on Mageia 5 i586 with my usual test case. PoCs not checked yet.
Whiteboard: (none) => MGA5-32-OK

CVE-2016-6128 (php#72494) PoC:

```c
#include <stdio.h>
#include <stdlib.h>
#include "gd.h"

int main()
{
    gdImagePtr im, exp;
    int error = 0;

    /* 50x50 palette image with no colors allocated */
    im = gdImageCreate(50, 50);
    /* color index 1337 does not exist in this image */
    gdImageCropThreshold(im, 1337, 0);
    gdImageDestroy(im);
    /* this bug tests a crash, it never reaches this point if the bug exists */
    return 0;
}
```

saved as php72494.c and compiled with gcc -lgd php72494.c runs fine on Mageia 5 i586. No output after the update. Before the update gave:
GD Warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
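The two kinds of argument check that the fixes in this update come down to, written as an added stand-alone example (not libgd's code and not part of this bug report) so it compiles without gd.h; the function names, the field names trueColor/colorsTotal and the exact rules are assumptions, only the warning strings are the ones quoted from the PoC output above.

```c
/* Added example, not libgd's code: stand-alone versions of the argument
 * checks behind the fixes in this bug. Warning strings as quoted above. */
#include <limits.h>
#include <stdio.h>

/* Allocation-size guard of the kind used for the CVE-2016-5766/5767 fixes
 * (assumption: semantics only, not libgd's own overflow2() source).
 * Returns 1 when a*b must not be used as an allocation size. */
int alloc_product_overflows(int a, int b)
{
    if (a <= 0 || b <= 0) {
        fputs("GD Warning: one parameter to a memory allocation multiplication "
              "is negative or zero, failing operation gracefully\n", stderr);
        return 1;
    }
    if (a > INT_MAX / b) {  /* a*b > INT_MAX, tested without overflowing */
        fputs("GD Warning: product of memory allocation multiplication would "
              "exceed INT_MAX, failing operation gracefully\n", stderr);
        return 1;
    }
    return 0;
}

/* Color-index guard for the CVE-2016-6128 case (assumption: parameters are
 * named after gdImage's trueColor/colorsTotal; the rule is not libgd's exact
 * code). A truecolor image takes any packed ARGB value; a palette image
 * only an index of an allocated entry. Returns 1 when the index is usable. */
int crop_color_is_valid(int trueColor, int colorsTotal, int color)
{
    if (trueColor)
        return 1;
    return color >= 0 && color < colorsTotal;
}

/* The PoC's arguments: a 50x50 palette image with no colors allocated,
 * cropped against index 1337. Returns 1 if the call would be refused. */
int poc_call_is_refused(void)
{
    return !alloc_product_overflows(50, 50)   /* image allocation itself is fine */
        && !crop_color_is_valid(0, 0, 1337);  /* but the index is out of range */
}

int main(void)
{
    printf("gd2 header 65536x65536 chunks refused: %d\n",
           alloc_product_overflows(65536, 65536));
    printf("PoC crop index 1337 refused: %d\n", poc_call_is_refused());
    return 0;
}
```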
David Walser
2016-07-01 19:48:12 CEST
Summary: libgd new security issues CVE-2015-8874, CVE-2016-5766, and CVE-2016-5767 => libgd new security issues CVE-2015-8874, CVE-2016-5766, CVE-2016-5767, and CVE-2016-6128

php#66387 (CVE-2015-8874) PoC gives no output before or after update.

php#72339 (CVE-2016-5766) before gives a segfault. After gives:
PHP Parse error: imagecreatefromgd2(): product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /tmp/php72339.php on line 1
PHP Warning: imagecreatefromgd2(): 'poc.gd' is not a valid GD2 file in /tmp/php72339.php on line 1

php#72446 (CVE-2016-5767) before and after gives:
PHP Parse error: imagecreate(): product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /tmp/php72446.php on line 4
PHP Warning: imagecolorallocatealpha() expects parameter 1 to be resource, boolean given in /tmp/php72446.php on line 5
PHP Warning: imagepalettetotruecolor() expects parameter 1 to be resource, boolean given in /tmp/php72446.php on line 7

All looks fine.

Dave Hodgins
2016-07-04 09:05:09 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0242.html

Status: NEW => RESOLVED

LWN reference for CVE-2016-6128: http://lwn.net/Vulnerabilities/693576/

CVE-2016-9933 also fixed by this update: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9933.html