Bug 24336

Summary: libgd new security issue CVE-2019-6977 and CVE-2019-6978
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: libgd-2.2.5-2.1.mga6.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 24165    

Description David Walser 2019-02-10 20:30:46 CET 
Debian has issued an advisory on February 4:
https://www.debian.org/security/2019/dsa-4384

We should have fixed CVE-2019-6977 in Bug 24165, but the patched libgd package wasn't pushed.  I've added the missing part of the upstream patch I referenced in:
https://bugs.mageia.org/show_bug.cgi?id=24165#c12

as well as added the patch for CVE-2019-6978.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD)
2.2.5 has a heap-based buffer overflow. This can be exploited by an attacker
who is able to trigger calls to the function with crafted image data
(CVE-2019-6977).

The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
(CVE-2019-6978).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
https://www.debian.org/security/2019/dsa-4384
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.5-2.3.mga6
libgd-devel-2.2.5-2.3.mga6
libgd-static-devel-2.2.5-2.3.mga6
gd-utils-2.2.5-2.3.mga6

from libgd-2.2.5-2.3.mga6.src.rpm
David Walser 2019-02-10 20:31:24 CET

Blocks: (none) => 24165

Comment 1 Len Lawrence 2019-02-10 21:58:20 CET 
mga6, x86_64
Before update:
lib64gd3-2.2.5-2.2.mga6
-------------------------------------------------
CVE-2019-6977
use-after-free test script:
<?php
$img = imagecreate(pow(2, 27), 0x01);
var_dump(imagescale($img, 0x01, 0x01, 20));
echo "Execution continues!\n";

$ php use-after-free
resource(5) of type (gd)
Execution continues!
$
-------------------------------------------------
CVE-2019-6978
out-of-bounds-read test script:
<?php
$img1 = imagecreatetruecolor(0xfff, 0xfff);
$img2 = imagecreate(0xfff, 0xfff);
imagecolorallocate($img2, 0, 0, 0);
imagesetpixel($img2, 0, 0, 255);
imagecolormatch($img1, $img2);

$ php out-of-bounds-read
$
No output.

Waiting for mirrors to synchronize.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2019-02-10 23:32:12 CET 
Oops - those tests were back to front:
CVE-2019-6977
out-of-bounds-write
https://bugs.php.net/bug.php?id=77270

Quote from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920728:
> CVE-2019-6978[0]:
> | The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
> | gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c.
> | NOTE: PHP is unaffected.

Does that mean we cannot use PHP scriptlets to test the vulnerability?
If so then I shall have to look for a C test for 6978 or else forget it.

https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
$ cat useafterfree.c
/**
 * Test that failure to convert to JPEG returns NULL
 *
 * We are creating an image, set its width to zero, and pass this image to
 * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
 *
 * See also <https://github.com/libgd/libgd/issues/381>
 */
#include "gd.h"
int main()
{
    gdImagePtr src, dst;
    int size, numf=0;

    src = gdImageCreateTrueColor(1, 10);
    if (src != NULL) {
       src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
       dst = gdImageJpegPtr(src, &size, 0);
       if (dst == NULL) numf += 1;
    }   
    gdImageDestroy(src);
    return numf;
}

$ gcc -o useafterfree -lgd useafterfree.c
$ chmod +x useafterfree
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)*** Error in `./useafterfree': double free or corruption (!prev): 0x0000000001587ee0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x72435)[0x7f6ea8fbb435]
[...]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
Comment 3 Len Lawrence 2019-02-10 23:49:10 CET 
Clean update for the four packages.
CVE-2019-6977
$ php out-of-bounds-write
$ 
No output, as before - probably good result.

CVE-2019-6978
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image 
$
That looks like a good result.
-------------------------------------------------------------------
This is a very simple utility test for the library using PHP.

Script based on a snippet from one of the libgd websites.
$ cat makepng.php
<?php
header("Content-type: image/png");
$string = "Songbird";
$im     = imagecreatefrompng("songbird.png");
$blue   = imagecolorallocate($im, 90, 90, 220);
$px     = (imagesx($im) - 7.5 * strlen($string)) / 2;
imagestring($im, 3, $px, 9, $string, $blue);
imagepng($im);
imagedestroy($im);

$ php makepng.php > test.png
$ eom test.png
Shows a copy of the original with a superimposed title "Songbird".

Reran under trace to verify libgd is used.
$ cat trace | egrep "libgd|gd"| grep -v qa
stat("/etc/php.d/23_gd.ini", {st_mode=S_IFREG|0644, st_size=227, ...}) = 0
open("/etc/php.d/23_gd.ini", O_RDONLY)  = 3
open("/lib64/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/php/extensions/gd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/php/extensions/gd.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3

Assigning OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 4 Marc Krämer 2019-02-10 23:53:35 CET 
since libgd is the same in cauldron, have to be applied there too.
Comment 5 Len Lawrence 2019-02-10 23:55:21 CET 
Comment 3: s/Reran under trace/Reran under strace/
Comment 6 Len Lawrence 2019-02-11 00:01:34 CET 
Missed a bit:
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)
$
Comment 7 David Walser 2019-02-11 00:10:29 CET 
(In reply to Marc Krämer from comment #4)
> since libgd is the same in cauldron, have to be applied there too.

Oops, thanks for catching that!
Comment 8 Thomas Andrews 2019-02-12 02:37:46 CET 
Len's tests look sufficient to me. Validating for Mageia 6. Advisory in Comment 0.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:49:15 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-02-13 12:10:43 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0073.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED