A CVE has been assigned for an issue in libgd that was found in PHP:
http://openwall.com/lists/oss-security/2014/03/14/6
It sounds like we'll need to update gd and php in Mageia 3, and we'll need to update libgd in Mageia 4 for this.
I'm also wondering if the various gd-related issues in Bug 12842 affect libgd in Mageia 4.
Whiteboard: (none) => MGA4TOO, MGA3TOO
PoC here: https://bugzilla.redhat.com/show_bug.cgi?id=1076676
(In reply to David Walser from comment #0)
> A CVE has been assigned for an issue in libgd that was found in PHP:
> http://openwall.com/lists/oss-security/2014/03/14/6
There appears to be no fix available yet.
> I'm also wondering if the various gd-related issues in Bug 12842 affect
> libgd in Mageia 4.
According to the upstream PHP bugs as well as Red Hat, libgd 2.1.0 is not affected.
OpenSuSE has issued an advisory for this today (June 12): http://lists.opensuse.org/opensuse-updates/2014-06/msg00024.html
URL: (none) => http://lwn.net/Vulnerabilities/602204/
It sounds like OpenSuSE used the patch attached to the PHP bug referenced here:
https://bugzilla.novell.com/show_bug.cgi?id=868624#c12
Note that OpenSuSE's bug has (apparently) the same PHP PoC as Oden referenced from Red Hat in Comment 1, as well as a PoC in C to use libgd directly here:
https://bugzilla.novell.com/show_bug.cgi?id=868624#c17
To use, save the XPM file attached here:
https://bugzilla.novell.com/attachment.cgi?id=582349
as test.xpm, save the C code in the comment above as test.c, compile it:
gcc -lgd -o test test.c
(note that you need libgd-devel installed to compile it), and run the test:
./test
If it's vulnerable you get a Segmentation Fault, otherwise you don't.
I've verified the vulnerability and the fix in gd in Mageia 3 and libgd in Mageia 4 and checked the fix into SVN. All that should be needed now is adding the fix to php itself in Mageia 3 (testable with the php-gd package), which we can include in our next PHP update. I've added the patch in Mageia 3 SVN for php, but not tested it.
libgd-2.1.0-4.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
(In reply to David Walser from comment #4)
> All that should be needed now is adding the fix to php itself in Mageia 3
> (testable with the php-gd package), which we can include in our next PHP
> update.
Which may be sooner rather than later :o)
Already one public CVE (CVE-2014-4049):
http://openwall.com/lists/oss-security/2014/06/13/4
(In reply to David Walser from comment #6)
> Which may be sooner rather than later :o) Already one public CVE
> (CVE-2014-4049):
> http://openwall.com/lists/oss-security/2014/06/13/4
And another couple that aren't publicly announced yet, but commits have been made in file and php git to fix more buffer issues in CDF parsing (similar to what we just fixed in Bug 13460 and Bug 13476) and in mconvert() in softmagic.c.
file commits for CDF issues:
https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
file commit for the other issue:
https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
PHP has these same commits, and they correspond to PHP bugs 67410 through 67413.
php commit for mconvert issue:
http://git.php.net/?p=php-src.git;a=commitdiff;h=e77659a8c87272e5061738a31430d2111482c426
php commits for CDF issues:
http://git.php.net/?p=php-src.git;a=commitdiff;h=5c9f96799961818944d43b22c241cc56c215c2e4
http://git.php.net/?p=php-src.git;a=commitdiff;h=40ef6e07e0b2cdced57c506e08cf18f47122292d
http://git.php.net/?p=php-src.git;a=commitdiff;h=25b1dc917a53787dbb2532721ca22f3f36eb13c0
I've collected these patches for file and committed them to Mageia 3 and Mageia 4 SVN (they're also in Cauldron in the file 5.19 release). For PHP, we'll pick them up in our next update. The CVEs should become available at that time.
Depends on: (none) => 13532
Patched packages uploaded for Mageia 3 and Mageia 4.
Note to QA, please see the PoCs referenced in Comment 4 and Comment 1 for gd/libgd and PHP (php-gd) respectively. Also note that for the issue to be fixed on Mageia 3 in PHP, you'll also need the PHP 5.4.30 update being built in Bug 13532.
Advisory:
========================
Updated gd and libgd packages fix security vulnerability:
The gdImageCreateFromXpm function in gdxpm.c in the gd image library allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file (CVE-2014-2497).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
http://lists.opensuse.org/opensuse-updates/2014-06/msg00024.html
========================
Updated packages in core/updates_testing:
========================
libgd2-2.0.35-20.1.mga3
libgd-devel-2.0.35-20.1.mga3
libgd-static-devel-2.0.35-20.1.mga3
gd-utils-2.0.35-20.1.mga3
libgd3-2.1.0-3.1.mga4
libgd-devel-2.1.0-3.1.mga4
libgd-static-devel-2.1.0-3.1.mga4
gd-utils-2.1.0-3.1.mga4
from SRPMS:
gd-2.0.35-20.1.mga3.src.rpm
libgd-2.1.0-3.1.mga4.src.rpm
Assignee: oe => qa-bugs
CC: (none) => oe
Testing MGA4 64-bit real hardware.
Initial comment *before* trying the fix: 2 tests of the fault.
1] As per comment 1 of this bug -> Comment 2 of https://bugzilla.redhat.com/show_bug.cgi?id=1076676 -> https://bugzilla.redhat.com/attachment.cgi?id=874847
Saved the last as reproducer.xpm
The test given in the first URL above:
$ php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
Segmentation fault
2] As per comment 4 of this bug -> https://bugzilla.novell.com/show_bug.cgi?id=868624#c17
Saved the C code therein as test.c
https://bugzilla.novell.com/attachment.cgi?id=582349
Saved this as test.xpm
(note that you need libgd-devel installed) So installed that, which pulled in 30 pkgs!
Compiled the C code with gcc -lgd -o test test.c
The test:
$ ./test
Segmentation fault
So far so good. Test of the update to follow.
CC: (none) => lewyssmith
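As an added example (not part of this bug report, not Mageia QA's own tooling), the following POSIX shell wrapper turns the two reproduction steps described in comment 4 and comment 9 into a verdict derived from the exit status, so a tester records VULNERABLE or FIXED instead of watching for "Segmentation fault" in the terminal. It assumes the file names used in those comments (reproducer.xpm from the Red Hat bug, test.xpm and test.c from the Novell bug) are in the current directory; the crafted XPM files and the C harness are not included here and must be fetched from the links above.

```shell
#!/bin/sh
# Added example (not from this bug report or from Mageia QA): a wrapper around
# the two reproduction steps in comment 4 and comment 9, so a tester records
# VULNERABLE / FIXED from exit status instead of eyeballing "Segmentation fault".
# Assumptions: reproducer.xpm (Red Hat PoC), test.xpm and test.c (Novell PoC)
# sit in the current directory; none of them is included here.

# Return 0 if the command given as arguments is killed by SIGSEGV, else 1.
# POSIX shells report a child killed by signal N as exit status 128+N,
# and SIGSEGV is signal 11, hence 139.
died_of_segv() {
    "$@" >/dev/null 2>&1
    [ "$?" -eq 139 ]
}

# Run one check and print its verdict. Returns 0 for VULNERABLE (the run
# segfaulted) and 1 for FIXED (libgd rejected the file or loaded it cleanly).
classify() {
    if died_of_segv "$@"; then
        echo "VULNERABLE"
        return 0
    fi
    echo "FIXED"
    return 1
}

# Check 1 (comment 9): PHP's imagecreatefromxpm() on the Red Hat reproducer.
# With the fix applied, PHP prints a warning and bool(false) instead of crashing.
check_php_gd() {
    xpm=${1:-reproducer.xpm}
    command -v php >/dev/null 2>&1 || { echo "SKIP: php not installed"; return 2; }
    [ -f "$xpm" ] || { echo "SKIP: $xpm not found"; return 2; }
    classify php -r "var_dump(imagecreatefromxpm(\"$xpm\"));"
}

# Check 2 (comment 4): the native C harness that calls libgd directly on test.xpm.
# -lgd is placed after the source file so the link also works with linkers
# that default to --as-needed.
check_libgd() {
    src=${1:-test.c}
    [ -f "$src" ] || { echo "SKIP: $src not found"; return 2; }
    [ -f test.xpm ] || { echo "SKIP: test.xpm not found"; return 2; }
    gcc -o gdtest "$src" -lgd || { echo "SKIP: compile failed (is libgd-devel installed?)"; return 2; }
    classify ./gdtest
}

# Run both checks and print a one-line summary per component.
run_all() {
    echo "php-gd : $(check_php_gd)"
    echo "libgd  : $(check_libgd)"
}

# Only run when invoked as "sh gd_check.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in run) run_all ;; esac
```

Run it once before and once after installing the packages from core/updates_testing; the expected transition is VULNERABLE to FIXED for both lines. Note that the link order differs from the `gcc -lgd -o test test.c` given in comment 4: putting `-lgd` after the source file avoids an unresolved-symbol failure on toolchains that pass `--as-needed` to the linker by default.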
Testing MGA4 64-bit real hardware [continued from comment 9]
From Core Updates Testing, updated
lib64gd3-2.1.0-3.1.mga4
lib64gd-devel-2.1.0-3.1.mga4
and installed specifically gd-utils-2.1.0-3.1.mga4.x86_64.rpm which was apparently not needed for the tests cited in comment 9.
Re-running the tests:
$ php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
PHP Warning:  imagecreatefromxpm(): 'reproducer.xpm' is not a valid XPM file in Command line code on line 1
bool(false)
which is like comment 1 of https://bugzilla.redhat.com/show_bug.cgi?id=1076676. However, previously this segfaulted.
The same PHP Warning also happened using
$ php -r 'var_dump(imagecreatefromxpm("test.xpm"));'
& from the comment 1 noted above
$ echo '<?php print imagecreatefromxpm("reproducer.xpm")."\n"; ?>' | php
& $ echo '<?php print imagecreatefromxpm("test.xpm")."\n"; ?>' | php
However,
$ ./test
did *not* segfault.
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
I confirm Lewis' findings from comment 9 and comment 10 on mga4 32bit.
Prior to update both tests segfaulted. After update I get the same result:
php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
PHP Warning:  imagecreatefromxpm(): 'reproducer.xpm' is not a valid XPM file in Command line code on line 1
bool(false)
$ ./test
did *not* segfault as well
CC: (none) => marc.lattemann
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK
Slightly different result on mga3 32bit: no segfault for the first test prior to update (no result at all), but after update I get
[root@MGA3_32bit Documents]# php -r 'var_dump(imagecreatefromxpm("reproducer.xpm"));'
bool(false)
but that seems similar to the results for the mga4 tests by Lewis.
Same result for the second test: segfault prior to update and no segfault anymore after update, so OK for mga3 32bit.
BTW: thanks Lewis for the detailed procedure description
CC: marc.lattemann => (none)
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA-32-OK
Same result for mga3 64bit as described in Comment 12, so OK for mga3 64bit as well. Advisory can be uploaded and update validated and pushed to production. Thanks.
CC: (none) => marc.lattemann
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
CC: marc.lattemann => (none)
Advisory uploaded, validating the update. Please push gd to Mageia 3 core/updates and libgd to Mageia 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0288.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED