Bug 41209 – libgd2: multiple issues (4.1)

Bug 41209 - libgd2: multiple issues (4.1)


Summary:	libgd2: multiple issues (4.1)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P2 normal (vote)
Target Milestone:	UCS 4.1-2-errata
Assigned To:	Daniel Tröder
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:	41208
	Show dependency tree / graph

Reported:	2016-05-04 20:11 CEST by Arvid Requate
Modified:	2016-09-29 17:10 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-05-04 20:11:32 CEST

+++ This bug was initially created as a clone of Bug #41208 +++

Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u2 fixes this issue:

* Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (CVE-2016-3074)

In Debian libgd2 is used by php5.

Comment 1 Daniel Tröder

2016-05-09 10:40:09 CEST

libgd2 2.0.36~rc1~dfsg-6.1+deb7u2 was imported and built in scope errata4.1-1.
Advisory: r69191

Comment 2 Philipp Hahn

2016-05-19 13:52:17 CEST

OK:
 ucr set repository/online/unmaintained=yes
 univention-install -qq git php5-gd python-pip python-requests
 pip install --upgrade requests
 git clone https://github.com/dyntopia/exploits.git
 cp exploits/CVE-2016-3074/upload.php /var/www/
 iptables -P INPUT ACCEPT
 iptables -F INPUT
 python exploits/CVE-2016-3074/exploit.py --bind-port 5555 http://127.0.0.1/upload.php
(gdb) bt
#0  0x00007f5d8b547390 in _int_free (av=0x7f5d8b858e40, p=0x55e2ae70d220) at malloc.c:5002
#1  0x00007f5d8b54a95c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
#2  0x00007f5d8076e0f5 in gdImageCreateFromGd2Ctx () from /usr/lib/x86_64-linux-gnu/libgd.so.2
#3  0x00007f5d8076e1de in gdImageCreateFromGd2 () from /usr/lib/x86_64-linux-gnu/libgd.so.2
#4  0x00007f5d809b00a9 in ?? () from /usr/lib/php5/20100525/gd.so
#5  0x00007f5d87d354c1 in ?? () from /usr/lib/apache2/modules/libphp5.so
#6  0x00007f5d87ceee77 in execute () from /usr/lib/apache2/modules/libphp5.so
#7  0x00007f5d87c8d8cc in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so
#8  0x00007f5d87c2d143 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so
#9  0x00007f5d87d37bda in ?? () from /usr/lib/apache2/modules/libphp5.so
#10 0x000055e2acd2fb10 in ap_run_handler (r=0x7f5d876c90a0) at config.c:159
#11 0x000055e2acd2ff5b in ap_invoke_handler (r=r@entry=0x7f5d876c90a0) at config.c:377
#12 0x000055e2acd3fec8 in ap_process_request (r=r@entry=0x7f5d876c90a0) at http_request.c:282
#13 0x000055e2acd3cd48 in ap_process_http_connection (c=0x7f5d8a250290) at http_core.c:190
#14 0x000055e2acd36280 in ap_run_process_connection (c=0x7f5d8a250290) at connection.c:43
#15 0x000055e2acd36638 in ap_process_connection (c=c@entry=0x7f5d8a250290, csd=<optimized out>) at connection.c:190
#16 0x000055e2acd4469e in child_main (child_num_arg=child_num_arg@entry=4) at prefork.c:667
#17 0x000055e2acd44df2 in make_child (slot=4, s=0x7f5d8c317818) at prefork.c:768
#18 make_child (s=0x7f5d8c317818, slot=4) at prefork.c:696
#19 0x000055e2acd44e96 in startup_children (number_to_start=1) at prefork.c:786
#20 0x000055e2acd457f5 in ap_mpm_run (_pconf=_pconf@entry=0x7f5d8c321028, plog=<optimized out>, s=s@entry=0x7f5d8c317818) at prefork.c:1007
#21 0x000055e2acd1a7a0 in main (argc=3, argv=0x7ffd0e7a8448) at main.c:755

OK:
 DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i'
 /etc/init.d/apache2 restart

OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz
 CVE-2016-3074

OK: dpkg-query -W libgd2\* # 2.0.36~rc1~dfsg-6.1.35.201605091028

OK: SELECT binpkg,binver,site,major,minor,patch,scope FROM binpkg WHERE binpkg='libgd2-xpm' AND major=4 AND site='apt' ORDER BY srcver ASC;

FIXED: errata-announce -V --only libgd2.yaml
 r69401 | Bug #41209 QA: libgdb2 YAML

Comment 3 Arvid Requate

2016-05-23 19:23:33 CEST

Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u3 fixes this issue:

* Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874)

Comment 4 Daniel Tröder

2016-05-24 09:24:00 CEST

libgd2 2.0.36~rc1~dfsg-6.1+deb7u3 was imported and built in scope errata4.1-2.
Advisory: r69497

Comment 5 Philipp Hahn

2016-05-24 10:19:02 CEST

OK: php5 -r '$im=imagecreatetruecolor(20,20);$c=imagecolorallocate($im,255,0,0);imagefilltoborder($im,0,-999355,$c,$c);'
OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i'
OK: dpkg-query -W libgd2-xpm # 2.0.36~rc1~dfsg-6.1.39.201605240918
OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz
OK: errata-announce -V --only libgd2.yaml
FIXED: libgd2.yaml
 r69499 | Bug #41209: libgd2 YAML

Comment 6 Janek Walkenhorst

2016-05-27 13:45:18 CEST

<http://errata.software-univention.de/ucs/4.1/184.html>