Bug 41209

Summary: libgd2: multiple issues (4.1)
Product: UCS Reporter: Arvid Requate <requate>
Component: Security updatesAssignee: Daniel Tröder <troeder>
Status: CLOSED FIXED QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P2 CC: gohmann, requate, walkenhorst
Version: UCS 4.1Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-2-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:    
Bug Blocks: 41208    

Description Arvid Requate univentionstaff 2016-05-04 20:11:32 CEST 
+++ This bug was initially created as a clone of Bug #41208 +++

Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u2 fixes this issue:

* Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (CVE-2016-3074)

In Debian libgd2 is used by php5.
Comment 1 Daniel Tröder univentionstaff 2016-05-09 10:40:09 CEST 
libgd2 2.0.36~rc1~dfsg-6.1+deb7u2 was imported and built in scope errata4.1-1.
Advisory: r69191
Comment 2 Philipp Hahn univentionstaff 2016-05-19 13:52:17 CEST 
OK:
 ucr set repository/online/unmaintained=yes
 univention-install -qq git php5-gd python-pip python-requests
 pip install --upgrade requests
 git clone https://github.com/dyntopia/exploits.git
 cp exploits/CVE-2016-3074/upload.php /var/www/
 iptables -P INPUT ACCEPT
 iptables -F INPUT
 python exploits/CVE-2016-3074/exploit.py --bind-port 5555 http://127.0.0.1/upload.php
(gdb) bt
#0  0x00007f5d8b547390 in _int_free (av=0x7f5d8b858e40, p=0x55e2ae70d220) at malloc.c:5002
#1  0x00007f5d8b54a95c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
#2  0x00007f5d8076e0f5 in gdImageCreateFromGd2Ctx () from /usr/lib/x86_64-linux-gnu/libgd.so.2
#3  0x00007f5d8076e1de in gdImageCreateFromGd2 () from /usr/lib/x86_64-linux-gnu/libgd.so.2
#4  0x00007f5d809b00a9 in ?? () from /usr/lib/php5/20100525/gd.so
#5  0x00007f5d87d354c1 in ?? () from /usr/lib/apache2/modules/libphp5.so
#6  0x00007f5d87ceee77 in execute () from /usr/lib/apache2/modules/libphp5.so
#7  0x00007f5d87c8d8cc in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so
#8  0x00007f5d87c2d143 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so
#9  0x00007f5d87d37bda in ?? () from /usr/lib/apache2/modules/libphp5.so
#10 0x000055e2acd2fb10 in ap_run_handler (r=0x7f5d876c90a0) at config.c:159
#11 0x000055e2acd2ff5b in ap_invoke_handler (r=r@entry=0x7f5d876c90a0) at config.c:377
#12 0x000055e2acd3fec8 in ap_process_request (r=r@entry=0x7f5d876c90a0) at http_request.c:282
#13 0x000055e2acd3cd48 in ap_process_http_connection (c=0x7f5d8a250290) at http_core.c:190
#14 0x000055e2acd36280 in ap_run_process_connection (c=0x7f5d8a250290) at connection.c:43
#15 0x000055e2acd36638 in ap_process_connection (c=c@entry=0x7f5d8a250290, csd=<optimized out>) at connection.c:190
#16 0x000055e2acd4469e in child_main (child_num_arg=child_num_arg@entry=4) at prefork.c:667
#17 0x000055e2acd44df2 in make_child (slot=4, s=0x7f5d8c317818) at prefork.c:768
#18 make_child (s=0x7f5d8c317818, slot=4) at prefork.c:696
#19 0x000055e2acd44e96 in startup_children (number_to_start=1) at prefork.c:786
#20 0x000055e2acd457f5 in ap_mpm_run (_pconf=_pconf@entry=0x7f5d8c321028, plog=<optimized out>, s=s@entry=0x7f5d8c317818) at prefork.c:1007
#21 0x000055e2acd1a7a0 in main (argc=3, argv=0x7ffd0e7a8448) at main.c:755

OK:
 DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i'
 /etc/init.d/apache2 restart

OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz
 CVE-2016-3074

OK: dpkg-query -W libgd2\* # 2.0.36~rc1~dfsg-6.1.35.201605091028

OK: SELECT binpkg,binver,site,major,minor,patch,scope FROM binpkg WHERE binpkg='libgd2-xpm' AND major=4 AND site='apt' ORDER BY srcver ASC;

FIXED: errata-announce -V --only libgd2.yaml
 r69401 | Bug #41209 QA: libgdb2 YAML
Comment 3 Arvid Requate univentionstaff 2016-05-23 19:23:33 CEST 
Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u3 fixes this issue:

* Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874)
Comment 4 Daniel Tröder univentionstaff 2016-05-24 09:24:00 CEST 
libgd2 2.0.36~rc1~dfsg-6.1+deb7u3 was imported and built in scope errata4.1-2.
Advisory: r69497
Comment 5 Philipp Hahn univentionstaff 2016-05-24 10:19:02 CEST 
OK: php5 -r '$im=imagecreatetruecolor(20,20);$c=imagecolorallocate($im,255,0,0);imagefilltoborder($im,0,-999355,$c,$c);'
OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i'
OK: dpkg-query -W libgd2-xpm # 2.0.36~rc1~dfsg-6.1.39.201605240918
OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz
OK: errata-announce -V --only libgd2.yaml
FIXED: libgd2.yaml
 r69499 | Bug #41209: libgd2 YAML
Comment 6 Janek Walkenhorst univentionstaff 2016-05-27 13:45:18 CEST 
<http://errata.software-univention.de/ucs/4.1/184.html>