Bug 24336 - libgd new security issue CVE-2019-6977 and CVE-2019-6978
Summary: libgd new security issue CVE-2019-6977 and CVE-2019-6978
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 24165
Reported: 2019-02-10 20:30 CET by David Walser
Modified: 2019-02-13 12:10 CET (History)

See Also:
Source RPM: libgd-2.2.5-2.1.mga6.src.rpm
Status comment:


Description David Walser 2019-02-10 20:30:46 CET
Debian has issued an advisory on February 4:

We should have fixed CVE-2019-6977 in Bug 24165, but the patched libgd package wasn't pushed.  I've added the missing part of the upstream patch I referenced in:

as well as added the patch for CVE-2019-6978.


Updated libgd packages fix security vulnerabilities:

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD)
2.2.5 has a heap-based buffer overflow. This can be exploited by an attacker
who is able to trigger calls to the function with crafted image data.

The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c


Updated packages in core/updates_testing:

from libgd-2.2.5-2.3.mga6.src.rpm
David Walser 2019-02-10 20:31:24 CET

Blocks: (none) => 24165

Comment 1 Len Lawrence 2019-02-10 21:58:20 CET
mga6, x86_64
Before update:
use-after-free test script:
<?php
// Create a 2^27 x 1 palette image, then scale it down to 1 x 1.
$img = imagecreate(pow(2, 27), 0x01);
var_dump(imagescale($img, 0x01, 0x01, 20));
echo "Execution continues!\n";

$ php use-after-free
resource(5) of type (gd)
Execution continues!
out-of-bounds-read test script:
<?php
// Truecolor source and palette target of the same size, as imagecolormatch() requires.
$img1 = imagecreatetruecolor(0xfff, 0xfff);
$img2 = imagecreate(0xfff, 0xfff);
imagecolorallocate($img2, 0, 0, 0);   // only one palette entry is allocated ...
imagesetpixel($img2, 0, 0, 255);      // ... but a pixel references index 255
imagecolormatch($img1, $img2);

$ php out-of-bounds-read
No output.

Waiting for mirrors to synchronize.

CC: (none) => tarazed25
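Added example (not code from this bug report, from libgd or from PHP): a stand-alone C model of the gdImageColorMatch averaging loop that the advisory describes and that the imagecolormatch script above exercises. The structs, GD_MAX_COLORS (the value of gdMaxColors in gd.h) and the 2x2 sample are constructed stand-ins; the hardened version sizes the scratch buffer for all 256 indices a palette byte can hold, so a stray index such as 255 can never write outside it.

```c
#include <stdlib.h>
#define GD_MAX_COLORS 256   /* gdMaxColors in gd.h: a palette pixel is one byte */
typedef struct {            /* hypothetical stand-in for a palette gdImage */
    int sx, sy, colorsTotal;
    unsigned char *pixels;  /* row-major palette indices, sx * sy entries */
    int red[GD_MAX_COLORS], green[GD_MAX_COLORS], blue[GD_MAX_COLORS];
} pal_image;
typedef struct { int sx, sy; unsigned int *tpixels; } tc_image;  /* 0x00RRGGBB */
/* 2.2.5 sized its scratch buffer as 5 * colorsTotal entries but indexed it by
 * pixel value, so any pixel index >= colorsTotal wrote past the allocation. */
int overflows_2_2_5_buffer(const pal_image *im2)
{
    for (int i = 0; i < im2->sx * im2->sy; i++)
        if (im2->pixels[i] >= im2->colorsTotal) return 1;
    return 0;
}
/* Same averaging as gdImageColorMatch, but the scratch buffer covers every
 * index a byte can hold.  Returns 0 on success, -1 on bad input. */
int color_match(const tc_image *im1, pal_image *im2)
{
    if (im1->sx != im2->sx || im1->sy != im2->sy || im2->colorsTotal < 1) return -1;
    unsigned long *buf = calloc(5 * GD_MAX_COLORS, sizeof *buf), *bp;
    if (buf == NULL) return -1;
    for (int i = 0; i < im1->sx * im1->sy; i++) {
        unsigned int rgb = im1->tpixels[i];
        bp = buf + 5 * im2->pixels[i];            /* at most buf + 5 * 255 */
        bp[0] += (rgb >> 16) & 0xff; bp[1] += (rgb >> 8) & 0xff; bp[2] += rgb & 0xff;
        bp[4]++;                                  /* pixel count; bp[3] is alpha in libgd */
    }
    for (int c = 0; c < im2->colorsTotal; c++) {
        bp = buf + 5 * c;
        if (bp[4] == 0) continue;                 /* palette entry never used */
        im2->red[c] = bp[0] / bp[4]; im2->green[c] = bp[1] / bp[4]; im2->blue[c] = bp[2] / bp[4];
    }
    free(buf);
    return 0;
}

/* Constructed sample shaped like the PHP test: one colour allocated, pixel (0,0) set to
 * index 255.  Returns the 2.2.5 overflow verdict; *blue0 receives colour 0's averaged blue. */
int run_sample(int *blue0)
{
    unsigned char px[4] = { 255, 0, 0, 0 };
    unsigned int tp[4] = { 0x0000ff, 0x0000ff, 0x0000ff, 0x0000ff };
    pal_image p = { 2, 2, 1, px, {0}, {0}, {0} }; tc_image t = { 2, 2, tp };
    int overflow = overflows_2_2_5_buffer(&p);
    if (color_match(&t, &p) != 0) return -1;
    *blue0 = p.blue[0];
    return overflow;
}
```

With the sample, the 2.2.5 sizing would have been overrun (index 255 against a one-entry palette) while the hardened loop completes and averages palette entry 0 to pure blue.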

Comment 2 Len Lawrence 2019-02-10 23:32:12 CET
Oops - those tests were back to front:

Quote from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920728:
> CVE-2019-6978[0]:
> | The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
> | gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c.
> | NOTE: PHP is unaffected.

Does that mean we cannot use PHP scriptlets to test the vulnerability?
If so then I shall have to look for a C test for 6978 or else forget it.

$ cat useafterfree.c
/*
 * Test that failure to convert to JPEG returns NULL
 * We are creating an image, set its width to zero, and pass this image to
 * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
 * See also <https://github.com/libgd/libgd/issues/381>
 */
#include <stddef.h>
#include "gd.h"

int main(void)
{
    gdImagePtr src;
    void *dst;            /* gdImageJpegPtr() returns a malloc'd buffer or NULL */
    int size, numf = 0;

    src = gdImageCreateTrueColor(1, 10);
    if (src != NULL) {
        src->sx = 0;      /* this hack forces gdImageJpegPtr() to fail */
        dst = gdImageJpegPtr(src, &size, 0);
        if (dst == NULL) numf += 1;
        else gdFree(dst);
        gdImageDestroy(src);
    }
    return numf;          /* exit status 1 means the failure was reported as NULL */
}

$ gcc -o useafterfree -lgd useafterfree.c
$ chmod +x useafterfree
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)*** Error in `./useafterfree': double free or corruption (!prev): 0x0000000001587ee0 ***
======= Backtrace: =========
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
Comment 3 Len Lawrence 2019-02-10 23:49:10 CET
Clean update for the four packages.
$ php out-of-bounds-write
No output, as before - probably a good result.

$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image 
That looks like a good result.
This is a very simple utility test for the library using PHP.

Script based on a snippet from one of the libgd websites.
$ cat makepng.php
<?php
header("Content-type: image/png");
$string = "Songbird";
$im     = imagecreatefrompng("songbird.png");
$blue   = imagecolorallocate($im, 90, 90, 220);
$px     = (imagesx($im) - 7.5 * strlen($string)) / 2;   // centre the title horizontally
imagestring($im, 3, $px, 9, $string, $blue);
imagepng($im);        // write the PNG to stdout (redirected to test.png below)
imagedestroy($im);

$ php makepng.php > test.png
$ eom test.png
Shows a copy of the original with a superimposed title "Songbird".

Reran under trace to verify libgd is used.
$ cat trace | egrep "libgd|gd"| grep -v qa
stat("/etc/php.d/23_gd.ini", {st_mode=S_IFREG|0644, st_size=227, ...}) = 0
open("/etc/php.d/23_gd.ini", O_RDONLY)  = 3
open("/lib64/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/php/extensions/gd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/php/extensions/gd.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3

Assigning OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 4 Marc Krämer 2019-02-10 23:53:35 CET
Since libgd is the same in Cauldron, this has to be applied there too.
Comment 5 Len Lawrence 2019-02-10 23:55:21 CET
Comment 3: s/Reran under trace/Reran under strace/
Comment 6 Len Lawrence 2019-02-11 00:01:34 CET
Missed a bit:
$ ./useafterfree
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)
Comment 7 David Walser 2019-02-11 00:10:29 CET
(In reply to Marc Krämer from comment #4)
> Since libgd is the same in Cauldron, this has to be applied there too.

Oops, thanks for catching that!
Comment 8 Thomas Andrews 2019-02-12 02:37:46 CET
Len's tests look sufficient to me. Validating for Mageia 6. Advisory in Comment 0.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:49:15 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-02-13 12:10:43 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
