Bug 26306 - libgd new security issue CVE-2019-11038
Summary: libgd new security issue CVE-2019-11038
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-03-05 23:11 CET by David Walser
Modified: 2020-03-08 23:39 CET (History)
5 users (show)

See Also:
Source RPM: libgd-2.2.5-5.1.mga7.src.rpm
CVE: CVE-2019-11038
Status comment:


Description David Walser 2020-03-05 23:11:47 CET
SUSE has issued an advisory today (March 5):

The issue was fixed upstream in this commit:

Mageia 7 is also affected.
David Walser 2020-03-05 23:16:30 CET

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2020-03-06 09:48:07 CET
Suggested advisory:

The updated packages fix a security vulnerability:

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. (CVE-2019-11038)


Updated packages in core/updates_testing:

from SRPMS:

CVE: (none) => CVE-2019-11038
Status comment: Patch available from upstream => (none)
Component: RPM Packages => Security
Source RPM: libgd-2.2.5-7.mga8.src.rpm => libgd-2.2.5-5.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
QA Contact: (none) => security
CC: (none) => nicolas.salguero
Version: Cauldron => 7

Nicolas Salguero 2020-03-06 09:48:43 CET

Assignee: bugsquad => qa-bugs

Thomas Backlund 2020-03-06 22:54:17 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 2 Len Lawrence 2020-03-08 03:37:27 CET
Taking this one on for x86_64.  Later.  Need sleep.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-03-08 17:08:12 CET
mga7, x86_64

Before updates:

$ printf "23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a" | xxd -r -p - github_bug_501.xbm
$ cat bug_501.c
#include "gd.h"
#include <stdio.h>

int main() {
    gdImagePtr im;
    FILE *xbm_in;

    xbm_in = fopen("github_bug_501.xbm", "rb");
    im = gdImageCreateFromXbm(xbm_in);

$ gcc -o bug_501 -lgd bug_501.c
$ ./bug_501
GD Warning: EOF before image was completeSegmentation fault (core dumped)

Updated the four packages.
Recompiled the PoC file and ran it:
$ ./bug_501
GD Warning: invalid XBMSegmentation fault (core dumped)

The warning message seems appropriate but the error is not handled tidily.

Utility tests:
This library has been tested fairly recently; referring to bug 26220.

$ pngtogd imlib2.png imlib2.gd
$ file imlib2.gd
imlib2.gd: data
$ pngtogd2 imlib2.png imlib2.gd2 2048 1
$ ll imlib2*
-rw-r--r-- 1 lcl lcl 480011 Mar  8 15:44 imlib2.gd
-rw-r--r-- 1 lcl lcl 480023 Mar  8 15:47 imlib2.gd2
-rw-r--r-- 1 lcl lcl  53192 Apr 29  2013 imlib2.png
$ od -xa imlib2.gd | less
0000000    feff    9001    2c01    ff01    ffff    00ff    5b0c    0091
        del   ~ soh dle soh   , soh del del del del nul  ff   [ dc1 nul
$ od -xa imlib2.gd2 | less
0000000    6467    0032    0200    9001    2c01    0008    0300    0100
          g   d   2 nul nul stx soh dle soh   ,  bs nul nul etx nul soh

$ eom imlib2b.png
Looks the same as the original although the binaries differ.

$ gdparttopng imlib2.gd2 extract.png 30 20 350 260
Extracting from (30, 20), size is 350x260
$ display extract.png
The extract is the original with a border removed.
The help is still misleading:
$ gdparttopng --help
Usage: gdparttopng filename.gd filename.png x y w h
$ gdparttopng imlib2.gd extract.png 30 20 350 260
Extracting from (30, 20), size is 350x260
Input is not in GD2 format!

Enough for this update.

Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-03-08 21:48:57 CET

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2020-03-08 23:39:06 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.