| Summary: | libgd new security issues CVE-2021-38115 and CVE-2021-40145 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | libgd-2.3.1-1.mga8.src.rpm | CVE: | CVE-2021-38115, CVE-2021-40145 |
| Status comment: | | | |
Description

David Walser
2021-09-08 22:41:51 CEST

David Walser
2021-09-08 22:42:06 CEST

Whiteboard: (none) => MGA8TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file. (CVE-2021-38115)

gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. (CVE-2021-40145)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40145
https://ubuntu.com/security/notices/USN-5068-1
========================

Updated packages in core/updates_testing:
========================
gd-utils-2.3.1-1.1.mga8
lib(64)gd3-2.3.1-1.1.mga8
lib(64)gd-devel-2.3.1-1.1.mga8
lib(64)gd-static-devel-2.3.1-1.1.mga8

from SRPM:
libgd-2.3.1-1.1.mga8.src.rpm

CVE: (none) => CVE-2021-38115, CVE-2021-40145

mga8, x64

CVE-2021-38115
https://github.com/libgd/libgd/issues/697
Downloaded the test payload. Hopefully bug00084.c is the correct test script.
https://fossies.org/linux/libgd/tests/tga/bug00084.c
Unfortunately the gdtest.h include file does not exist here, so the compilation fails.

CVE-2021-40145
https://github.com/libgd/libgd/issues/700
The discussion of memory leak tests here is somewhat confusing. It is not clear if the suggested tests are effective or not. One of them requires a special JPEG file, but there is no link.

https://github.com/libgd/libgd/tree/master/examples
Provides code examples of use of library functions.

Updated the four packages.

```
$ urpmf gd-utils | grep bin
gd-utils:/usr/bin/annotate
gd-utils:/usr/bin/bdftogd
gd-utils:/usr/bin/gd2copypal
gd-utils:/usr/bin/gd2togif
gd-utils:/usr/bin/gd2topng
gd-utils:/usr/bin/gdcmpgif
gd-utils:/usr/bin/gdparttopng
gd-utils:/usr/bin/gdtopng
gd-utils:/usr/bin/giftogd2
gd-utils:/usr/bin/pngtogd
gd-utils:/usr/bin/pngtogd2
gd-utils:/usr/bin/webpng
```

gnuplot uses libgd3 - downloaded a couple of files from http://www.gnuplot.info/demo/

```
$ strace -o plot.trace gnuplot -c rgb_variable.7.gnu
$ grep libgd plot.trace
openat(AT_FDCWD, "/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgdk-3.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgdk_pixbuf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
getcwd("/home/lcl/qa/libgd", 4096) = 19
```

The plot was displayed momentarily. Could not figure out how to keep it on screen. It remained longer with strace. It works anyway.

```
$ pngtogd jessica_big.png jessica1.gd
$ pngtogd2 jessica_big.png jessica1.gd2 2048 1
$ gd2togif jessica1.gd2 jessica1.gif
$ eom jessica1.gif
$ gdtopng jessica1.gd jessica1.png
$ ll jessica1*
-rw-r--r-- 1 lcl lcl 4300811 Sep  9 17:17 jessica1.gd
-rw-r--r-- 1 lcl lcl 4300823 Sep  9 17:22 jessica1.gd2
-rw-r--r-- 1 lcl lcl  585943 Sep  9 17:23 jessica1.gif
-rw-r--r-- 1 lcl lcl  947010 Sep  9 17:27 jessica1.png
```

Input and output images look identical.

```
$ gdparttopng jessica1.gd2 extract.png 200 271 600 642
Extracting from (200, 271), size is 600x642
$ eom extract.png
```

The extracted sample matches the original where expected. The lower edge was deliberately set too high, resulting in a black border underneath. The report on bug 26220 notes that gd files did not work with extract, but they do now.

```
$ gdparttopng jessica1.gd2 extract1.png 200 271 600 642
Extracting from (200, 271), size is 600x642
```

This should be good enough.

CC: (none) => tarazed25

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
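The first of the two issues above is an out-of-bounds read while parsing the header of a crafted TGA file. As an added illustration, and not libgd's code or its fix, the following C shows the length validation a TGA header reader needs: every byte count the 18-byte standard header claims (image ID, colour map, uncompressed pixel payload) is compared with the bytes actually present before anything beyond the header is read. The byte arrays are constructed samples, not real files.

```c
#include <stddef.h>
#include <stdint.h>

#define TGA_HEADER_LEN 18   /* fixed-size TGA header that precedes the image ID */

typedef struct {
    uint8_t  id_length, colormap_type, image_type, colormap_entry_bits;
    uint16_t colormap_length, width, height;
    uint8_t  bits_per_pixel;
    size_t   pixel_offset;  /* offset of the pixel data within the buffer */
} tga_header;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a TGA header from an in-memory file. Every length the header claims is
 * checked against the bytes actually present before anything past the fixed
 * header is touched. Returns 0 on success, -1 if the buffer is too short. */
int tga_read_header(const uint8_t *buf, size_t len, tga_header *h)
{
    if (buf == NULL || h == NULL || len < TGA_HEADER_LEN) return -1;
    h->id_length           = buf[0];
    h->colormap_type       = buf[1];
    h->image_type          = buf[2];
    h->colormap_length     = le16(buf + 5);
    h->colormap_entry_bits = buf[7];
    h->width               = le16(buf + 12);
    h->height              = le16(buf + 14);
    h->bits_per_pixel      = buf[16];
    size_t need = TGA_HEADER_LEN + h->id_length;
    if (h->colormap_type != 0)
        need += (size_t)h->colormap_length * ((h->colormap_entry_bits + 7) / 8);
    if (need > len) return -1;      /* image ID or colour map runs past the end */
    h->pixel_offset = need;
    if (h->image_type >= 1 && h->image_type <= 3) {   /* uncompressed image types */
        size_t pixels = (size_t)h->width * h->height * ((h->bits_per_pixel + 7) / 8);
        if (pixels > len - need) return -1;            /* pixel payload truncated */
    }
    return 0;
}

/* Pixel-data offset on success, -1 if the file is rejected. */
long tga_pixel_offset(const uint8_t *buf, size_t len) {
    tga_header h; return tga_read_header(buf, len, &h) == 0 ? (long)h.pixel_offset : -1;
}

/* Constructed samples: a 2x1 24-bit truecolour image with a 3-byte ID, a header
 * claiming a 200-byte ID, and a colour-mapped header claiming 256 entries with no data. */
static const uint8_t good_tga[] = { 3,0,2, 0,0,0,0,0, 0,0,0,0, 2,0,1,0, 24,0, 'i','d','x', 1,2,3,4,5,6 };
static const uint8_t long_id[]  = { 200,0,2, 0,0,0,0,0, 0,0,0,0, 2,0,1,0, 24,0 };
static const uint8_t no_cmap[]  = { 0,1,1, 0,0,0,1,24, 0,0,0,0, 1,0,1,0, 8,0 };
long parse_good(void)    { return tga_pixel_offset(good_tga, sizeof good_tga); }
long parse_long_id(void) { return tga_pixel_offset(long_id, sizeof long_id); }
long parse_no_cmap(void) { return tga_pixel_offset(no_cmap, sizeof no_cmap); }
```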
Dave Hodgins
2021-09-22 22:03:37 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0433.html

Status: ASSIGNED => RESOLVED