Ubuntu has issued an advisory on August 27: https://usn.ubuntu.com/3755-1/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable. Also CC'ing some committers.
CC: (none) => geiger.david68210, mageia, marja11, nicolas.salguero, oe
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx. (CVE-2018-5711)

Libgd version 2.2.5 contains a double free vulnerability in the gdImageBmpPtr function that can result in remote code execution. This attack appears to be exploitable via a specially crafted JPEG image that can trigger a double free. This vulnerability appears to have been fixed after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5. (CVE-2018-1000222)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
https://usn.ubuntu.com/3755-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)gd3-2.2.5-2.1.mga6
lib(64)gd-devel-2.2.5-2.1.mga6
lib(64)gd-static-devel-2.2.5-2.1.mga6
gd-utils-2.2.5-2.1.mga6

from SRPMS:
libgd-2.2.5-2.1.mga6.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: libgd-2.2.5-3.mga7.src.rpm => libgd-2.2.5-2.mga6.src.rpm
CVE: (none) => CVE-2018-5711, CVE-2018-1000222
Version: Cauldron => 6
Mageia 6, x86_64

POC trail:

CVE-2018-5711
https://bugs.php.net/bug.php?id=75571

$ curl https://gist.githubusercontent.com/orangetw/adb0e2519df267eb54d8b68027a91d4c/raw/7a7d6938f59dd89e9a9b7304d71f8f6640609479/poc.gif.xxd | xxd -r > poc.gif
$ identify poc.gif
POC.gif GIF 64x64 12352x12418+48+48 8-bit sRGB 4c 1731B 0.000u 0:00.000
identify: corrupt image `POC.gif' @ error/gif.c/PingGIFImage/959.
$ file poc.gif
poc.gif: GIF image data, version 89a, 12352 x 12418

The file displays in eom but not ImageMagick display.

$ php -r 'imagecreatefromgif("poc.gif");'
<This is supposed to hang but it does not.>

CVE-2018-1000222
Nothing useful.

Updated the four packages.

CVE-2018-5711
$ php -r 'imagecreatefromgif("poc.gif");'
PHP Warning:  imagecreatefromgif(): 'poc.gif' is not a valid GIF file in Command line code on line 1
That counts as confirmation of the fix.

Functionality tests using image conversion tools:

$ pngtogd ikapati.png ikapati.gd
$ pngtogd2 ikapati.png ikapati.gd2 2048 1
$ ll *.gd*
-rw-r--r-- 1 lcl lcl 1007588 Sep  1 22:50 ikapati.gd
-rw-r--r-- 1 lcl lcl 1007600 Sep  1 22:52 ikapati.gd2
$ ll ikapati.png
-rw-r--r-- 1 lcl lcl  676503 May  5 13:08 ikapati.png
$ gd2togif ikapati.gd2 ikapati.gif
$ ll ikapati.gif
-rw-r--r-- 1 lcl lcl 1058224 Sep  1 22:56 ikapati.gif
$ eom ikapati.gif
The image looks just like the original PNG.
$ gdtopng ikapati.gd ikapati2.png
$ ll ikapati2.png
-rw-r--r-- 1 lcl lcl  852302 Sep  1 23:01 ikapati2.png
Note that ikapati2.png looks just like ikapati.png but is a larger file than the original.
$ identify ikapati2.png
ikapati2.png PNG 1229x819 1229x819+0+0 8-bit sRGB 256c 852302B 0.000u 0:00.000
$ gdparttopng ikapati.gd2 sample.png 200 160 800 500
Extracting from (200, 160), size is 800x500
$ identify sample.png
sample.png PNG 800x500 800x500+0+0 8-bit sRGB 256c 338914B 0.000u 0:00.000
$ gdparttopng --help
Usage: gdparttopng filename.gd filename.png x y w h
The help is wrong - see this:
$ gdparttopng ikapati.gd sample1.png 200 160 800 500
Extracting from (200, 160), size is 800x500
Input is not in GD2 format!

Apart from that everything is in order. Good for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
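An added example, not from this bug report or from libgd: a defender-side sanity check that walks the GIF block structure before a file is handed to a decoder, flagging oversize logical screens (the POC-like sample mirrors the 12352x12418 canvas with a 64x64 frame at 48,48 that identify printed above), frames outside the canvas, and a missing trailer. The sample GIFs are constructed inline and the 4,000,000-pixel budget is an assumed value.

```python
import struct

# Constructed samples (not the POC from the bug report): a sane 64x64 GIF and one
# whose logical screen mirrors the identify output (12352x12418 canvas, 64x64 frame at 48,48).
def build_gif(screen_w, screen_h, left, top, w, h, trailer=True):
    """Assemble a minimal GIF89a: no colour tables, one frame, one data sub-block."""
    out = b"GIF89a" + struct.pack("<HHBBB", screen_w, screen_h, 0, 0, 0)
    out += b"\x2c" + struct.pack("<HHHHB", left, top, w, h, 0)
    out += b"\x02\x01\x00\x00"           # LZW min code size 2, 1-byte sub-block, terminator
    return out + (b"\x3b" if trailer else b"")

SANE_GIF = build_gif(64, 64, 0, 0, 64, 64)
POC_LIKE_GIF = build_gif(12352, 12418, 48, 48, 64, 64)

def skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while pos < len(data) and data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_issues(data, max_pixels=4_000_000):
    """Walk the GIF block structure and list reasons to refuse the file
    before it reaches a decoder; max_pixels is an assumed budget."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF header"]
    issues = []
    sw, sh, packed = struct.unpack("<HHB", data[6:11])
    if sw * sh > max_pixels:
        issues.append(f"logical screen {sw}x{sh} exceeds pixel budget")
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)  # skip global colour table
    frames = 0
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                                   # trailer: well-formed end
            return issues
        if tag == 0x21:                                   # extension: label byte + sub-blocks
            pos = skip_subblocks(data, pos + 2)
        elif tag == 0x2C:                                 # image descriptor
            if pos + 10 > len(data):
                return issues + ["truncated image descriptor"]
            left, top, w, h, fpacked = struct.unpack("<HHHHB", data[pos + 1:pos + 10])
            frames += 1
            if w == 0 or h == 0 or left + w > sw or top + h > sh:
                issues.append(f"frame {frames} {w}x{h}@{left},{top} does not fit the screen")
            pos += 10 + (3 * (2 << (fpacked & 7)) if fpacked & 0x80 else 0)  # local colour table
            pos = skip_subblocks(data, pos + 1)           # skip LZW min code size, then data
        else:
            return issues + [f"unknown block tag 0x{tag:02x}"]
    return issues + ["missing trailer (0x3B)"]
```

This only checks structure and declared sizes; it does not decode the LZW stream, so it bounds decoder work rather than replacing the libgd fix.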
CC: (none) => tmb
Keywords: (none) => advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0367.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED