Bug 13021 - gd image library new security issue CVE-2014-2497
Summary: gd image library new security issue CVE-2014-2497
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/602204/
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32...
Keywords: validated_update
Depends on: 13532
Blocks:
Reported: 2014-03-14 20:31 CET by David Walser
Modified: 2014-07-09 00:45 CEST
5 users

See Also:
Source RPM: gd, libgd, php
CVE:
Status comment:

Description David Walser 2014-03-14 20:31:40 CET
A CVE has been assigned for an issue in libgd that was found in PHP:
http://openwall.com/lists/oss-security/2014/03/14/6

It sounds like we'll need to update gd and php in Mageia 3, and we'll need to update libgd in Mageia 4 for this.

I'm also wondering if the various gd-related issues in Bug 12842 affect libgd in Mageia 4.

David Walser 2014-03-14 20:31:46 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-03-17 08:57:29 CET
PoC here: https://bugzilla.redhat.com/show_bug.cgi?id=1076676
Comment 2 David Walser 2014-03-28 18:31:22 CET
(In reply to David Walser from comment #0)
> A CVE has been assigned for an issue in libgd that was found in PHP:
> http://openwall.com/lists/oss-security/2014/03/14/6

There appears to be no fix available yet.

> I'm also wondering if the various gd-related issues in Bug 12842 affect
> libgd in Mageia 4.

According to the upstream PHP bugs as well as Red Hat, libgd 2.1.0 is not affected.
Comment 3 David Walser 2014-06-12 18:50:32 CEST
openSUSE has issued an advisory for this today (June 12):
http://lists.opensuse.org/opensuse-updates/2014-06/msg00024.html

URL: (none) => http://lwn.net/Vulnerabilities/602204/

Comment 4 David Walser 2014-06-12 20:09:10 CEST
It sounds like openSUSE used the patch attached to the PHP bug referenced here:
https://bugzilla.novell.com/show_bug.cgi?id=868624#c12

Note that openSUSE's bug has (apparently) the same PHP PoC as Oden referenced from Red Hat in Comment 1, as well as a PoC in C to use libgd directly here:
https://bugzilla.novell.com/show_bug.cgi?id=868624#c17

To use, save the XPM file attached here:
https://bugzilla.novell.com/attachment.cgi?id=582349

as test.xpm, save the C code in the comment above as test.c, compile it:
gcc -lgd -o test test.c

(note that you need libgd-devel installed to compile it), and run the test:
./test

If it's vulnerable you get a Segmentation Fault, otherwise you don't.

I've verified the vulnerability and the fix in gd in Mageia 3 and libgd in Mageia 4 and checked the fix into SVN.

All that should be needed now is adding the fix to php itself in Mageia 3 (testable with the php-gd package), which we can include in our next PHP update.  I've added the patch in Mageia 3 SVN for php, but not tested it.
Comment 5 David Walser 2014-06-12 20:15:02 CEST
libgd-2.1.0-4.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 6 David Walser 2014-06-13 15:19:26 CEST
(In reply to David Walser from comment #4)
> All that should be needed now is adding the fix to php itself in Mageia 3
> (testable with the php-gd package), which we can include in our next PHP
> update.

Which may be sooner rather than later :o)  Already one public CVE (CVE-2014-4049):
http://openwall.com/lists/oss-security/2014/06/13/4
Comment 7 David Walser 2014-06-13 19:03:54 CEST
(In reply to David Walser from comment #6)
> Which may be sooner rather than later :o)  Already one public CVE
> (CVE-2014-4049):
> http://openwall.com/lists/oss-security/2014/06/13/4

And another couple that aren't publicly announced yet, but commits have been made in file and php git to fix more buffer issues in CDF parsing (similar to what we just fixed in Bug 13460 and Bug 13476) and in mconvert() in softmagic.c.

file commits for CDF issues:
https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d

file commit for the other issue:
https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08

PHP has these same commits, and they correspond to PHP bugs 67410 through 67413.

php commit for mconvert issue:
http://git.php.net/?p=php-src.git;a=commitdiff;h=e77659a8c87272e5061738a31430d2111482c426

php commits for CDF issues:
http://git.php.net/?p=php-src.git;a=commitdiff;h=5c9f96799961818944d43b22c241cc56c215c2e4
http://git.php.net/?p=php-src.git;a=commitdiff;h=40ef6e07e0b2cdced57c506e08cf18f47122292d
http://git.php.net/?p=php-src.git;a=commitdiff;h=25b1dc917a53787dbb2532721ca22f3f36eb13c0

I've collected these patches for file and committed them to Mageia 3 and Mageia 4 SVN (they're also in Cauldron in the file 5.19 release).  For PHP, we'll pick them up in our next update.  The CVEs should become available at that time.
David Walser 2014-06-17 20:52:49 CEST

Depends on: (none) => 13532

Comment 8 David Walser 2014-06-27 18:05:49 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Note to QA, please see the PoCs referenced in Comment 4 and Comment 1 for gd/libgd and PHP (php-gd) respectively.  Also note that for the issue to be fixed on Mageia 3 in PHP, you'll also need the PHP 5.4.30 update being built in Bug 13532.

Advisory:
========================

Updated gd and libgd packages fix security vulnerability:

The gdImageCreateFromXpm function in gdxpm.c in the gd image library allows
remote attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted color table in an XPM file (CVE-2014-2497).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
http://lists.opensuse.org/opensuse-updates/2014-06/msg00024.html
========================

Updated packages in core/updates_testing:
========================
libgd2-2.0.35-20.1.mga3
libgd-devel-2.0.35-20.1.mga3
libgd-static-devel-2.0.35-20.1.mga3
gd-utils-2.0.35-20.1.mga3
libgd3-2.1.0-3.1.mga4
libgd-devel-2.1.0-3.1.mga4
libgd-static-devel-2.1.0-3.1.mga4
gd-utils-2.1.0-3.1.mga4

from SRPMS:
gd-2.0.35-20.1.mga3.src.rpm
libgd-2.1.0-3.1.mga4.src.rpm

Assignee: oe => qa-bugs
CC: (none) => oe
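
A package-level check that QA or an administrator could run against this advisory, as an added example that is not part of the bug, the advisory, or Mageia's tooling: it takes the fixed package list from the advisory above and compares it against the lines of an `rpm -qa` listing, using a reimplementation of rpm's version ordering so that it runs without rpm installed. It assumes Mageia's `rpm -qa` prints `name-version-release.arch` and, following comment 10, that `lib64gd3`/`lib64gd-devel` on x86_64 correspond to `libgd3`/`libgd-devel` in the advisory. The sample `rpm -qa` lines are constructed; the release `3.mga4` used as the pre-update release is assumed, not taken from the bug.

```python
# Added example (not from the bug or Mageia's tooling): audit rpm -qa
# output against the fixed package list in this bug's advisory.
import re
import string

# Fixed NVRs copied from the "Updated packages" list in the advisory.
FIXED_NVRS = [
    "libgd2-2.0.35-20.1.mga3", "libgd-devel-2.0.35-20.1.mga3",
    "libgd-static-devel-2.0.35-20.1.mga3", "gd-utils-2.0.35-20.1.mga3",
    "libgd3-2.1.0-3.1.mga4", "libgd-devel-2.1.0-3.1.mga4",
    "libgd-static-devel-2.1.0-3.1.mga4", "gd-utils-2.1.0-3.1.mga4",
]
SEGMENT_CHARS = set(string.ascii_letters + string.digits + "~")
ARCH_SUFFIX = re.compile(r"\.(x86_64|i586|i686|noarch)$")

def rpmvercmp(a, b):
    """Order version/release strings like rpm's rpmvercmp(): numeric segments
    compare as numbers, alpha segments as strings, numeric beats alpha and
    '~' sorts before everything. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in SEGMENT_CHARS:  # skip separators
            i += 1
        while j < len(b) and b[j] not in SEGMENT_CHARS:
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                    # tilde loses even to end-of-string
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        pat, isnum = (r"\d+", True) if a[i].isdigit() else (r"[A-Za-z]+", False)
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                  # mixed types: numeric side is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # whichever has characters left wins

def split_nvr(pkg):
    """'lib64gd3-2.1.0-3.mga4.x86_64' -> ('libgd3', '2.1.0', '3.mga4').
    Assumption (from comment 10): x86_64 ships lib64gd3 for the advisory's
    libgd3, so a lib64 prefix is mapped to lib. Raises ValueError when the
    string is not name-version-release[.arch]."""
    name, version, release = ARCH_SUFFIX.sub("", pkg).rsplit("-", 2)
    if name.startswith("lib64"):
        name = "lib" + name[5:]
    return name, version, release

def distro_tag(release):
    """'3.1.mga4' -> 'mga4', keeping the MGA3 and MGA4 targets apart."""
    return release.rsplit(".", 1)[-1]

def audit(rpm_qa_lines, fixed=FIXED_NVRS):
    """Map each installed package the advisory covers to 'fixed' or
    'vulnerable'; unlisted or malformed lines are skipped."""
    wanted = {}
    for nvr in fixed:
        n, v, r = split_nvr(nvr)
        wanted[(n, distro_tag(r))] = (v, r)
    verdict = {}
    for line in rpm_qa_lines:
        try:
            n, v, r = split_nvr(line.strip())
        except ValueError:
            continue
        target = wanted.get((n, distro_tag(r)))
        if target is None:
            continue
        c = rpmvercmp(v, target[0]) or rpmvercmp(r, target[1])
        verdict[line.strip()] = "fixed" if c >= 0 else "vulnerable"
    return verdict

# Constructed rpm -qa excerpt (Mageia prints name-version-release.arch) for
# an MGA4 x86_64 box whose library was not updated; 3.mga4 is an assumed
# pre-update release, not a value taken from the bug.
SAMPLE_RPM_QA = """lib64gd3-2.1.0-3.mga4.x86_64
lib64gd-devel-2.1.0-3.1.mga4.x86_64
gd-utils-2.1.0-3.1.mga4.x86_64
somepkg-1.0-1.mga4.x86_64""".splitlines()

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{status:10s} {pkg}")
```

On a real system, feed `audit()` the lines of an actual `rpm -qa` run instead of the constructed sample; anything newer than the advisory's release (for example a later Cauldron build) is reported as fixed, since the comparison is "at least the fixed version", not "exactly the fixed version".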

Comment 9 Lewis Smith 2014-06-30 22:02:38 CEST
Testing MGA4 64-bit real hardware.
Initial comment *before* trying the fix: 2 tests of the fault.

1]
As per comment 1 of this bug ->
Comment 2 of https://bugzilla.redhat.com/show_bug.cgi?id=1076676 ->
 https://bugzilla.redhat.com/attachment.cgi?id=874847
Saved the last as reproducer.xpm
The test given in the first URL above:
 $ php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
Segmentation fault

2]
As per comment 4 of this bug ->
 https://bugzilla.novell.com/show_bug.cgi?id=868624#c17
Saved the C code therein as test.c
 https://bugzilla.novell.com/attachment.cgi?id=582349
Saved this as test.xpm
(note that you need libgd-devel installed). So I installed that, which pulled in 30 pkgs!
Compiled the C code with
 gcc -lgd -o test test.c
The test:
 $ ./test
Segmentation fault

So far so good. Test of the update to follow.

CC: (none) => lewyssmith

Comment 10 Lewis Smith 2014-06-30 22:38:40 CEST
Testing MGA4 64-bit real hardware [continued from comment 9]

From Core Updates Testing, updated
 lib64gd3-2.1.0-3.1.mga4
 lib64gd-devel-2.1.0-3.1.mga4
and installed specifically
 gd-utils-2.1.0-3.1.mga4.x86_64.rpm
which was apparently not needed for the tests cited in comment 9.

Re-running the tests:
$ php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
 PHP Warning:  imagecreatefromxpm(): 'reproducer.xpm' is not a valid XPM file in
 Command line code on line 1
 bool(false)
which is like comment 1 of https://bugzilla.redhat.com/show_bug.cgi?id=1076676. However, previously this segfaulted.
The same PHP Warning also happened using
 $ php -r 'var_dump(imagecreatefromxpm("test.xpm"));'
& from the comment 1 noted above
 $ echo '<?php print imagecreatefromxpm("reproducer.xpm")."\n"; ?>' | php
&
 $ echo '<?php print imagecreatefromxpm("test.xpm")."\n"; ?>' | php

However,
 $ ./test
did *not* segfault.

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 11 Marc Lattemann 2014-07-05 01:39:40 CEST
Confirm Lewis' findings from comment 9 and comment 10 on mga4 32-bit. Prior to the update both tests segfaulted.
After the update I get the same result:
php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
PHP Warning:  imagecreatefromxpm(): 'reproducer.xpm' is not a valid XPM file in Command line code on line 1
bool(false)

 $ ./test
did *not* segfault either

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 12 Marc Lattemann 2014-07-05 02:00:13 CEST
Slightly different result on mga3 32-bit:

No segfault for the first test prior to the update (no result at all), but after the update I get
[root@MGA3_32bit Documents]# php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
bool(false)
which seems similar to the results of Lewis' mga4 tests.

Same result for the second test: segfault prior to the update and no segfault anymore after it, so OK for mga3 32-bit.

BTW: thanks Lewis for the detailed procedure description.

CC: marc.lattemann => (none)
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA-32-OK

Comment 13 Marc Lattemann 2014-07-05 02:15:51 CEST
Same result for mga3 64-bit as described in Comment 12, so OK for mga3 64-bit as well.

Advisory can be uploaded and update validated and pushed to production.

Thanks.

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Marc Lattemann 2014-07-05 02:16:57 CEST

CC: marc.lattemann => (none)

Comment 14 Rémi Verschelde 2014-07-06 22:57:07 CEST
Advisory uploaded, validating the update.

Please push gd to Mageia 3 core/updates and libgd to Mageia 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 15 Pascal Terjan 2014-07-09 00:45:57 CEST
http://advisories.mageia.org/MGASA-2014-0288.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED
