Fedora has issued an advisory on January 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QHE3SM4HVAEXCO4WZKPXPIVEC7DBIDLK/ The issues are fixed upstream in libgd 2.2.4: https://github.com/libgd/libgd/releases/tag/gd-2.2.4 Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
URL: (none) => https://lwn.net/Vulnerabilities/712364/
Hi David, I have a strange problem: when building libgd-2.2.4 locally (either Mga5 or Cauldron, using either X11 or console), all tests are successful but on the build system, the test "fontconfig/basic" fails (see: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20170124154217.ns80.duvel.38107/log/libgd-2.2.4-1.mga5/build.0.20170124154303.log) and I have no idea why that happens. Do you think I can disable that test for the moment? Best regards, Nico.
Maybe the test only works when run in X or something. If it passes locally, I think it'd be OK to disable it.
Looks like it's built for Mageia 5, just not Cauldron.

libgd3-2.2.4-1.mga5
libgd-devel-2.2.4-1.mga5
libgd-static-devel-2.2.4-1.mga5
gd-utils-2.2.4-1.mga5

from libgd-2.2.4-1.mga5.src.rpm

CVEs were requested for more fixes: http://openwall.com/lists/oss-security/2017/01/26/1
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)

Double-free in gdImageWebPtr(). (CVE-2016-6912)

Potential unsigned underflow in gd_interpolation.c. (CVE not assigned yet)

DOS vulnerability in gdImageCreateFromGd2Ctx(). (CVE not assigned yet)

Signed Integer Overflow gd_io.c. (CVE not assigned yet)

References:
https://github.com/libgd/libgd/releases/tag/gd-2.2.4
http://openwall.com/lists/oss-security/2017/01/26/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.4-1.mga5
libgd-devel-2.2.4-1.mga5
libgd-static-devel-2.2.4-1.mga5
gd-utils-2.2.4-1.mga5

from SRPMS:
libgd-2.2.4-1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Nicolas, While people can test this if they want, we can't formally push it yet since it hasn't been built in Cauldron. I try to make sure things get built there first, to prevent this kind of issue.
CC: (none) => qa-bugs
Assignee: qa-bugs => nicolas.salguero
(In reply to David Walser from comment #5)
> Nicolas,
>
> While people can test this if they want, we can't formally push it yet since
> it hasn't been built in Cauldron. I try to make sure things get built there
> first, to prevent this kind of issue.

Just in case you didn't see, one more test fails in Cauldron: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170127165834.akien.duvel.30979/log/libgd-2.2.4-1.mga6/build.0.20170127165906.log
CVE-2016-1016[6-8] assigned: http://openwall.com/lists/oss-security/2017/01/28/6
Summary: libgd new security issues CVE-2016-6912 and CVE-2016-9317 => libgd new security issues CVE-2016-6912, CVE-2016-9317, CVE-2016-1016[6-8]
Now it's been uploaded for Cauldron. Thanks. QA team: please test this along with the PHP update.
Assignee: nicolas.salguero => qa-bugs
CC: qa-bugs => nicolas.salguero
(In reply to David Walser from comment #7)
> CVE-2016-1016[6-8] assigned:
> http://openwall.com/lists/oss-security/2017/01/28/6

LWN reference for CVE-2016-1016[78]: https://lwn.net/Vulnerabilities/713050/
To be consistent with the Cauldron version, I rebuilt libgd without the patch disabling the fontconfig/basic test (I used the variable XFAIL_TESTS instead).

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)

Double-free in gdImageWebPtr(). (CVE-2016-6912)

Potential unsigned underflow in gd_interpolation.c. (CVE-2016-10166)

DOS vulnerability in gdImageCreateFromGd2Ctx(). (CVE-2016-10167)

Signed Integer Overflow gd_io.c. (CVE-2016-10168)

References:
https://github.com/libgd/libgd/releases/tag/gd-2.2.4
http://openwall.com/lists/oss-security/2017/01/26/1
http://openwall.com/lists/oss-security/2017/01/28/6
https://lwn.net/Vulnerabilities/713050/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.4-1.1.mga5
libgd-devel-2.2.4-1.1.mga5
libgd-static-devel-2.2.4-1.1.mga5
gd-utils-2.2.4-1.1.mga5

from SRPMS:
libgd-2.2.4-1.1.mga5.src.rpm
CVE-2016-6906 is also fixed with this update: https://security-tracker.debian.org/tracker/CVE-2016-6906

LWN reference (for that and CVE-2016-10166): https://lwn.net/Vulnerabilities/713270/

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

OOB reads of the TGA decompression buffer (CVE-2016-6906).

Double-free in gdImageWebPtr() (CVE-2016-6912).

gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities (CVE-2016-9317).

Potential unsigned underflow in gd_interpolation.c (CVE-2016-10166).

DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167).

Signed Integer Overflow gd_io.c (CVE-2016-10168).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
https://github.com/libgd/libgd/releases/tag/gd-2.2.4
http://openwall.com/lists/oss-security/2017/01/26/1
http://openwall.com/lists/oss-security/2017/01/28/6
https://www.debian.org/security/2017/dsa-3777
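As an added illustration (not libgd's code and not the 2.2.4 fix itself), this shows the kind of dimension check the CVE-2016-9317 entry above describes as missing from gdImageCreate(): the size caps, the function names and the sample headers are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed caps for this illustration; libgd's own limits are not on this page. */
#define MAX_IMAGE_DIM    65535u
#define MAX_IMAGE_PIXELS (64u * 1024u * 1024u)

/* Validate an sx-by-sy image at bpp bytes per pixel before allocating it.
 * Returns the byte count when the allocation is safe and 0 when the
 * dimensions are non-positive, over the caps, or would overflow size_t. */
size_t checked_image_bytes(int sx, int sy, size_t bpp)
{
    if (sx <= 0 || sy <= 0 || bpp == 0)
        return 0;                           /* reject nonsense sizes */
    size_t w = (size_t)sx, h = (size_t)sy;
    if (w > MAX_IMAGE_DIM || h > MAX_IMAGE_DIM)
        return 0;                           /* per-axis cap */
    if (h > SIZE_MAX / w)
        return 0;                           /* w * h would wrap */
    size_t pixels = w * h;
    if (pixels > MAX_IMAGE_PIXELS)
        return 0;                           /* bound total memory, the DoS vector */
    if (pixels > SIZE_MAX / bpp)
        return 0;                           /* pixels * bpp would wrap */
    return pixels * bpp;
}

/* Hypothetical allocator: calloc is reached only after the check passes. */
unsigned char *safe_image_alloc(int sx, int sy, size_t bpp)
{
    size_t bytes = checked_image_bytes(sx, sy, bpp);
    return bytes ? calloc(bytes, 1) : NULL;
}

int main(void)
{
    /* Constructed inputs: one sane header and two hostile ones. */
    int cases[][2] = { {640, 480}, {2147483647, 2147483647}, {65535, 65535} };
    for (size_t i = 0; i < 3; i++) {
        unsigned char *p = safe_image_alloc(cases[i][0], cases[i][1], 4);
        printf("%d x %d -> %s\n", cases[i][0], cases[i][1],
               p ? "allocated" : "rejected");
        free(p);
    }
    return 0;
}
```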
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Pre-test info
-------------
I could find no test file in the references above; but this library has a host of associated programs in gd-utils which use it. None of these have man pages, but <command> -h gives a clue. For convenience I summarise them here (which makes a long post; sorry):

$ annotate -h
Usage: annotate imagein.jpg imageout.jpg [gets complicated]

$ bdftogd -h
usage: bdftogd fontname filename, eg. bdftogd FontLarge gdfontl

$ gd2copypal -h
Usage: gd2copypal palettefile.gd2 filename.gd2

$ gd2togif -h
Usage: gd2togif filename.gd2 filename.gif

$ gd2topng -h
Usage: gd2topng filename.gd2 filename.png [srcx srcy width height]
If the coordinates are absent, the entire image is converted.

$ gdcmpgif -h
Usage: gdcmpgif filename.gif filename.gif

$ gdparttopng -h
Usage: gdparttopng filename.gd filename.png x y w h

$ gdtopng -h
Usage: gdtopng filename.gd filename.png

$ giftogd2 -h
Usage: giftogd2 filename.gif filename.gd2 cs fmt
where cs is the chunk size; fmt is 1 for raw, 2 for compressed

$ pngtogd -h
Usage: pngtogd filename.png filename.gd

$ pngtogd2 -h
Usage: pngtogd2 filename.png filename.gd2 cs fmt
where cs is the chunk size; fmt is 1 for raw, 2 for compressed

/usr/bin/webpng
$ webpng -h
Usage: webpng [-i y|n] [-l] [-t index|none] [-d] [-a] pngname.png [gets complicated]

The library is specifically aimed at web image formats. It uses its own formats 'gd' and 'gd2': "GD and GD2 are image formats invented by libgd ... nobody else implemented GD/GD2 support" (perhaps not true).
CC: (none) => lewyssmith
Conversion summary
------------------
To help sort the wood from the trees in the previous comment...

        to GD      to GD2     from GD    from GD2
GIF     -          giftogd2   -          gd2togif
PNG     pngtogd    pngtogd2   gdtopng    gd2topng
Testing M5 x64

BEFORE update:
lib64gd3-2.2.3-1.4.mga5
gd-utils-2.2.3-1.4.mga5

Armed myself with static .gif and .png images, converted them to & from .gd and .gd2 (where possible according to the grid above), compared the final output images to the originals - all looked OK.

$ giftogd2 200_s.gif 200_s.gd2 1000 2    [chunksize, guess; compress]
$ gd2togif 200_s.gd2 200a_s.gif
$ display 200a_s.gif
$ gd2topng 200_s.gd2 200a_s.png
$ display 200a_s.png

$ pngtogd XferWise.png XferWise.gd
$ gdtopng XferWise.gd XferWisea.png
$ display XferWisea.png

$ pngtogd2 RyanAirLim-Leeds.png RyanAirLim-Leeds.gd2 1000 2    [chunksize, compress]
$ gd2topng RyanAirLim-Leeds.gd2 RyanAirLim-Leedsa.png
$ display RyanAirLim-Leedsa.png
$ gd2togif RyanAirLim-Leeds.gd2 RyanAirLim-Leedsa.gif
$ display RyanAirLim-Leedsa.gif

AFTER the update:
lib64gd3-2.2.4-1.1.mga5
gd-utils-2.2.4-1.1.mga5

The same sequence of commands yielded the same correct end results. OK
Whiteboard: advisory => advisory MGA5-64-OK
Tested converting a png to a gd2 file, then the gd2 file to a gif file. Viewed original and result in xv. Testing complete on Mageia 5 i586. Validating the update
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0055.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED