Univention Bugzilla – Bug 41209
libgd2: multiple issues (4.1)
Last modified: 2016-09-29 17:10:13 CEST
+++ This bug was initially created as a clone of Bug #41208 +++ Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u2 fixes this issue: * Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (CVE-2016-3074) In Debian libgd2 is used by php5.
libgd2 2.0.36~rc1~dfsg-6.1+deb7u2 was imported and built in scope errata4.1-1. Advisory: r69191
OK: ucr set repository/online/unmaintained=yes univention-install -qq git php5-gd python-pip python-requests pip install --upgrade requests git clone https://github.com/dyntopia/exploits.git cp exploits/CVE-2016-3074/upload.php /var/www/ iptables -P INPUT ACCEPT iptables -F INPUT python exploits/CVE-2016-3074/exploit.py --bind-port 5555 http://127.0.0.1/upload.php (gdb) bt #0 0x00007f5d8b547390 in _int_free (av=0x7f5d8b858e40, p=0x55e2ae70d220) at malloc.c:5002 #1 0x00007f5d8b54a95c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738 #2 0x00007f5d8076e0f5 in gdImageCreateFromGd2Ctx () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #3 0x00007f5d8076e1de in gdImageCreateFromGd2 () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #4 0x00007f5d809b00a9 in ?? () from /usr/lib/php5/20100525/gd.so #5 0x00007f5d87d354c1 in ?? () from /usr/lib/apache2/modules/libphp5.so #6 0x00007f5d87ceee77 in execute () from /usr/lib/apache2/modules/libphp5.so #7 0x00007f5d87c8d8cc in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so #8 0x00007f5d87c2d143 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so #9 0x00007f5d87d37bda in ?? () from /usr/lib/apache2/modules/libphp5.so #10 0x000055e2acd2fb10 in ap_run_handler (r=0x7f5d876c90a0) at config.c:159 #11 0x000055e2acd2ff5b in ap_invoke_handler (r=r@entry=0x7f5d876c90a0) at config.c:377 #12 0x000055e2acd3fec8 in ap_process_request (r=r@entry=0x7f5d876c90a0) at http_request.c:282 #13 0x000055e2acd3cd48 in ap_process_http_connection (c=0x7f5d8a250290) at http_core.c:190 #14 0x000055e2acd36280 in ap_run_process_connection (c=0x7f5d8a250290) at connection.c:43 #15 0x000055e2acd36638 in ap_process_connection (c=c@entry=0x7f5d8a250290, csd=<optimized out>) at connection.c:190 #16 0x000055e2acd4469e in child_main (child_num_arg=child_num_arg@entry=4) at prefork.c:667 #17 0x000055e2acd44df2 in make_child (slot=4, s=0x7f5d8c317818) at prefork.c:768 #18 make_child (s=0x7f5d8c317818, slot=4) at prefork.c:696 #19 0x000055e2acd44e96 in startup_children (number_to_start=1) at prefork.c:786 #20 0x000055e2acd457f5 in ap_mpm_run (_pconf=_pconf@entry=0x7f5d8c321028, plog=<optimized out>, s=s@entry=0x7f5d8c317818) at prefork.c:1007 #21 0x000055e2acd1a7a0 in main (argc=3, argv=0x7ffd0e7a8448) at main.c:755 OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i' /etc/init.d/apache2 restart OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz CVE-2016-3074 OK: dpkg-query -W libgd2\* # 2.0.36~rc1~dfsg-6.1.35.201605091028 OK: SELECT binpkg,binver,site,major,minor,patch,scope FROM binpkg WHERE binpkg='libgd2-xpm' AND major=4 AND site='apt' ORDER BY srcver ASC; FIXED: errata-announce -V --only libgd2.yaml r69401 | Bug #41209 QA: libgdb2 YAML
Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u3 fixes this issue: * Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874)
libgd2 2.0.36~rc1~dfsg-6.1+deb7u3 was imported and built in scope errata4.1-2. Advisory: r69497
OK: php5 -r '$im=imagecreatetruecolor(20,20);$c=imagecolorallocate($im,255,0,0);imagefilltoborder($im,0,-999355,$c,$c);' OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i' OK: dpkg-query -W libgd2-xpm # 2.0.36~rc1~dfsg-6.1.39.201605240918 OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz OK: errata-announce -V --only libgd2.yaml FIXED: libgd2.yaml r69499 | Bug #41209: libgd2 YAML
<http://errata.software-univention.de/ucs/4.1/184.html>