| Summary: | libgd new security issues CVE-2016-6912, CVE-2016-9317, CVE-2016-1016[6-8] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, lewyssmith, nicolas.salguero, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/712364/ | | |
| Whiteboard: | advisory MGA5-64-OK MGA5-32-OK | | |
| Source RPM: | libgd-2.2.3-1.4.mga5.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2017-01-24 12:58:14 CET

David Walser
2017-01-24 12:58:27 CET
CC: (none) => geiger.david68210

David Walser
2017-01-25 00:12:36 CET
URL: (none) => https://lwn.net/Vulnerabilities/712364/

Hi David,

I have a strange problem: when building libgd-2.2.4 locally (either Mga5 or Cauldron, using either X11 or console), all tests are successful but on the build system, the test "fontconfig/basic" fails (see: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20170124154217.ns80.duvel.38107/log/libgd-2.2.4-1.mga5/build.0.20170124154303.log) and I have no idea why that happens.

Do you think I can disable that test for the moment?

Best regards,

Nico.

Maybe the test only works when run in X or something. If it passes locally, I think it'd be OK to disable it.

Looks like it's built for Mageia 5, just not Cauldron.

libgd3-2.2.4-1.mga5
libgd-devel-2.2.4-1.mga5
libgd-static-devel-2.2.4-1.mga5
gd-utils-2.2.4-1.mga5

from libgd-2.2.4-1.mga5.src.rpm

CVEs were requested for more fixes:
http://openwall.com/lists/oss-security/2017/01/26/1

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)

Double-free in gdImageWebPtr(). (CVE-2016-6912)

Potential unsigned underflow in gd_interpolation.c. (CVE not assigned yet)

DOS vulnerability in gdImageCreateFromGd2Ctx(). (CVE not assigned yet)

Signed Integer Overflow gd_io.c. (CVE not assigned yet)

References:
https://github.com/libgd/libgd/releases/tag/gd-2.2.4
http://openwall.com/lists/oss-security/2017/01/26/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.4-1.mga5
libgd-devel-2.2.4-1.mga5
libgd-static-devel-2.2.4-1.mga5
gd-utils-2.2.4-1.mga5

from SRPMS:
libgd-2.2.4-1.mga5.src.rpm
Version: Cauldron => 5

Nicolas,

While people can test this if they want, we can't formally push it yet since it hasn't been built in Cauldron. I try to make sure things get built there first, to prevent this kind of issue.
CC: (none) => qa-bugs

(In reply to David Walser from comment #5)
> Nicolas,
>
> While people can test this if they want, we can't formally push it yet since
> it hasn't been built in Cauldron. I try to make sure things get built there
> first, to prevent this kind of issue.

Just in case you didn't see, one more test fails in Cauldron:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170127165834.akien.duvel.30979/log/libgd-2.2.4-1.mga6/build.0.20170127165906.log

CVE-2016-1016[6-8] assigned:
http://openwall.com/lists/oss-security/2017/01/28/6
Summary: libgd new security issues CVE-2016-6912 and CVE-2016-9317 => libgd new security issues CVE-2016-6912, CVE-2016-9317, CVE-2016-1016[6-8]

Now it's been uploaded for Cauldron. Thanks.

QA team: please test this along with the PHP update.
Assignee: nicolas.salguero => qa-bugs

(In reply to David Walser from comment #7)
> CVE-2016-1016[6-8] assigned:
> http://openwall.com/lists/oss-security/2017/01/28/6

LWN reference for CVE-2016-1016[78]:
https://lwn.net/Vulnerabilities/713050/

To be consistent with the Cauldron version, I rebuilt libgd without the patch disabling fontconfig/basic test (I used the variable XFAIL_TESTS instead).

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)

Double-free in gdImageWebPtr(). (CVE-2016-6912)

Potential unsigned underflow in gd_interpolation.c. (CVE-2016-10166)

DOS vulnerability in gdImageCreateFromGd2Ctx(). (CVE-2016-10167)

Signed Integer Overflow gd_io.c. (CVE-2016-10168)

References:
https://github.com/libgd/libgd/releases/tag/gd-2.2.4
http://openwall.com/lists/oss-security/2017/01/26/1
http://openwall.com/lists/oss-security/2017/01/28/6
https://lwn.net/Vulnerabilities/713050/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.4-1.1.mga5
libgd-devel-2.2.4-1.1.mga5
libgd-static-devel-2.2.4-1.1.mga5
gd-utils-2.2.4-1.1.mga5

from SRPMS:
libgd-2.2.4-1.1.mga5.src.rpm

CVE-2016-6906 is also fixed with this update:
https://security-tracker.debian.org/tracker/CVE-2016-6906

LWN reference (for that and CVE-2016-10166):
https://lwn.net/Vulnerabilities/713270/

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

OOB reads of the TGA decompression buffer (CVE-2016-6906).

Double-free in gdImageWebPtr() (CVE-2016-6912).

gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities (CVE-2016-9317).

Potential unsigned underflow in gd_interpolation.c (CVE-2016-10166).

DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167).

Signed Integer Overflow gd_io.c (CVE-2016-10168).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
https://github.com/libgd/libgd/releases/tag/gd-2.2.4
http://openwall.com/lists/oss-security/2017/01/26/1
http://openwall.com/lists/oss-security/2017/01/28/6
https://www.debian.org/security/2017/dsa-3777
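Two of the fixes in the advisory above are about trusting sizes read from an image header: the oversized-image check in gdImageCreate() (CVE-2016-9317) and the DoS in the GD2 loader gdImageCreateFromGd2Ctx() (CVE-2016-10167). As an added illustration, not code from this bug report or from libgd, here is a defensive parser for the fixed part of a GD2 header that validates every field before anything is sized from it. The field layout and limits (4-byte "gd2" id, then big-endian 16-bit version, width, height, chunk size, format and chunk counts; chunk size 64 to 4096; formats 1 to 4) are assumed from libgd's gd_gd2.c, while MAX_PIXELS and the chunk-grid consistency check are our own choices.

```python
import struct
from math import ceil

# GD2 header layout and limits as implemented in libgd's gd_gd2.c (an
# assumption taken from the libgd source, not from the bug report):
# a 4-byte id "gd2\0", then seven big-endian 16-bit words.
GD2_MAGIC = b"gd2\x00"
HEADER_LEN = 18
CHUNK_MIN, CHUNK_MAX = 64, 4096                      # GD2_CHUNKSIZE_MIN/MAX
FMT_RAW, FMT_COMPRESSED, FMT_RAW_TC, FMT_COMPRESSED_TC = 1, 2, 3, 4
MAX_PIXELS = 64 * 1024 * 1024                        # our own allocation budget

def parse_gd2_header(data: bytes) -> dict:
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    if data[:4] != GD2_MAGIC:
        raise ValueError("bad magic")
    vers, sx, sy, cs, fmt, ncx, ncy = struct.unpack(">7H", data[4:HEADER_LEN])
    if vers not in (1, 2):
        raise ValueError(f"unsupported version {vers}")
    if sx == 0 or sy == 0 or sx * sy > MAX_PIXELS:
        raise ValueError(f"refusing {sx}x{sy} image")   # the CVE-2016-9317 class
    if not CHUNK_MIN <= cs <= CHUNK_MAX:
        raise ValueError(f"chunk size {cs} out of range")
    if fmt not in (FMT_RAW, FMT_COMPRESSED, FMT_RAW_TC, FMT_COMPRESSED_TC):
        raise ValueError(f"unknown format {fmt}")
    # Our own check, stricter than the on-disk format: the chunk grid must be
    # what width, height and chunk size imply, so a small image cannot declare
    # a huge chunk index that the loader would then allocate and walk.
    if ncx != ceil(sx / cs) or ncy != ceil(sy / cs):
        raise ValueError("chunk count inconsistent with dimensions")
    compressed = fmt in (FMT_COMPRESSED, FMT_COMPRESSED_TC)
    index_bytes = ncx * ncy * 8 if compressed else 0  # one (offset, size) pair per chunk
    if len(data) < HEADER_LEN + index_bytes:
        raise ValueError("truncated chunk index")
    return {"version": vers, "width": sx, "height": sy, "chunk_size": cs, "format": fmt,
            "ncx": ncx, "ncy": ncy, "compressed": compressed, "index_bytes": index_bytes}

def reject_reason(data: bytes):
    # None if the header passes, otherwise the reason it was refused.
    try:
        parse_gd2_header(data)
        return None
    except ValueError as e:
        return str(e)

def make_header(sx, sy, cs, fmt, ncx=None, ncy=None, vers=2, index=b"") -> bytes:
    """Constructed GD2 header used as a test fixture (not a real image file)."""
    ncx = ceil(sx / cs) if ncx is None else ncx
    ncy = ceil(sy / cs) if ncy is None else ncy
    return GD2_MAGIC + struct.pack(">7H", vers, sx, sy, cs, fmt, ncx, ncy) + index
```

The `cs` and `fmt` values correspond to the chunk size and raw/compressed arguments that `giftogd2` and `pngtogd2` take on the command line.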
Dave Hodgins
2017-02-03 00:33:28 CET
Whiteboard: (none) => advisory

Pre-test info
-------------
I could find no test file in the references above; but this library has a host of associated programs in gd-utils which use it. None of these have man pages, but <command> -h gives a clue. For convenience I summarise them here (which makes a long post; sorry):
$ annotate -h
Usage: annotate imagein.jpg imageout.jpg
[gets complicated]
$ bdftogd -h
usage: bdftogd fontname filename, eg. bdftogd FontLarge gdfontl
$ gd2copypal -h
Usage: gd2copypal palettefile.gd2 filename.gd2
$ gd2togif -h
Usage: gd2togif filename.gd2 filename.gif
$ gd2topng -h
Usage: gd2topng filename.gd2 filename.png [srcx srcy width height]
If the coordinates are absent, the entire image is converted.
$ gdcmpgif -h
Usage: gdcmpgif filename.gif filename.gif
$ gdparttopng -h
Usage: gdparttopng filename.gd filename.png x y w h
$ gdtopng -h
Usage: gdtopng filename.gd filename.png
$ giftogd2 -h
Usage: giftogd2 filename.gif filename.gd2 cs fmt
where cs is the chunk size; fmt is 1 for raw, 2 for compressed
$ pngtogd -h
Usage: pngtogd filename.png filename.gd
$ pngtogd2 -h
Usage: pngtogd2 filename.png filename.gd2 cs fmt
where cs is the chunk size; fmt is 1 for raw, 2 for compressed
/usr/bin/webpng
$ webpng -h
Usage: webpng [-i y|n] [-l] [-t index|none] [-d] [-a] pngname.png
[gets complicated]
The library is specifically aimed at web image formats. It uses its own formats 'gd' and 'gd2': "GD and GD2 are image formats invented by libgd ... nobody else implemented GD/GD2 support" (perhaps not true).
CC: (none) => lewyssmith

Conversion summary
-----------------
To help sort the wood from the trees in the previous comment...

| | GD | GD2 |
|---|---|---|
| GIF | - | giftogd2 |
| | - | gd2togif |
| PNG | pngtogd | pngtogd2 |
| | gdtopng | gd2topng |

Testing M5 x64 BEFORE update:
lib64gd3-2.2.3-1.4.mga5
gd-utils-2.2.3-1.4.mga5

Armed myself with static .gif and .png images, converted them to & from .gd and .gd2 (where possible according to the grid above), compared the final output images to the originals - all looked OK.

$ giftogd2 200_s.gif 200_s.gd2 1000 2   [chunksize, guess; compress]
$ gd2togif 200_s.gd2 200a_s.gif
$ display 200a_s.gif
$ gd2topng 200_s.gd2 200a_s.png
$ display 200a_s.png
$ pngtogd XferWise.png XferWise.gd
$ gdtopng XferWise.gd XferWisea.png
$ display XferWisea.png
$ pngtogd2 RyanAirLim-Leeds.png RyanAirLim-Leeds.gd2 1000 2   [chunksize, compress]
$ gd2topng RyanAirLim-Leeds.gd2 RyanAirLim-Leedsa.png
$ display RyanAirLim-Leedsa.png
$ gd2togif RyanAirLim-Leeds.gd2 RyanAirLim-Leedsa.gif
$ display RyanAirLim-Leedsa.gif

AFTER the update:
lib64gd3-2.2.4-1.1.mga5
gd-utils-2.2.4-1.1.mga5

The same sequence of commands yielded the same correct end results. OK
Whiteboard: advisory => advisory MGA5-64-OK

Tested converting a png to a gd2 file, then the gd2 file to a gif file. Viewed original and result in xv.

Testing complete on Mageia 5 i586.

Validating the update
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0055.html
Status: ASSIGNED => RESOLVED