Debian has issued an advisory today (May 27):
https://lists.debian.org/debian-security-announce/2016/msg00164.html

The DSA will be posted here:
https://www.debian.org/security/2016/dsa-3587

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerability:

The gdImageScaleTwoPass function in gd_interpolation.c in libgd before 2.2.0 uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function (CVE-2015-8877).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8877
https://www.debian.org/security/2016/dsa-3587
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.1-1.mga5
libgd-devel-2.2.1-1.mga5
libgd-static-devel-2.2.1-1.mga5
gd-utils-2.2.1-1.mga5

from libgd-2.2.1-1.mga5.src.rpm
Trying M5 x64

Two mini-tests, the first from an earlier POC, the second from a POC for this bug:

<?php
$im = imagecreatetruecolor(20, 20);
$c = imagecolorallocate($im, 255, 0, 0);
imagefilltoborder($im, 0, -999355, $c, $c);
?>

<?php
$im = imagecreatetruecolor(256, 256);
imagedestroy(imagescale($im, 32, 32, IMG_BICUBIC));
imagedestroy($im);
?>

BEFORE this update:
gd-utils-2.1.1-1.2.mga5
lib64gd3-2.1.1-1.2.mga5

$ php foo.php
$ php gdtest.php
$

AFTER this update:
gd-utils-2.2.1-1.mga5
lib64gd3-2.2.1-1.mga5

$ php foo.php
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/extensions/gd.so' - /usr/lib64/php/extensions/gd.so: undefined symbol: gdImageCreateFromWebp in Unknown on line 0
PHP Fatal error: Call to undefined function imagecreatetruecolor() in /home/lewis/tmp/foo.php on line 2

$ php gdtest.php
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/extensions/gd.so' - /usr/lib64/php/extensions/gd.so: undefined symbol: gdImageCreateFromWebp in Unknown on line 0
PHP Fatal error: Call to undefined function imagecreatetruecolor() in /home/lewis/tmp/gdtest.php on line 2

Not encouraging, even if the errors are PHP. I had a similar problem with the test script:
https://bugs.php.net/bug.php?id=72114

$ php phpfread.php
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/extensions/gd.so' - /usr/lib64/php/extensions/gd.so: undefined symbol: gdImageCreateFromWebp in Unknown on line 0

I will apply the PHP update Bug 18545 and see if that makes a difference. If not - any advice welcome.
CC: (none) => lewyssmith
Sorry about that. Should be fixed now.

Updated packages in core/updates_testing:
========================
libgd3-2.2.1-1.1.mga5
libgd-devel-2.2.1-1.1.mga5
libgd-static-devel-2.2.1-1.1.mga5
gd-utils-2.2.1-1.1.mga5

from libgd-2.2.1-1.1.mga5.src.rpm
A CVE has been assigned for another security issue fixed in this update:
http://openwall.com/lists/oss-security/2016/05/29/5

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

The gdImageScaleTwoPass function in gd_interpolation.c in libgd before 2.2.0 uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function (CVE-2015-8877).

While creating an XBM image (imagexbm) with a user supplied name, libgd before 2.2.0 did not check the vsnprintf return value, so an application might trust this length and read more memory than it should, causing a read out of boundaries, leaking stack memory (CVE-2016-5116).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5116
https://www.debian.org/security/2016/dsa-3587
http://openwall.com/lists/oss-security/2016/05/29/5
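The CVE-2016-5116 description above hinges on one C library detail: vsnprintf returns the length the formatted string would have had, not the number of bytes it actually stored, so when the output is truncated the return value is larger than the buffer. The following is an added illustration (not libgd code, not from this bug report) of the unchecked pattern beside the checked one. The XBM-like format string and the buffer sizes are constructed for the example; only the return-value handling matters.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libgd's implementation.
 * vsnprintf() stores at most bufsz-1 characters plus a NUL, but returns
 * the length the COMPLETE string would have had. On truncation that
 * return value exceeds what is in the buffer. */

/* Pattern the advisory describes: the return value is trusted as the
 * number of bytes present in buf. */
static int name_len_unchecked(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return n;   /* may be >= bufsz: a caller reading n bytes overreads buf */
}

/* Fixed pattern: report encoding errors and clamp to the bytes actually
 * stored, so a caller never reads past the formatted data. */
static int name_len_checked(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                      /* encoding error */
    if ((size_t)n >= bufsz)
        return (int)(bufsz - 1);        /* truncated: only bufsz-1 chars stored */
    return n;
}

/* Returns 1 if trusting the unchecked length would read past the buffer
 * for this user-supplied name, 0 otherwise, -1 on a bad bufsz. */
int unchecked_overreads(const char *name, size_t bufsz)
{
    char buf[64];
    if (bufsz == 0 || bufsz > sizeof buf)
        return -1;
    int n = name_len_unchecked(buf, bufsz, "#define %s_width", name);
    return (n < 0 || (size_t)n > bufsz - 1) ? 1 : 0;
}

/* Returns the length a caller may safely read from the buffer. */
int checked_length(const char *name, size_t bufsz)
{
    char buf[64];
    if (bufsz == 0 || bufsz > sizeof buf)
        return -1;
    int n = name_len_checked(buf, bufsz, "#define %s_width", name);
    /* Invariant: the returned length never exceeds the bytes in buf. */
    return (n >= 0 && strlen(buf) == (size_t)n) ? n : -2;
}

int main(void)
{
    const char *long_name = "a_very_long_user_supplied_image_name_value";
    printf("unchecked overreads with 16-byte buffer: %d\n",
           unchecked_overreads(long_name, 16));
    printf("checked length with 16-byte buffer: %d\n",
           checked_length(long_name, 16));
    printf("checked length for short name, 32-byte buffer: %d\n",
           checked_length("img", 32));
    return 0;
}
```

The detection side is the same comparison: any code that feeds a `vsnprintf`/`snprintf` return value into a later read, copy or write without first comparing it against the buffer size is a candidate for this class of over-read.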
Summary: libgd new security issue CVE-2015-8877 => libgd new security issues CVE-2015-8877 and CVE-2016-5116
Re-trying M5 x64
gd-utils-2.2.1-1.1.mga5
lib64gd3-2.2.1-1.1.mga5

I had also updated PHP as per bug 18545. Alas, without re-logging in or re-booting, same results as Comment 1 AFTER update.
Sorry about that, I added the wrong BuildRequires. Should be fixed now.

Updated packages in core/updates_testing:
========================
libgd3-2.2.1-1.2.mga5
libgd-devel-2.2.1-1.2.mga5
libgd-static-devel-2.2.1-1.2.mga5
gd-utils-2.2.1-1.2.mga5

from libgd-2.2.1-1.2.mga5.src.rpm
Testing M5 x64
gd-utils-2.2.1-1.2.mga5
lib64gd3-2.2.1-1.2.mga5

The two mini-scripts noted in Comment 1:

$ php foo.php
$ php gdtest.php

Bingo! 3rd time lucky, and thank you David for reworking this so quickly.

The third script I had misunderstood: Bug 18545 Comment 2 (end) and Comment 3 and Comment 4 attachments clarify things. gzread.php (C4) apparently calls fread (C3), though I cannot see how. BTAIM, now:

$ php gzread.php
PHP Warning: gzread(): Length parameter must be no more than 2147483647 in /home/lewis/tmp/gzread.php on line 7

is the expected result from https://bugs.mageia.org/show_bug.cgi?id=18545#c2 . The library error has gone. Thanks to Brian for collecting that.

So finally OKing this update.
Whiteboard: (none) => MGA5-64-OK
My usual php-gd test case works fine with the update too, Mageia 5 i586.
Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK
(In reply to David Walser from comment #7)
> My usual php-gd test case works fine with the update too, Mageia 5 i586.

Again thanks for that. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
LWN reference for CVE-2016-5116: http://lwn.net/Vulnerabilities/689578/
Advisory uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0215.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2016-6161:
http://openwall.com/lists/oss-security/2016/07/05/7
(In reply to David Walser from comment #12)
> This update also fixed CVE-2016-6161:
> http://openwall.com/lists/oss-security/2016/07/05/7

LWN reference:
http://lwn.net/Vulnerabilities/694243/