Upstream has released version 2.2.2 on June 23, fixing several security bugs:
https://github.com/libgd/libgd/releases/tag/gd-2.2.2

They are also listed in the PHP 5.6.23 Changelog:
http://php.net/ChangeLog-5.php#5.6.23

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

Stack overflow with imagefilltoborder (CVE-2015-8874).

Integer Overflow in _gd2GetHeader() resulting in heap overflow (CVE-2016-5766).

Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (CVE-2016-5767).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5767
https://github.com/libgd/libgd/releases/tag/gd-2.2.2
http://php.net/ChangeLog-5.php#5.6.23
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.2-1.mga5
libgd-devel-2.2.2-1.mga5
libgd-static-devel-2.2.2-1.mga5
gd-utils-2.2.2-1.mga5

from libgd-2.2.2-1.mga5.src.rpm
Blocks: (none) => 18765
A CVE has been assigned for another security issue fixed upstream in libgd since the 2.2.2 release, also corresponding to a PHP bug:
http://openwall.com/lists/oss-security/2016/06/30/1

The CVE-2016-5766 fix apparently wasn't included in the 2.2.2 release after all, and was also recently committed upstream. That has also been added to the package.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

Stack overflow with imagefilltoborder (CVE-2015-8874).

Integer Overflow in _gd2GetHeader() resulting in heap overflow (CVE-2016-5766).

Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (CVE-2016-5767).

Improperly handling invalid color index in gdImageCropThreshold() could result in denial of service (CVE-2016-6128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6128
https://github.com/libgd/libgd/releases/tag/gd-2.2.2
http://php.net/ChangeLog-5.php#5.6.23
http://openwall.com/lists/oss-security/2016/06/30/1
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.2-1.1.mga5
libgd-devel-2.2.2-1.1.mga5
libgd-static-devel-2.2.2-1.1.mga5
gd-utils-2.2.2-1.1.mga5

from libgd-2.2.2-1.1.mga5.src.rpm
Working fine on Mageia 5 i586 with my usual test case. PoCs not checked yet.
Whiteboard: (none) => MGA5-32-OK
CVE-2016-6128 (php#72494) PoC:

    #include <stdio.h>
    #include <stdlib.h>
    #include "gd.h"

    int main()
    {
        gdImagePtr im, exp;
        int error = 0;

        /* 50x50 palette image with no colours allocated; 1337 is an
         * out-of-range colour index */
        im = gdImageCreate(50, 50);
        gdImageCropThreshold(im, 1337, 0);
        gdImageDestroy(im);

        /* this bug tests a crash, it never reaches this point if the bug exists */
        return 0;
    }

saved as php72494.c and compiled with

    gcc -lgd php72494.c

runs fine on Mageia 5 i586. No output after the update. Before the update gave:

    GD Warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
Summary: libgd new security issues CVE-2015-8874, CVE-2016-5766, and CVE-2016-5767 => libgd new security issues CVE-2015-8874, CVE-2016-5766, CVE-2016-5767, and CVE-2016-6128
php#66387 (CVE-2015-8874) PoC gives no output before or after update.

php#72339 (CVE-2016-5766) before gives a segfault. After gives:

    PHP Parse error: imagecreatefromgd2(): product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /tmp/php72339.php on line 1
    PHP Warning: imagecreatefromgd2(): 'poc.gd' is not a valid GD2 file in /tmp/php72339.php on line 1

php#72446 (CVE-2016-5767) before and after gives:

    PHP Parse error: imagecreate(): product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /tmp/php72446.php on line 4
    PHP Warning: imagecolorallocatealpha() expects parameter 1 to be resource, boolean given in /tmp/php72446.php on line 5
    PHP Warning: imagepalettetotruecolor() expects parameter 1 to be resource, boolean given in /tmp/php72446.php on line 7

All looks fine.
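The two heap overflows in this bug (CVE-2016-5766 in _gd2GetHeader() and CVE-2016-5767 in gdImagePaletteToTrueColor()) share one root cause: a width * height * bytes-per-pixel product computed in a 32-bit int wraps, a small buffer is allocated, and the real pixel data is then written past its end. The warnings quoted above ("product of memory allocation multiplication would exceed INT_MAX", "one parameter to a memory allocation multiplication is negative or zero") are what the fixed library prints when its guard trips. The following is an added illustration of that class of check, written for this bug report; it is not libgd's own gd_security.c code, and the header dimensions it feeds in are constructed, not taken from any of the PoC files.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a size computation. The two rejection cases correspond to the
 * two libgd warnings seen in this bug; the check itself is an added
 * illustration, not libgd's implementation. */
enum alloc_check { ALLOC_OK = 0, ALLOC_NEG_OR_ZERO = 1, ALLOC_OVERFLOW = 2 };

/* Compute width * height * bytes_per_pixel without ever overflowing.
 * Non-positive factors are rejected (a hostile header can carry them), and
 * each multiplication is tested by division so the test cannot wrap either.
 * On success the exact byte count is stored in *out. */
enum alloc_check checked_image_size(int width, int height, int bytes_per_pixel, size_t *out)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return ALLOC_NEG_OR_ZERO;
    if (width > INT_MAX / height)
        return ALLOC_OVERFLOW;
    int pixels = width * height;              /* <= INT_MAX after the check above */
    if (pixels > INT_MAX / bytes_per_pixel)
        return ALLOC_OVERFLOW;
    *out = (size_t)pixels * (size_t)bytes_per_pixel;
    return ALLOC_OK;
}

/* The value an unchecked 32-bit product would be truncated to. This is the
 * number that turns a header with huge dimensions into a tiny allocation,
 * followed by a heap overflow when the pixel rows are copied in. Computed in
 * 64 bits and truncated explicitly so the demonstration has no undefined
 * behaviour of its own. */
uint32_t wrapped_image_size(int width, int height, int bytes_per_pixel)
{
    int64_t exact = (int64_t)width * (int64_t)height * (int64_t)bytes_per_pixel;
    return (uint32_t)exact;
}

/* Allocate a pixel buffer only once the size has passed the check.
 * Returns NULL (and allocates nothing) for any rejected header. */
unsigned char *alloc_image_buffer(int width, int height, int bytes_per_pixel)
{
    size_t n;
    if (checked_image_size(width, height, bytes_per_pixel, &n) != ALLOC_OK)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header values for the demonstration, not real PoC data. */
    struct { int w, h, bpp; } cases[] = {
        {   640,   480, 4 },   /* ordinary truecolor image */
        { 65536, 65536, 1 },   /* 2^32 pixels: the 32-bit product wraps to 0 */
        { 46341, 46341, 1 },   /* smallest square just above INT_MAX */
        {    -1,    50, 4 },   /* negative dimension from a hostile header */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = 0;
        enum alloc_check r = checked_image_size(cases[i].w, cases[i].h, cases[i].bpp, &n);
        printf("%6d x %6d x %d: ", cases[i].w, cases[i].h, cases[i].bpp);
        if (r == ALLOC_OK)
            printf("ok, %zu bytes\n", n);
        else if (r == ALLOC_NEG_OR_ZERO)
            printf("rejected: one parameter to a memory allocation multiplication is negative or zero\n");
        else
            printf("rejected: product would exceed INT_MAX (unchecked 32-bit product: %u)\n",
                   wrapped_image_size(cases[i].w, cases[i].h, cases[i].bpp));
    }
    return 0;
}
```

The 65536 x 65536 case is the instructive one: the exact product is 2^32, the truncated 32-bit product is 0, so an unchecked reader would ask malloc for nothing and then write four billion pixels into it. Dividing INT_MAX by one factor before multiplying is what keeps the guard itself from wrapping; testing `width * height > INT_MAX` after the fact would be undefined behaviour and is exactly the kind of check compilers optimise away.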
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0242.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-6128: http://lwn.net/Vulnerabilities/693576/
CVE-2016-9933 also fixed by this update: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9933.html