A security issue in libgd was reported and fixed upstream:
http://openwall.com/lists/oss-security/2016/04/21/6

A PoC is included in the message above.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerability:

A signedness vulnerability exists in libgd 2.1.1 and earlier which may result in a heap overflow when processing compressed gd2 data (CVE-2016-3074).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
http://openwall.com/lists/oss-security/2016/04/21/6
========================

Updated packages in core/updates_testing:
========================
libgd3-2.1.1-1.1.mga5
libgd-devel-2.1.1-1.1.mga5
libgd-static-devel-2.1.1-1.1.mga5
gd-utils-2.1.1-1.1.mga5

from libgd-2.1.1-1.1.mga5.src.rpm
Ran the PoC before the update, it gives a lot of errors like: AttributeError: 'module' object has no attribute 'ReadTimeout' I ran it until offset 2866, which is a lot farther than they said they ran it in the message about the PoC, and it never stopped (if there was an 'id' output amongst all the errors and it keeps going, I missed it). I just verified that a normal PHP script using gd still works fine after the update.
Whiteboard: (none) => MGA5-32-OK
Yes, I have similar results after spending half the morning on it.

Testing on x86_64

Ensured that all listed packages were installed before the update.

Obtained the git files referenced through footnote [3] in the message http://openwall.com/lists/oss-security/2016/04/21/6
Cut and pasted them into local files exploit.py and upload.php.

$ cat upload.php
<?php
imagecreatefromgd2($_FILES["file"]["tmp_name"]);
?>

Installed python-requests to satisfy the 'import requests' command in exploit.py.

Ran the PoC as advertised:

$ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php

This generated a stack of errors like

[*] this may take a while
[*] offset 0 of 10000...Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.7/threading.py", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "exploit.py", line 253, in send_gd2
    except requests.exceptions.ReadTimeout:
AttributeError: 'module' object has no attribute 'ReadTimeout'
Exception in thread Thread-5:

and needed Ctrl-C to return to the command line.

After the update the same failure occurred, so tried something like a real URL and raised a 404 error.

$ python exploit.py --bind-port 5555 http://192.168.1.103/home/lcl/qa/libgd/upload.php
[*] this may take a while
[*] offset 0 of 10000...
[-] 404: http://192.168.1.103/home/lcl/qa/libgd/upload.php

My conclusion is that I am not exercising the PoC correctly.

Adding some diagnostics inline shows that 20 threads are started OK. Returning to the original URL causes an exception to be raised in each of the 20 threads and then the program seems to hang. In fact it is looping, so I am letting it run for a while. The exception is

AttributeError: 'module' object has no attribute 'ReadTimeout'

The offset increases by 1 each time and each iteration takes several minutes, so the process should run for 10000 x several minutes! Clobbering this.
No idea where the heap overflow would have occurred so how to judge this?
CC: (none) => tarazed25
You shouldn't get a 404, that means where you put the upload.php isn't matching the URL you are using. It doesn't look like this bug is easy to reproduce though, so just a general php-gd test should suffice.
It is a LAN address and the file is definitely in that path so it must be a malformed URL. Again I have to confess ignorance; where do I find php-gd scripts? Not something I have ever had to use.
Test with anything from .. $ urpmq --whatrequires php-gd
Thanks Claire. I did not realize even that php-gd was a package or I would have looked. My ignorance is profound.
Debian has issued an advisory for this on April 24: https://www.debian.org/security/2016/dsa-3556
URL: (none) => http://lwn.net/Vulnerabilities/685004/
astpp
cacti
drupal
egroupware
galette
ganglia-web
mediawiki
moodle
ocsinventory-reports
owncloud
php-gd
php-jpgraph
phplot
php-pear-Image_Color
php-pear-Image_GIS
php-pear-Numbers_Roman
php-syslog-ng
php-ZendFramework2-Barcode
php-ZendFramework2-Captcha
php-ZendFramework-Captcha
php-ZendFramework-Pdf
roundcubemail
task-lamp-php
webacula

This stuff is way above my pay grade. Without any knowledge of PHP or web programming I do not see how to test libgd.
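A general php-gd test of the kind suggested earlier in the thread, written here as an added example (it is not code from this bug report, from the PoC, or from libgd): it writes a constructed image through imagegd2 in both gd2 modes, reads it back with imagecreatefromgd2 and compares every pixel, then checks that a file cut off inside the gd2 header is rejected with false rather than crashing the interpreter. It assumes the php-gd extension is loaded and that sys_get_temp_dir() is writable; the image content and the file names are constructed for the test.

```php
<?php
// Added example for this bug thread, not code from the report or from libgd:
// a functional test of php-gd's gd2 writer and reader, the code path that the
// CVE-2016-3074 update touches. Assumes the php-gd extension is loaded and
// that sys_get_temp_dir() is writable. Written for PHP 5.x as shipped in
// Mageia 5 (no scalar type hints, array() syntax).

// Build a truecolor image with a deterministic, constructed pixel pattern.
function make_test_image($w, $h)
{
    $im = imagecreatetruecolor($w, $h);
    for ($y = 0; $y < $h; $y++) {
        for ($x = 0; $x < $w; $x++) {
            $r = ($x * 7) % 256;
            $g = ($y * 11) % 256;
            $b = ($x ^ $y) % 256;
            imagesetpixel($im, $x, $y, ($r << 16) | ($g << 8) | $b);
        }
    }
    return $im;
}

// Write the image as gd2 in the given mode and chunk size, read it back and
// compare dimensions and every pixel. Returns true when the round trip is
// lossless, false if writing or reading fails or any pixel differs.
function gd2_roundtrip($im, $mode, $chunk_size)
{
    $path = tempnam(sys_get_temp_dir(), 'gd2test');
    if (!imagegd2($im, $path, $chunk_size, $mode)) {
        unlink($path);
        return false;
    }
    $back = imagecreatefromgd2($path);
    unlink($path);
    if ($back === false) {
        return false;
    }
    $w = imagesx($im);
    $h = imagesy($im);
    $ok = (imagesx($back) === $w && imagesy($back) === $h);
    for ($y = 0; $ok && $y < $h; $y++) {
        for ($x = 0; $x < $w; $x++) {
            if (imagecolorat($im, $x, $y) !== imagecolorat($back, $x, $y)) {
                $ok = false;
                break;
            }
        }
    }
    imagedestroy($back);
    return $ok;
}

// Robustness check: a file cut off after 8 bytes (magic, version and width,
// but no height) cannot satisfy the gd2 header parser, so imagecreatefromgd2
// must return false with a warning instead of crashing. The '@' only silences
// that expected warning.
function gd2_truncated_header_rejected($im)
{
    $path = tempnam(sys_get_temp_dir(), 'gd2trunc');
    imagegd2($im, $path, 64, IMG_GD2_COMPRESSED);
    $data = file_get_contents($path);
    file_put_contents($path, substr($data, 0, 8));
    $result = @imagecreatefromgd2($path);
    unlink($path);
    return $result === false;
}

// 200x150 with 64-pixel chunks gives a 4x3 chunk grid, so the compressed
// reader has to walk several chunks; 4096 collapses it to a single chunk.
$im = make_test_image(200, 150);
$results = array(
    'raw'                       => gd2_roundtrip($im, IMG_GD2_RAW, 128),
    'compressed, 64px chunks'   => gd2_roundtrip($im, IMG_GD2_COMPRESSED, 64),
    'compressed, single chunk'  => gd2_roundtrip($im, IMG_GD2_COMPRESSED, 4096),
    'truncated header rejected' => gd2_truncated_header_rejected($im),
);
imagedestroy($im);

$failed = 0;
foreach ($results as $name => $ok) {
    printf("%-26s %s\n", $name, $ok ? 'PASS' : 'FAIL');
    if (!$ok) {
        $failed++;
    }
}
exit($failed === 0 ? 0 : 1);
```

Run it from the command line with `php gd2_roundtrip.php` before and after installing the updated libgd packages; an exit status of 0 means all four checks passed, which is the "normal PHP script using gd still works" signal the thread relies on, plus a negative case that exercises the header parsing of the same decoder.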
Testing complete mga5 64. Used owncloud to view images & thumbnails in the browser.
Whiteboard: MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0152.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED