Bug 26220 - libgd new security issue CVE-2018-14553
Summary: libgd new security issue CVE-2018-14553
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-19 23:21 CET by David Walser
Modified: 2020-02-24 22:46 CET

See Also:
Source RPM: libgd-2.2.5-5.mga7.src.rpm
CVE: CVE-2018-14553
Status comment:


Description David Walser 2020-02-19 23:21:25 CET
Debian-LTS has issued an advisory on February 17:
https://www.debian.org/lts/security/2020/dla-2106

Mageia 7 is also affected.
David Walser 2020-02-19 23:21:34 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-20 19:45:17 CET
'libgd' has no registered nor evident maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

David Walser 2020-02-21 17:52:44 CET

Status comment: (none) => Patch available from upstream

Comment 2 Nicolas Salguero 2020-02-21 22:22:15 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. (CVE-2018-14553)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14553
https://www.debian.org/lts/security/2020/dla-2106
========================

Updated packages in core/updates_testing:
========================
lib(64)gd3-2.2.5-5.1.mga7
lib(64)gd-devel-2.2.5-5.1.mga7
lib(64)gd-static-devel-2.2.5-5.1.mga7
gd-utils-2.2.5-5.1.mga7

from SRPMS:
libgd-2.2.5-5.1.mga7.src.rpm

Version: Cauldron => 7
CVE: (none) => CVE-2018-14553
CC: (none) => nicolas.salguero
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: libgd-2.2.5-6.mga8.src.rpm => libgd-2.2.5-5.mga7.src.rpm

David Walser 2020-02-21 23:13:52 CET

Status comment: Patch available from upstream => (none)

Comment 3 Len Lawrence 2020-02-22 20:23:32 CET
Mageia7, x86_64

Updated the packages.
Referring to tests on bug 23496, carried out some image conversions using gd-utils.

$ pngtogd jessica1.png jessica.gd
$ file jessica.gd
jessica.gd: data
$ pngtogd2 jessica1.png jessica.gd2 2048 1
$ file jessica.gd2
jessica.gd2: data
$ gd2togif jessica.gd2 jessica.gif
$ eom jessica.gif
The displayed image looked like the original jessica1.png, with the same dimensions.
$ gdtopng jessica.gd jessica2.png
$ eom jessica2.png
The image matched the original.
$ gdparttopng jessica.gd2 extract.png 300 271 600 542
Extracting from (300, 271), size is 600x542
$ eom extract.png
The image sample looked as expected.

The help is still in error:
$ gdparttopng --help
Usage: gdparttopng filename.gd filename.png x y w h
$ gdparttopng jessica.gd jessica3.png 300 271 600 542 
Extracting from (300, 271), size is 600x542
Input is not in GD2 format!

Either the command should be renamed to gd2parttopng or the usage string should be edited.  A small matter; not enough to block this update.

CC: (none) => tarazed25

Len Lawrence 2020-02-22 20:23:56 CET

Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-02-23 16:15:08 CET
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-02-24 21:56:13 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-02-24 22:46:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0098.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
