Bug 23496 - libgd new security issues CVE-2018-5711 and CVE-2018-1000222
Summary: libgd new security issues CVE-2018-5711 and CVE-2018-1000222
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-28 22:25 CEST by David Walser
Modified: 2018-09-02 21:08 CEST
CC List: 8 users

See Also:
Source RPM: libgd-2.2.5-2.mga6.src.rpm
CVE: CVE-2018-5711, CVE-2018-1000222
Status comment:

Description David Walser 2018-08-28 22:25:18 CEST
Ubuntu has issued an advisory on August 27:
https://usn.ubuntu.com/3755-1/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-28 22:25:26 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-30 19:57:49 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable.

Also CC'ing some committers.

CC: (none) => geiger.david68210, mageia, marja11, nicolas.salguero, oe
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-08-31 09:29:59 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx. (CVE-2018-5711)

Libgd version 2.2.5 contains a double free vulnerability in the gdImageBmpPtr function that can result in remote code execution. This attack appears to be exploitable via a specially crafted JPEG image that can trigger a double free. This vulnerability appears to have been fixed after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5. (CVE-2018-1000222)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
https://usn.ubuntu.com/3755-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)gd3-2.2.5-2.1.mga6
lib(64)gd-devel-2.2.5-2.1.mga6
lib(64)gd-static-devel-2.2.5-2.1.mga6
gd-utils-2.2.5-2.1.mga6

from SRPMS:
libgd-2.2.5-2.1.mga6.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: libgd-2.2.5-3.mga7.src.rpm => libgd-2.2.5-2.mga6.src.rpm
CVE: (none) => CVE-2018-5711, CVE-2018-1000222
Version: Cauldron => 6
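The CVE-2018-5711 text above names an integer signedness error in GetCode_ that turns a bad GIF into an infinite loop. The C example below is added here and is not libgd's code nor part of this bug report; it assumes the defect follows the common pattern of storing a signed "-1 on error" return from a data-block reader in an unsigned char, so the end-of-data check can never fire, and shows the int-typed variant beside it. The reader, the sample bytes and the function names are constructed for illustration.

```c
#include <string.h>

/* Constructed input: two well-formed GIF-style sub-blocks followed by a
   truncated one (length byte says 4, only one byte follows). Not a real GIF. */
static const unsigned char SAMPLE_TRUNC[] = { 2, 'a', 'b', 3, 'c', 'd', 'e', 4, 'x' };
/* Constructed well-formed input: one sub-block, then the 0-length terminator. */
static const unsigned char SAMPLE_OK[] = { 1, 'a', 0 };

typedef struct { const unsigned char *p; size_t left; } reader_t;

/* Modelled on a GetDataBlock-style reader: returns the block length
   (0 = block terminator) or -1 when the stream ends early. */
static int get_data_block(reader_t *r, unsigned char *buf) {
    if (r->left < 1) return -1;
    unsigned char n = *r->p++; r->left--;
    if (r->left < n) return -1;            /* truncated block */
    memcpy(buf, r->p, n);
    r->p += n; r->left -= n;
    return n;
}

/* Vulnerable pattern: the signed error return lands in an unsigned char, so
   -1 becomes 255 and "<= 0" is never true on a truncated stream. The loop is
   capped so the demo terminates; -1 means the check never fired. */
int drain_blocks_vulnerable(const unsigned char *data, size_t len, int cap) {
    reader_t r = { data, len };
    unsigned char buf[256], count;
    int done = 0, attempts = 0;
    while (!done && attempts < cap) {
        attempts++;
        if ((count = get_data_block(&r, buf)) <= 0)   /* -1 -> 255 */
            done = 1;
    }
    return done ? attempts : -1;
}

/* Fixed pattern: keep the return value in an int so -1 stays -1. */
int drain_blocks_fixed(const unsigned char *data, size_t len, int cap) {
    reader_t r = { data, len };
    unsigned char buf[256];
    int count, done = 0, attempts = 0;
    while (!done && attempts < cap) {
        attempts++;
        if ((count = get_data_block(&r, buf)) <= 0)   /* stops on 0 or -1 */
            done = 1;
    }
    return done ? attempts : -1;
}
```

On the well-formed sample both versions stop after the terminator; on the truncated sample only the int-typed version stops, which is the behaviour a regression test for this class of bug should pin down.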

Comment 3 Len Lawrence 2018-09-02 00:23:53 CEST
Mageia 6, x86_64

POC trail:

CVE-2018-5711
https://bugs.php.net/bug.php?id=75571
$ curl https://gist.githubusercontent.com/orangetw/adb0e2519df267eb54d8b68027a91d4c/raw/7a7d6938f59dd89e9a9b7304d71f8f6640609479/poc.gif.xxd | xxd -r > poc.gif
$ identify poc.gif
POC.gif GIF 64x64 12352x12418+48+48 8-bit sRGB 4c 1731B 0.000u 0:00.000
identify: corrupt image `POC.gif' @ error/gif.c/PingGIFImage/959.
$ file poc.gif
poc.gif: GIF image data, version 89a, 12352 x 12418
The file displays in eom but not ImageMagick display.
$ php -r 'imagecreatefromgif("poc.gif");'
<This is supposed to hang but it does not.>

CVE-2018-1000222
Nothing useful.

Updated the four packages.

CVE-2018-5711
$ php -r 'imagecreatefromgif("poc.gif");'
PHP Warning:  imagecreatefromgif(): 'poc.gif' is not a valid GIF file in Command line code on line 1

That counts as confirmation of the fix.

Functionality tests using image conversion tools:

$ pngtogd ikapati.png ikapati.gd
$ pngtogd2 ikapati.png ikapati.gd2 2048 1
$ ll *.gd*
-rw-r--r-- 1 lcl lcl 1007588 Sep  1 22:50 ikapati.gd
-rw-r--r-- 1 lcl lcl 1007600 Sep  1 22:52 ikapati.gd2
$ ll ikapati.png
-rw-r--r-- 1 lcl lcl 676503 May  5 13:08 ikapati.png
$ gd2togif ikapati.gd2 ikapati.gif
$ ll ikapati.gif
-rw-r--r-- 1 lcl lcl 1058224 Sep  1 22:56 ikapati.gif
$ eom ikapati.gif
The image looks just like the original PNG.
$ gdtopng ikapati.gd ikapati2.png
$ ll ikapati2.png
-rw-r--r-- 1 lcl lcl 852302 Sep  1 23:01 ikapati2.png
Note that ikapati2.png looks just like ikapati.png but is a larger file than the original.
$ identify ikapati2.png
ikapati2.png PNG 1229x819 1229x819+0+0 8-bit sRGB 256c 852302B 0.000u 0:00.000
$ gdparttopng ikapati.gd2 sample.png 200 160 800 500
Extracting from (200, 160), size is 800x500
$ identify sample.png
sample.png PNG 800x500 800x500+0+0 8-bit sRGB 256c 338914B 0.000u 0:00.000

$ gdparttopng --help
Usage: gdparttopng filename.gd filename.png x y w h
The help is wrong - see this:
$ gdparttopng ikapati.gd sample1.png 200 160 800 500
Extracting from (200, 160), size is 800x500
Input is not in GD2 format!

Apart from that everything is in order.  Good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Thomas Backlund 2018-09-02 19:55:26 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Thomas Backlund 2018-09-02 20:35:01 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2018-09-02 21:08:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0367.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
