Debian has issued an advisory on February 4: https://www.debian.org/security/2019/dsa-4384

We should have fixed CVE-2019-6977 in Bug 24165, but the patched libgd package wasn't pushed. I've added the missing part of the upstream patch I referenced in: https://bugs.mageia.org/show_bug.cgi?id=24165#c12 as well as added the patch for CVE-2019-6978.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5 has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger calls to the function with crafted image data (CVE-2019-6977).

The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c (CVE-2019-6978).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
https://www.debian.org/security/2019/dsa-4384
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.5-2.3.mga6
libgd-devel-2.2.5-2.3.mga6
libgd-static-devel-2.2.5-2.3.mga6
gd-utils-2.2.5-2.3.mga6

from libgd-2.2.5-2.3.mga6.src.rpm
Blocks: (none) => 24165
mga6, x86_64

Before update:
lib64gd3-2.2.5-2.2.mga6

-------------------------------------------------
CVE-2019-6977 use-after-free test script:

<?php
$img = imagecreate(pow(2, 27), 0x01);
var_dump(imagescale($img, 0x01, 0x01, 20));
echo "Execution continues!\n";

$ php use-after-free
resource(5) of type (gd)
Execution continues!
$

-------------------------------------------------
CVE-2019-6978 out-of-bounds-read test script:

<?php
$img1 = imagecreatetruecolor(0xfff, 0xfff);
$img2 = imagecreate(0xfff, 0xfff);
imagecolorallocate($img2, 0, 0, 0);
imagesetpixel($img2, 0, 0, 255);
imagecolormatch($img1, $img2);

$ php out-of-bounds-read
$

No output. Waiting for mirrors to synchronize.
CC: (none) => tarazed25
Oops - those tests were back to front:

CVE-2019-6977 out-of-bounds-write
https://bugs.php.net/bug.php?id=77270

Quote from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920728:

> CVE-2019-6978[0]:
> | The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
> | gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c.
> | NOTE: PHP is unaffected.

Does that mean we cannot use PHP scriptlets to test the vulnerability? If so then I shall have to look for a C test for 6978 or else forget it.

https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0

$ cat useafterfree.c
/**
 * Test that failure to convert to JPEG returns NULL
 *
 * We are creating an image, set its width to zero, and pass this image to
 * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
 *
 * See also <https://github.com/libgd/libgd/issues/381>
 */

#include "gd.h"

int main()
{
    gdImagePtr src, dst;
    int size, numf = 0;

    src = gdImageCreateTrueColor(1, 10);
    if (src != NULL) {
        src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
        dst = gdImageJpegPtr(src, &size, 0);
        if (dst == NULL)
            numf += 1;
    }
    gdImageDestroy(src);
    return numf;
}

$ gcc -o useafterfree -lgd useafterfree.c
$ chmod +x useafterfree
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)*** Error in `./useafterfree': double free or corruption (!prev): 0x0000000001587ee0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x72435)[0x7f6ea8fbb435]
[...]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
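The imagecolormatch() script in comment 1 is the CVE-2019-6977 test. Why that is an out-of-bounds write, and why the upstream fix is a one-line sizing change, is easier to see with the buffer arithmetic isolated from the library. What follows is an added illustration, not libgd code and not part of this bug's test results: it models the per-colour accumulation buffer that gdImageColorMatch() in gd_color_match.c allocates. The struct, sizes and helper names are my own, and the statement that 2.2.5 sized the buffer from im2->colorsTotal while the fix sizes it from gdMaxColors is my reading of the upstream patch. It links nothing, so it builds with a plain gcc invocation.

```c
/* Stand-alone model of the CVE-2019-6977 sizing bug in gdImageColorMatch()
 * (gd_color_match.c, libgd 2.2.5).  Added illustration, not libgd code: it
 * carries no real image data and links no library, it only reproduces the
 * index arithmetic that decides whether the accumulation buffer is written
 * out of bounds. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GD_MAX_COLORS 256      /* gdMaxColors: a palette image has at most 256 entries */
#define ENTRIES_PER_COLOR 5    /* count, r, g, b, a accumulated per palette index */

/* Minimal stand-in (my own struct) for the palette-image fields the bug uses. */
typedef struct {
    int sx, sy;
    int colors_total;           /* im->colorsTotal: palette entries actually allocated */
    unsigned char pixels[4][4]; /* im->pixels[y][x]: palette index per pixel (toy size) */
} palette_image;

/* Buffer length in unsigned longs.  2.2.5 sized it from colorsTotal; the
 * upstream fix sizes it from gdMaxColors (assumed reading of the patch). */
static size_t buf_entries_vulnerable(const palette_image *im2)
{
    return (size_t)ENTRIES_PER_COLOR * (size_t)im2->colors_total;
}

static size_t buf_entries_fixed(void)
{
    return (size_t)ENTRIES_PER_COLOR * GD_MAX_COLORS;
}

/* Highest palette index referenced by any pixel.  Nothing keeps a pixel's
 * index below colorsTotal: imagesetpixel($im, 0, 0, 255) stores 255 even
 * when only one colour has been allocated. */
static int max_pixel_index(const palette_image *im2)
{
    int x, y, max = 0;
    for (y = 0; y < im2->sy; y++)
        for (x = 0; x < im2->sx; x++)
            if (im2->pixels[y][x] > max)
                max = im2->pixels[y][x];
    return max;
}

/* 1 if the accumulation loop would write past a buffer of buf_entries
 * unsigned longs: it does bp = buf + color * 5 and writes bp[0] .. bp[4]. */
static int would_overflow(const palette_image *im2, size_t buf_entries)
{
    size_t last = (size_t)max_pixel_index(im2) * ENTRIES_PER_COLOR
                  + (ENTRIES_PER_COLOR - 1);
    return last >= buf_entries;
}

/* The image from the PHP PoC in comment 1, reduced to the toy struct:
 * one colour allocated, pixel (0,0) set to palette index 255. */
static palette_image poc_image(void)
{
    palette_image im;
    memset(&im, 0, sizeof im);
    im.sx = 4;
    im.sy = 4;
    im.colors_total = 1;
    im.pixels[0][0] = 255;
    return im;
}

static int poc_max_index(void)
{
    palette_image im = poc_image();
    return max_pixel_index(&im);
}

static int poc_overflows_vulnerable(void)
{
    palette_image im = poc_image();
    return would_overflow(&im, buf_entries_vulnerable(&im));
}

static int poc_overflows_fixed(void)
{
    palette_image im = poc_image();
    return would_overflow(&im, buf_entries_fixed());
}

int main(void)
{
    palette_image im2 = poc_image();
    printf("max palette index used: %d (colorsTotal = %d)\n",
           poc_max_index(), im2.colors_total);
    printf("2.2.5 sizing (%zu entries): %s\n", buf_entries_vulnerable(&im2),
           poc_overflows_vulnerable() ? "OUT OF BOUNDS WRITE" : "ok");
    printf("fixed sizing (%zu entries): %s\n", buf_entries_fixed(),
           poc_overflows_fixed() ? "OUT OF BOUNDS WRITE" : "ok");
    return 0;
}
```

With the PoC's single allocated colour the 2.2.5 sizing gives a 5-entry buffer, while pixel index 255 makes the loop write entries 1275 to 1279; the fixed sizing always reserves 1280 entries, which is why the patched package runs the script silently rather than corrupting the heap. Since a successful run and a silently corrupted heap both produce "no output", running the PHP PoC under MALLOC_CHECK_=3 or valgrind is a stronger check than the bare invocation.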
Clean update for the four packages.

CVE-2019-6977
$ php out-of-bounds-write
$
No output, as before - probably good result.

CVE-2019-6978
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image
$
That looks like a good result.

-------------------------------------------------------------------
This is a very simple utility test for the library using PHP.
Script based on a snippet from one of the libgd websites.

$ cat makepng.php
<?php
header("Content-type: image/png");
$string = "Songbird";
$im = imagecreatefrompng("songbird.png");
$blue = imagecolorallocate($im, 90, 90, 220);
$px = (imagesx($im) - 7.5 * strlen($string)) / 2;
imagestring($im, 3, $px, 9, $string, $blue);
imagepng($im);
imagedestroy($im);

$ php makepng.php > test.png
$ eom test.png
Shows a copy of the original with a superimposed title "Songbird".

Reran under trace to verify libgd is used.
$ cat trace | egrep "libgd|gd" | grep -v qa
stat("/etc/php.d/23_gd.ini", {st_mode=S_IFREG|0644, st_size=227, ...}) = 0
open("/etc/php.d/23_gd.ini", O_RDONLY) = 3
open("/lib64/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/php/extensions/gd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/php/extensions/gd.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3

Assigning OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Since libgd is the same in Cauldron, this has to be applied there too.
Comment 3: s/Reran under trace/Reran under strace/
Missed a bit:

$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)
$
(In reply to Marc Krämer from comment #4)
> Since libgd is the same in Cauldron, this has to be applied there too.

Oops, thanks for catching that!
Len's tests look sufficient to me. Validating for Mageia 6. Advisory in Comment 0.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0073.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED