Bug 29486

Summary: libgd new security issue CVE-2021-40812
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libgd-2.3.1-1.1.mga8.src.rpm CVE: CVE-2021-40812
Status comment:

Description David Walser 2021-09-23 23:46:17 CEST 
SUSE has issued an advisory today (September 23):
https://lists.suse.com/pipermail/sle-security-updates/2021-September/009507.html

Mageia 8 is also affected.
David Walser 2021-09-23 23:46:34 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 David Walser 2021-09-24 15:11:12 CEST 
We need to add this fix that was backported to the latest PHP update:
https://github.com/libgd/libgd/commit/a24e96f01989bf9ca05a08d33862a08d6f4c4ed6
Comment 2 Nicolas Salguero 2021-09-24 15:46:48 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks. (CVE-2021-40812)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40812
https://lists.suse.com/pipermail/sle-security-updates/2021-September/009507.html
========================

Updated packages in core/updates_testing:
========================
gd-utils-2.3.1-1.3.mga8
lib(64)gd3-2.3.1-1.3.mga8
lib(64)gd-devel-2.3.1-1.3.mga8
lib(64)gd-static-devel-2.3.1-1.3.mga8

from SRPM:
libgd-2.3.1-1.3.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from upstream => (none)
CVE: (none) => CVE-2021-40812
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2021-09-25 14:05:34 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
At CLI:
$ pngtogd 20170905_0008.png 20170905_0008.gd
$ pngtogd2 20170905_0008.png 20170905_0008.gd2 2048 1
$ gd2togif 20170905_0008.gd2 20170905_0008.gif
$ gdtopng 20170905_0008.gd test1.png
$ gdparttopng 20170905_0008.gd2 extract.png 200 271 600 642
Extracting from (200, 271), size is 600x642

I have no idea how to display the gd or gd2 files, but the converted gif and png files diplay OK.
Should be good enough.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-09-27 14:15:33 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 David Walser 2021-09-29 00:43:38 CEST 
openSUSE has issued an advisory for this on September 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCVD7RYV2TSOLINPDAIY7P7Q4OSCOREN/

(we can use that in the advisory instead of the SUSE ref)
Thomas Backlund 2021-09-29 18:25:57 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-09-29 19:24:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0449.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED