Bug 21659 - libgd new security issue CVE-2017-6362
Summary: libgd new security issue CVE-2017-6362
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-03 16:19 CEST by David Walser
Modified: 2017-10-05 22:09 CEST (History)
6 users

See Also:
Source RPM: libgd-2.2.4-3.1.mga6.src.rpm
CVE:
Status comment:


Attachments
Script to create a specimen image in memory, free the memory then try to access it again via a dangling pointer. (248 bytes, text/plain)
2017-09-24 21:37 CEST, Len Lawrence
Script to load a file into memory and try to free it twice. (472 bytes, text/plain)
2017-09-24 21:41 CEST, Len Lawrence
Dat file for the doublefree program (9.77 KB, application/octet-stream)
2017-09-24 21:42 CEST, Len Lawrence

Description David Walser 2017-09-03 16:19:30 CEST
Upstream has released version 2.2.5 on August 30:
http://libgd.github.io/release-2.2.5.html

It fixes two security issues.  We fixed one of them in the last PHP update.

Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N2BLXX7KNRE7ZVQAKGTHHWS33CUCXVUP/

We should update this for Mageia 5 and Mageia 6 as well.
David Walser 2017-09-03 16:19:37 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Lécureuil 2017-09-03 17:08:33 CEST
already fixed in cauldron

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => mageia

Comment 2 David Walser 2017-09-03 18:36:10 CEST
(In reply to Nicolas Lécureuil from comment #1)
> already fixed in cauldron

Not quite.  It didn't build.

Version: 6 => Cauldron
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 3 Marja Van Waes 2017-09-04 17:21:56 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 4 David Walser 2017-09-04 18:13:27 CEST
Debian has issued an advisory for this on September 3:
https://www.debian.org/security/2017/dsa-3961

Comment 5 Nicolas Salguero 2017-09-22 14:35:22 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. (CVE-2017-6362)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
========================

Updated packages in 5/core/updates_testing:
========================
lib(64)gd3-2.2.5-1.mga5
lib(64)gd-devel-2.2.5-1.mga5
lib(64)gd-static-devel-2.2.5-1.mga5
gd-utils-2.2.5-1.mga5

from SRPMS:
libgd-2.2.5-1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lib(64)gd3-2.2.5-1.mga6
lib(64)gd-devel-2.2.5-1.mga6
lib(64)gd-static-devel-2.2.5-1.mga6
gd-utils-2.2.5-1.mga6

from SRPMS:
libgd-2.2.5-1.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: libgd-2.2.4-5.mga7.src.rpm => libgd-2.2.4-3.1.mga6.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 6 Lewis Smith 2017-09-23 21:24:59 CEST
Pointers: bug 20171 comments 12, especially 13, 14.

CC: (none) => lewyssmith

Comment 7 Len Lawrence 2017-09-24 20:14:15 CEST
I'll take this one for mga5 and mga6.
There is a reproducer which entails compiling C code but that should be OK seeing as we are installing the devel package.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2017-09-24 21:31:35 CEST
Testing on mga6 for x86_64

Reproducer for the CVE-2017-6362 issue is at https://github.com/libgd/libgd/issues/381
Downloaded the special data file doublefree.txt and copy/pasted the two specimen programs to test.c and doublefree.c.
Test creates the data internally and doublefree reads the data file.

Discovered the hard way that gdtest.h is not a standard part of the package but comes from a separate test harness.  Commented out the gdtest references and compiled the two scripts.
$ gcc -o gdtest -lgd test.c
$ gcc -o doublefree -lgd doublefree.c

$ ./gdtest
Aborted with a core dump.
$ ./doublefree doublefree.txt
Segmentation fault (core dumped)

Installed the updates and recompiled the two test scripts.
$ ./gdtest
GD Warning: gd-png error: no colors in palette
$ ./doublefree doublefree.txt
Segmentation fault (core dumped)

Interesting.  It may be that the second test is yet another which only returns meaningful results within a testing framework.  My inclination is to say the issue is fixed.

Functionality tests later, following Lewis's lead.
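The advisory text and the reproducer flow above (create an image whose palette has no colors, encode it, release the buffer) describe a double free on an encoder's error path: the encoder frees a buffer and still hands the stale pointer back, so the caller's own free() hits it a second time. The C program below is an added example, not libgd's code and not the reporters' test.c or doublefree.c; it models the ownership rule a fixed encoder must follow using a made-up PalImage type, a toy "PAL1" container, and the hypothetical functions encode_palette_image, decode_header and encode_and_release. It compiles without libgd.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a palette image. It is not libgd's gdImage;
 * only the fields the example needs are modelled. */
typedef struct {
    int width;
    int height;
    int colorsTotal;        /* palette entries in use; 0 is the trigger from the advisory */
    unsigned char *pixels;  /* width * height palette indices */
} PalImage;

/* Toy container (constructed): 4-byte magic, three uint32 header fields
 * (width, height, colorsTotal) in host byte order, then raw palette indices. */
static const unsigned char MAGIC[4] = { 'P', 'A', 'L', '1' };
#define HEADER_SIZE (sizeof MAGIC + 3 * sizeof(uint32_t))

/* Encode `im` into a freshly malloc'd buffer.
 *
 * Ownership rule that rules out the double free: the function either
 * returns a buffer the caller owns (and frees exactly once), or returns
 * NULL with *size == 0 after releasing everything it allocated itself.
 * It never frees `out` and then hands the stale pointer back. */
unsigned char *encode_palette_image(const PalImage *im, int *size)
{
    unsigned char *out = NULL;
    uint32_t hdr[3];
    size_t npix, total;

    *size = 0;
    if (im == NULL || im->width <= 0 || im->height <= 0 || im->pixels == NULL)
        return NULL;

    if (im->colorsTotal <= 0) {
        /* Same condition the page's warning reports. Take the single error
         * exit; `out` is still NULL here, so free(out) below is a no-op. */
        fprintf(stderr, "warning: no colors in palette\n");
        goto error;
    }

    npix = (size_t)im->width * (size_t)im->height;
    total = HEADER_SIZE + npix;
    out = malloc(total);
    if (out == NULL)
        goto error;

    hdr[0] = (uint32_t)im->width;
    hdr[1] = (uint32_t)im->height;
    hdr[2] = (uint32_t)im->colorsTotal;
    memcpy(out, MAGIC, sizeof MAGIC);
    memcpy(out + sizeof MAGIC, hdr, sizeof hdr);
    memcpy(out + HEADER_SIZE, im->pixels, npix);

    *size = (int)total;
    return out;

error:
    free(out);      /* release only what this function allocated */
    return NULL;    /* caller sees NULL and has nothing to free */
}

/* Parse the header back out of an encoded buffer. Returns 1 on success. */
int decode_header(const unsigned char *buf, int size,
                  uint32_t *w, uint32_t *h, uint32_t *colors)
{
    uint32_t hdr[3];

    if (buf == NULL || size < (int)HEADER_SIZE || memcmp(buf, MAGIC, sizeof MAGIC) != 0)
        return 0;
    memcpy(hdr, buf + sizeof MAGIC, sizeof hdr);
    if ((size_t)size != HEADER_SIZE + (size_t)hdr[0] * hdr[1])
        return 0;
    *w = hdr[0];
    *h = hdr[1];
    *colors = hdr[2];
    return 1;
}

/* Mirrors the reproducer's flow: build a 2x2 image with `colors` palette
 * entries, encode it, free the result exactly once. Returns the encoded
 * size, 0 when the encoder refused the image (nothing to free then), or
 * -1 if the header did not round-trip. */
int encode_and_release(int colors)
{
    unsigned char pixels[4] = { 0, 0, 0, 0 };   /* constructed sample */
    PalImage im = { 2, 2, colors, pixels };
    int size = 0;
    uint32_t w, h, c;
    unsigned char *data = encode_palette_image(&im, &size);

    if (data == NULL)
        return 0;                 /* error path already cleaned up after itself */
    if (!decode_header(data, size, &w, &h, &c) || w != 2 || h != 2 || c != (uint32_t)colors)
        size = -1;
    free(data);                   /* the one and only free */
    data = NULL;                  /* leave no dangling pointer behind */
    return size;
}

int main(void)
{
    printf("empty palette -> %d bytes\n", encode_and_release(0));
    printf("one colour    -> %d bytes\n", encode_and_release(1));
    return 0;
}
```

The caller-side discipline is the part worth carrying over to real libgd code: treat a NULL return as "nothing was allocated for me", and release a non-NULL result exactly once with the library's own release function (gdFree() for buffers returned by gdImagePngPtr), never with a second call on the same pointer.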

Comment 9 Len Lawrence 2017-09-24 21:37:15 CEST
Created attachment 9685
Script to create a specimen image in memory, free the memory then try to access it again via a dangling pointer.

$ gcc -o gdtest -lgd test.c

Comment 10 Len Lawrence 2017-09-24 21:41:30 CEST
Created attachment 9686
Script to load a file into memory and try to free it twice.

$ gcc -o doublefree -lgd doublefree.c
$ ./doublefree doublefree.txt

Comment 11 Len Lawrence 2017-09-24 21:42:57 CEST
Created attachment 9687
Dat file for the doublefree program

Comment 12 Len Lawrence 2017-09-24 22:50:14 CEST
Pardon me.  I just noticed the hyphen in the file name.
$ ./doublefree double-free.txt
GD Warning: gd-png error: no colors in palette

So, clipped free of the test harness, the second program is essentially the same as the first.

Comment 13 Len Lawrence 2017-09-24 23:56:25 CEST
Utility tests following on from comments 8-12.

$ giftogd2 Maggie.gif Maggie.gd2 256 1
$ ls -l Maggie.*
-rw-r--r-- 1 lcl lcl 531905 Sep 24 22:09 Maggie.gd2
-rw-r--r-- 1 lcl lcl 315652 Sep 24 22:07 Maggie.gif
$ gd2topng Maggie.gd2 maggie.png
$ display maggie.png 
That reproduces the original image.
$ gd2togif Maggie.gd2 maggie.gif
That also.

$ pngtogd2 SantaMaria.png SantaMaria.gd 2048 1
$ ls -l SantaMaria.*
-rw-r--r-- 1 lcl lcl 5915255 Sep 24 22:27 SantaMaria.gd
-rw-r--r-- 1 lcl lcl  954440 Aug 22 23:43 SantaMaria.png
$ identify SantaMaria.png
SantaMaria.png PNG 1311x1128 1311x1128+0+0 8-bit sRGB 954440B 0.000u 0:00.000
$ gd2topng SantaMaria.gd crater.png 200 200 911 728
This cropped a 200 pixel border from the image.
$ identify crater.png
crater.png PNG 911x728 911x728+0+0 8-bit sRGB 476640B 0.000u 0:00.000

There is a distinct difference between compressed and raw:
$ pngtogd2 maggie.png maggie.gd 256 2
$ ls -l maggie.gd
-rw-r--r-- 1 lcl lcl 283690 Sep 24 22:44 maggie.gd
$ pngtogd2 maggie.png maggie.gd 256 1
$ ls -l maggie.gd
-rw-r--r-- 1 lcl lcl 531905 Sep 24 22:46 maggie.gd

$ webpng -i y -l SantaMaria.png
Truecolor image, no palette entries to list.
$ webpng -i n -l SantaMaria.png
libpng warning: Interlace handling should be turned on when using png_read_image
Truecolor image, no palette entries to list.

This looks good for 64-bits.
Len Lawrence 2017-09-24 23:56:41 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 14 Len Lawrence 2017-09-25 07:02:22 CEST
Addendum to comment 13:
xv can be used to show a gd image as an ASCII or hex dump.  The gd2 string shows up in the file header but is not recognized by file, which merely reports it as 'data'.

Comment 15 Len Lawrence 2017-09-25 08:58:36 CEST
Testing in mga5 for x86_64
Referring to tests in comments 8-13.
Compiled the test.c and doublefree.c scripts.
Before the updates the two reproducers generated stack dumps and aborted.
Ran the updates and recompiled the test programs and ran them again.

$ gcc -o gdtest -lgd test.c
$ gcc -o doublefree -lgd doublefree.c
$ ./gdtest
GD Warning: gd-png error: no colors in palette
$ ./doublefree double-free.txt
GD Warning: gd-png error: no colors in palette

Repeated the utility tests as listed in comment 13.
All output was identical to that of the mga6 tests.

OK for mga5.
Len Lawrence 2017-09-25 08:58:52 CEST

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 16 Lewis Smith 2017-09-26 13:32:10 CEST
Thank you Len for your painstaking tests. Validating.
Advisory from comments 0, 4, 5.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2017-10-05 22:09:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0356.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

