| Summary: | libgd new security issue CVE-2016-7568 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, mageia, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/703328/ | ||
| Whiteboard: | MGA5-64-OK advisory | ||
| Source RPM: | libgd-2.2.3-1.1.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Simple test of libgd, poc.php | ||
|
Description
David Walser
2016-09-28 21:48:02 CEST
David Walser
2016-09-28 21:48:12 CEST
Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since the registered maintainer is unavailable.

CC: (none) => marja11

lingd testsuite are for now broken due to new freetype 2.7, see upstream issue: https://github.com/libgd/libgd/issues/302

CC: (none) => geiger.david68210

s/lingd/libgd/ :)

I mean only on Cauldron.

I temporarily disabled the test suite in Cauldron.

Suggested advisory:

========================

The updated packages fix a security vulnerability:

Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls. (CVE-2016-7568)

References:
http://openwall.com/lists/oss-security/2016/09/28/7
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568

========================

Updated packages in core/updates_testing:

========================

i586:
libgd3-2.2.3-1.2.mga5.i586.rpm
libgd-devel-2.2.3-1.2.mga5.i586.rpm
libgd-static-devel-2.2.3-1.2.mga5.i586.rpm
gd-utils-2.2.3-1.2.mga5.i586.rpm

x86_64:
lib64gd3-2.2.3-1.2.mga5.x86_64.rpm
lib64gd-devel-2.2.3-1.2.mga5.x86_64.rpm
lib64gd-static-devel-2.2.3-1.2.mga5.x86_64.rpm
gd-utils-2.2.3-1.2.mga5.x86_64.rpm

Source RPMs:
libgd-2.2.3-1.2.mga5.src.rpm

Status: NEW => ASSIGNED

Testing on 64bit hardware.

Part 1: pre-updates

The gd-utils package supplies some utilities but a list of them is not easily found. Searching /usr/bin turns up these possibles:

    bdftogd gd2copypal gd2togif gd2topng gdcmpgif gdparttopng gdtopng giftogd2 pngtogd

and urpmqf shows that gnuplot uses gd.

The online tutorial at https://libgd.github.io/manuals/2.2.3/files/preamble-txt.html includes a simple program as a demonstration, attached here. When compiled and run it creates a PNG image of a black rectangle with a diagonal white line (test.png).

    $ pngtogd test.png test.gd

produces a binary file which can be converted back to a PNG.

    gdtopng test.gd test2.png

The test2.png looks exactly like test.png. It looks like gd2 is a different format so ignore those utilities with gd2 in the name.

gnuplot can be used to run the demos already on board at /usr/share/doc/gnuplot-nox/demo/ e.g.

    $ cd demos
    $ gnuplot orbits.dem
    ctrl-C

A PoC exists for PHP but not libgd (programmer required).

    <?php
    ini_set('memory_limit', -1);
    $im = imagecreatetruecolor(0x8000, 0x8001);
    imagewebp($im, 'php.webp');
    imagedestroy($im);
    ?>

This needs somebody conversant with web programming. I don't know how to run this. Details of output at https://bugs.php.net/bug.php?id=73003

CC: (none) => tarazed25

Created attachment 8514
Simple test of libgd

This generates test.png which displays as a diagonal white line on a black background. Use the command at the head of the file to compile and link.

The test program actually generates test.jpg also.

Generally PHP is the best way to test libgd. It's fine if you want to use the C API too of course.

As I said, this needs somebody who knows PHP. I have not yet got up to speed.

(In reply to Len Lawrence from comment #9)
> As I said, this needs somebody who knows PHP. I have not yet got up to
> speed.

And using the C API needs someone who knows C. PHP is generally an easier language, and it should be easier to find snippets out there using PHP via GD.

There is no PoC in C. PHP is all that I could find but I don't know how to run the snippet. I tried wrapping it in HTML and pointing firefox at localhost - the header came up but nothing else. Then tried copying naked PHP PoC (called php) to /var/www/html and using localhost/php. Nothing. I just have no idea.

It looks like you should be able to run it at the command-line (install php-cli) by saving it to a file (say foo.php) and running "php foo.php"

Note that for your testing through the browser, it should be saved with a .php extension, otherwise Apache won't know to run it through mod_php.

Many thanks for that David.

    $ php foo.php
    PHP Warning: imagewebp(): gd-webp encoding failed in /home/lcl/qa/gd/foo.php on line 4
    *** Error in `php': free(): invalid pointer: 0x00007fec4c457010 ***
    ======= Backtrace: =========
    /usr/lib64/libc.so.6(+0x7238e)[0x7fec6437e38e]
    ..................
    Abort

Now we have something to work with.

Part 2. Installed the updates.

    $ php foo.php
    PHP Warning: imagewebp(): product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /home/lcl/qa/gd/foo.php on line 4

Looks like it has been fixed. Shall run the functional tests tomorrow.

Created attachment 8515
poc.php

From https://bugs.php.net/bug.php?id=73003

Ran gnuplot on some of the demos and tried the gdex program. Both functioning normally.

In view of the pressure on QA we should skip the 32bit test and validate this.
Len Lawrence
2016-10-12 12:13:33 CEST
Keywords: (none) => validated_update
Nicolas Lécureuil
2016-10-12 15:37:42 CEST
CC: (none) => mageia

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0339.html

Status: ASSIGNED => RESOLVED
David Walser
2016-10-12 18:17:22 CEST
URL: (none) => http://lwn.net/Vulnerabilities/703328/ |
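
The integer overflow named in the advisory and the "would exceed INT_MAX" warning seen after the update, worked through for the PoC's dimensions. This is an added example, not libgd's or PHP's code; it assumes a 4-bytes-per-pixel buffer sized width * 4 * height, and the helper names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: 1 if a * b cannot be represented as a positive int. */
static int mul_would_overflow(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;
    return a > INT_MAX / b;
}

/* Unchecked 32-bit size computation: unsigned arithmetic silently wraps. */
static uint32_t unchecked_argb_size(uint32_t w, uint32_t h)
{
    return w * 4u * h;
}

/* Checked computation: returns 0 and sets *out on success, -1 if the size
 * would exceed INT_MAX, so the caller can fail before allocating anything. */
static int checked_argb_size(int w, int h, size_t *out)
{
    if (mul_would_overflow(w, 4) || mul_would_overflow(w * 4, h))
        return -1;
    *out = (size_t)w * 4u * (size_t)h;
    return 0;
}

int main(void)
{
    /* Dimensions taken from the PoC on this page. */
    int w = 0x8000, h = 0x8001;
    size_t n = 0;

    printf("true size      : %llu bytes\n", (unsigned long long)w * 4 * h);
    printf("wrapped to     : %u bytes\n", (unsigned)unchecked_argb_size(w, h));
    printf("checked result : %d\n", checked_argb_size(w, h, &n));
    if (checked_argb_size(640, 480, &n) == 0)
        printf("640x480 is fine: %zu bytes\n", n);
    return 0;
}
```

With the PoC's 0x8000 by 0x8001 image the true size is just over 4 GiB, but a 32-bit computation wraps to 131072 bytes, which is why an unchecked allocation ends up far smaller than the data written into it.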