SUSE has issued an advisory today (March 5):
http://lists.suse.com/pipermail/sle-security-updates/2020-March/006579.html

The issue was fixed upstream in this commit:
https://github.com/libgd/libgd/commit/c76ed17aee1f88e1bf9b9fc2c9b29a9a462aa347

Mageia 7 is also affected.
Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA7TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code. (CVE-2019-11038)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
http://lists.suse.com/pipermail/sle-security-updates/2020-March/006579.html
========================

Updated packages in core/updates_testing:
========================
lib(64)gd3-2.2.5-5.2.mga7
lib(64)gd-devel-2.2.5-5.2.mga7
lib(64)gd-static-devel-2.2.5-5.2.mga7
gd-utils-2.2.5-5.2.mga7

from SRPMS:
libgd-2.2.5-5.2.mga7.src.rpm
CVE: (none) => CVE-2019-11038
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
Component: RPM Packages => Security
Source RPM: libgd-2.2.5-7.mga8.src.rpm => libgd-2.2.5-5.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
QA Contact: (none) => security
CC: (none) => nicolas.salguero
Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
CC: (none) => tmb
Keywords: (none) => advisory
Taking this one on for x86_64. Later. Need sleep.
CC: (none) => tarazed25
mga7, x86_64

Before updates:

CVE-2019-11038
https://github.com/libgd/libgd/issues/501

$ printf "23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a" | xxd -r -p - github_bug_501.xbm

$ cat bug_501.c
#include "gd.h"
#include <stdio.h>

int main()
{
    gdImagePtr im;
    FILE *xbm_in;

    xbm_in = fopen("github_bug_501.xbm", "rb");
    /* gdImageCreateFromXbm() returns NULL when it rejects the file */
    im = gdImageCreateFromXbm(xbm_in);
    fclose(xbm_in);
    /* no NULL check, so a rejected file still ends in a crash here */
    gdImageDestroy(im);
    return 0;
}

$ gcc -o bug_501 -lgd bug_501.c
$ ./bug_501
GD Warning: EOF before image was complete
Segmentation fault (core dumped)

Updated the four packages. Recompiled the PoC file and ran it:

$ ./bug_501
GD Warning: invalid XBM
Segmentation fault (core dumped)

The warning message seems appropriate but the error is not handled tidily.

Utility tests:

This library has been tested fairly recently; referring to bug 26220.

$ pngtogd imlib2.png imlib2.gd
$ file imlib2.gd
imlib2.gd: data
$ pngtogd2 imlib2.png imlib2.gd2 2048 1
$ ll imlib2*
-rw-r--r-- 1 lcl lcl 480011 Mar  8 15:44 imlib2.gd
-rw-r--r-- 1 lcl lcl 480023 Mar  8 15:47 imlib2.gd2
-rw-r--r-- 1 lcl lcl  53192 Apr 29  2013 imlib2.png
$ od -xa imlib2.gd | less
0000000 feff 9001 2c01 ff01 ffff 00ff 5b0c 0091
        del   ~ soh dle soh   , soh del del del del nul  ff   [ dc1 nul
$ od -xa imlib2.gd2 | less
0000000 6467 0032 0200 9001 2c01 0008 0300 0100
          g   d   2 nul nul stx soh dle soh   ,  bs nul nul etx nul soh
$ eom imlib2b.png
Looks the same as the original although the binaries differ.
$ gdparttopng imlib2.gd2 extract.png 30 20 350 260
Extracting from (30, 20), size is 350x260
$ display extract.png
The extract is the original with a border removed.

The help is still misleading:

$ gdparttopng --help
Usage: gdparttopng filename.gd filename.png x y w h
$ gdparttopng imlib2.gd extract.png 30 20 350 260
Extracting from (30, 20), size is 350x260
Input is not in GD2 format!

Enough for this update.
Whiteboard: (none) => MGA7-64-OK
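A simplified C model of the parsing step behind the advisory text and the QA reproducer above, added here as an illustration (it is not libgd's code and not part of this bug report): the unchecked sscanf() pattern that leaves a stale value in place, beside a reader that initializes, checks every conversion and rejects a truncated bits[] array. The sample input is constructed; it is the bug 501 reproducer decoded from the hex string in the comment above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: the bug 501 reproducer from this page, decoded from
 * hex. The bits[] array is short and holds a non-hex token. */
static const char *SAMPLE_BAD =
    "#define width 2\n#define height 2\nstatic char bits[] ={\nzzxzz";

/* The bug class, modelled deterministically: the sscanf() result is ignored,
 * so on a bad token the caller gets whatever b held before (the sentinel
 * stands in for leftover stack contents). */
unsigned int xbm_byte_unchecked(const char *token)
{
    unsigned int b = 0xEE;        /* stand-in for uninitialized memory */
    sscanf(token, "%x", &b);      /* return value ignored: the defect */
    return b;
}

#define XBM_MAX_BYTES 64
/* Hardened reader: stores the pixel bytes in out[] and returns how many,
 * or -1 on invalid or truncated input (out[] must then be ignored). */
int xbm_read(const char *xbm, int *width, int *height, unsigned char *out)
{
    int w = 0, h = 0, n = 0;
    if (sscanf(xbm, "#define %*s %d\n#define %*s %d", &w, &h) != 2) return -1;
    if (w <= 0 || h <= 0) return -1;
    int needed = h * ((w + 7) / 8);          /* XBM rows are byte padded */
    if (needed > XBM_MAX_BYTES) return -1;
    const char *p = strchr(xbm, '{');
    if (!p) return -1;
    p++;
    while (n < needed) {
        while (*p && (isspace((unsigned char)*p) || *p == ',')) p++;
        unsigned int b = 0;                  /* initialized, never stale */
        int used = 0;
        /* "zzxzz" or end of input here: no conversion, so reject */
        if (sscanf(p, "%x%n", &b, &used) != 1 || b > 0xff) return -1;
        out[n++] = (unsigned char)b;
        p += used;
    }
    *width = w; *height = h;
    return n;
}

/* Wrapper for callers that only need to validate a buffer. */
int xbm_pixel_bytes(const char *xbm)
{
    int w, h; unsigned char buf[XBM_MAX_BYTES];
    return xbm_read(xbm, &w, &h, buf);
}
```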
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0134.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED