Bug 29448 - libgd new security issues CVE-2021-38115 and CVE-2021-40145
Summary: libgd new security issues CVE-2021-38115 and CVE-2021-40145
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-09-08 22:41 CEST by David Walser
Modified: 2021-09-10 13:46 CEST (History)
4 users (show)

See Also:
Source RPM: libgd-2.3.1-1.mga8.src.rpm
CVE: CVE-2021-38115, CVE-2021-40145
Status comment:


Attachments

Description David Walser 2021-09-08 22:41:51 CEST
Ubuntu has issued an advisory today (September 8):
https://ubuntu.com/security/notices/USN-5068-1

Mageia 8 is also affected.
David Walser 2021-09-08 22:42:06 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Ubuntu
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2021-09-09 11:50:41 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file. (CVE-2021-38115)

gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. (CVE-2021-40145)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40145
https://ubuntu.com/security/notices/USN-5068-1
========================

Updated packages in core/updates_testing:
========================
gd-utils-2.3.1-1.1.mga8
lib(64)gd3-2.3.1-1.1.mga8
lib(64)gd-devel-2.3.1-1.1.mga8
lib(64)gd-static-devel-2.3.1-1.1.mga8

from SRPM:
libgd-2.3.1-1.1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2021-38115, CVE-2021-40145
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Patches available from Ubuntu => (none)
Status: NEW => ASSIGNED

Comment 2 Len Lawrence 2021-09-09 18:44:53 CEST
mga8, x64

CVE-2021-38115
https://github.com/libgd/libgd/issues/697
Downloaded the test payload.
Hopefully bug00084.c is the correct test script.
https://fossies.org/linux/libgd/tests/tga/bug00084.c
Unfortunately the gdtest.h include file does not exist here so the compilation fails.

CVE-2021-40145
https://github.com/libgd/libgd/issues/700
The discussion of memory leak tests here is somewhat confusing.  It is not clear if the suggested tests are effective or not.  One of them requires a special JPEG file but there is no link.

https://github.com/libgd/libgd/tree/master/examples
Provides code examples of use of library functions.

Updated the four packages.

$ urpmf gd-utils | grep bin
gd-utils:/usr/bin/annotate
gd-utils:/usr/bin/bdftogd
gd-utils:/usr/bin/gd2copypal
gd-utils:/usr/bin/gd2togif
gd-utils:/usr/bin/gd2topng
gd-utils:/usr/bin/gdcmpgif
gd-utils:/usr/bin/gdparttopng
gd-utils:/usr/bin/gdtopng
gd-utils:/usr/bin/giftogd2
gd-utils:/usr/bin/pngtogd
gd-utils:/usr/bin/pngtogd2
gd-utils:/usr/bin/webpng

gnuplot uses libgd3 - downloaded a couple of files from http://www.gnuplot.info/demo/

$ strace -o plot.trace gnuplot -c rgb_variable.7.gnu
$ grep libgd plot.trace
openat(AT_FDCWD, "/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgdk-3.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgdk_pixbuf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
getcwd("/home/lcl/qa/libgd", 4096)      = 19

The plot was displayed momentarily.  Could not figure out how to keep it on screen.  It remained longer with strace.  It works anyway.

$ pngtogd jessica_big.png jessica1.gd
$ pngtogd2 jessica_big.png jessica1.gd2 2048 1
$ gd2togif jessica1.gd2 jessica1.gif
$ eom jessica1.gif
$ gdtopng jessica1.gd jessica1.png
$ ll jessica1*
-rw-r--r-- 1 lcl lcl 4300811 Sep  9 17:17 jessica1.gd
-rw-r--r-- 1 lcl lcl 4300823 Sep  9 17:22 jessica1.gd2
-rw-r--r-- 1 lcl lcl  585943 Sep  9 17:23 jessica1.gif
-rw-r--r-- 1 lcl lcl  947010 Sep  9 17:27 jessica1.png

Input and output images look identical.

$ gdparttopng jessica1.gd2 extract.png 200 271 600 642
Extracting from (200, 271), size is 600x642
$ eom extract.png
The extracted sample matches the original where expected.  The lower edge was deliberately set too high - resulting in a black border underneath.

The report on bug 26220 notes that gd files did not work with extract, but they do now.
$ gdparttopng jessica1.gd2 extract1.png 200 271 600 642
Extracting from (200, 271), size is 600x642

This should be good enough.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 Thomas Andrews 2021-09-10 13:46:56 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs


Note You need to log in before you can comment on or make changes to this bug.