A CVE has been assigned for a security issue fixed upstream in libgd: http://openwall.com/lists/oss-security/2016/09/28/7 The upstream commit to fix the issue is linked in the message above. A new version containing the fix has not yet been released. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since the registered maintainer is unavailable.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
lingd testsuite are for now broken due to new freetype 2.7, see upstream issue: https://github.com/libgd/libgd/issues/302
CC: (none) => geiger.david68210
s/lingd/libgd/ :) I mean only on Cauldron.
I temporarily disabled the test suite in Cauldron.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls. (CVE-2016-7568)

References:
http://openwall.com/lists/oss-security/2016/09/28/7
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568
========================

Updated packages in core/updates_testing:
========================
i586:
libgd3-2.2.3-1.2.mga5.i586.rpm
libgd-devel-2.2.3-1.2.mga5.i586.rpm
libgd-static-devel-2.2.3-1.2.mga5.i586.rpm
gd-utils-2.2.3-1.2.mga5.i586.rpm

x86_64:
lib64gd3-2.2.3-1.2.mga5.x86_64.rpm
lib64gd-devel-2.2.3-1.2.mga5.x86_64.rpm
lib64gd-static-devel-2.2.3-1.2.mga5.x86_64.rpm
gd-utils-2.2.3-1.2.mga5.x86_64.rpm

Source RPMs:
libgd-2.2.3-1.2.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Source RPM: libgd-2.2.3-2.mga6.src.rpm => libgd-2.2.3-1.1.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
Testing on 64bit hardware.

Part 1: pre-updates

The gd-utils package supplies some utilities but a list of them is not easily found. Searching /usr/bin turns up these possibles:
bdftogd gd2copypal gd2togif gd2topng gdcmpgif gdparttopng gdtopng giftogd2 pngtogd
and urpmqf shows that gnuplot uses gd.

The online tutorial at https://libgd.github.io/manuals/2.2.3/files/preamble-txt.html includes a simple program as a demonstration, attached here. When compiled and run it creates a PNG image of a black rectangle with a diagonal white line (test.png).

$ pngtogd test.png test.gd
produces a binary file which can be converted back to a PNG.
gdtopng test.gd test2.png
The test2.png looks exactly like test.png.

It looks like gd2 is a different format so ignore those utilities with gd2 in the name.

gnuplot can be used to run the demos already on board at /usr/share/doc/gnuplot-nox/demo/
e.g.
$ cd demos
$ gnuplot orbits.dem
ctrl-C

A PoC exists for PHP but not libgd (programmer required).

<?php
ini_set('memory_limit', -1);
$im = imagecreatetruecolor(0x8000, 0x8001);
imagewebp($im, 'php.webp');
imagedestroy($im);
?>

This needs somebody conversant with web programming. I don't know how to run this.
Details of output at https://bugs.php.net/bug.php?id=73003
CC: (none) => tarazed25
Created attachment 8514 [details]
Simple test of libgd

This generates test.png which displays as a diagonal white line on a black background. Use the command at the head of the file to compile and link.
The test program actually generates test.jpg also.
Generally PHP is the best way to test libgd. It's fine if you want to use the C API too of course.
As I said, this needs somebody who knows PHP. I have not yet got up to speed.
(In reply to Len Lawrence from comment #9)
> As I said, this needs somebody who knows PHP. I have not yet got up to
> speed.

And using the C API needs someone who knows C. PHP is generally an easier language, and it should be easier to find snippets out there using PHP via GD.
There is no PoC in C. PHP is all that I could find but I don't know how to run the snippet. I tried wrapping it in HTML and pointing firefox at localhost - the header came up but nothing else. Then tried copying naked PHP PoC (called php) to /var/www/html and using localhost/php. Nothing. I just have no idea.
It looks like you should be able to run it at the command-line (install php-cli) by saving it to a file (say foo.php) and running "php foo.php" Note that for your testing through the browser, it should be saved with a .php extension, otherwise Apache won't know to run it through mod_php.
Many thanks for that David.

$ php foo.php
PHP Warning: imagewebp(): gd-webp encoding failed in /home/lcl/qa/gd/foo.php on line 4
*** Error in `php': free(): invalid pointer: 0x00007fec4c457010 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7fec6437e38e]
..................
Abort

Now we have something to work with.
Part 2. Installed the updates.

$ php foo.php
PHP Warning: imagewebp(): product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully in /home/lcl/qa/gd/foo.php on line 4

Looks like it has been fixed. Shall run the functional tests tomorrow.
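The arithmetic behind the pre-update crash and the post-update "would exceed INT_MAX" warning, worked through for the PoC dimensions as an added C example (not libgd's or PHP's code). It assumes a 32-bit int and a pixel buffer sized as width * 4 * height; the helper names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libgd's API): returns 1 if a*b cannot be
 * represented as a positive int, 0 if the product is safe to compute. */
static int mul_exceeds_int_max(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;                 /* zero or negative sizes are rejected */
    return a > INT_MAX / b;       /* division avoids overflowing the check */
}

/* What an unchecked 32-bit width*4*height evaluates to. Computed in
 * uint32_t so the wraparound is well defined for this demonstration. */
static uint32_t wrapped_argb_size(int width, int height)
{
    return (uint32_t)width * 4u * (uint32_t)height;
}

/* Checked size: the byte count, or -1 if any partial product overflows. */
static int checked_argb_size(int width, int height)
{
    if (mul_exceeds_int_max(width, 4))
        return -1;
    if (mul_exceeds_int_max(width * 4, height))
        return -1;
    return width * 4 * height;
}

int main(void)
{
    int w = 0x8000, h = 0x8001;   /* dimensions used by the PoC in this report */
    uint64_t needed = (uint64_t)w * 4u * (uint64_t)h;

    printf("bytes needed:  %llu\n", (unsigned long long)needed);
    printf("32-bit result: %u\n", wrapped_argb_size(w, h));
    printf("checked:       %d\n", checked_argb_size(w, h));
    printf("640x480:       %d\n", checked_argb_size(640, 480));
    return 0;
}
```

The unchecked product wraps to a buffer far smaller than the image needs, which is the heap overflow the advisory describes; the checked path refuses the request instead.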
Created attachment 8515 [details]
poc.php

From https://bugs.php.net/bug.php?id=73003
Ran gnuplot on some of the demos and tried the gdex program. Both functioning normally. In view of the pressure on QA we should skip the 32bit test and validate this.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK
CC: (none) => sysadmin-bugs
CC: (none) => mageia
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0339.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/703328/