Univention Bugzilla – Bug 41208
libgd2: multiple issues (4.0)
Last modified: 2016-09-29 17:10:14 CEST
Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u2 fixes this issue: * Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (CVE-2016-3074) In Debian libgd2 is used by php5.
libgd2 2.0.36~rc1~dfsg-6.1+deb7u2 was imported and built in scope errata4.0-5. Advisory: r69190
OK: ucr set repository/online/unmaintained=yes univention-install -qq git php5-gd python-pip python-requests pip install --upgrade requests git clone https://github.com/dyntopia/exploits.git cp exploits/CVE-2016-3074/upload.php /var/www/ iptables -P INPUT ACCEPT iptables -F INPUT python exploits/CVE-2016-3074/exploit.py --bind-port 5555 http://127.0.0.1/upload.php (gdb) bt #0 0x00007f5d8b547390 in _int_free (av=0x7f5d8b858e40, p=0x55e2ae70d220) at malloc.c:5002 #1 0x00007f5d8b54a95c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738 #2 0x00007f5d8076e0f5 in gdImageCreateFromGd2Ctx () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #3 0x00007f5d8076e1de in gdImageCreateFromGd2 () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #4 0x00007f5d809b00a9 in ?? () from /usr/lib/php5/20100525/gd.so #5 0x00007f5d87d354c1 in ?? () from /usr/lib/apache2/modules/libphp5.so #6 0x00007f5d87ceee77 in execute () from /usr/lib/apache2/modules/libphp5.so #7 0x00007f5d87c8d8cc in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so #8 0x00007f5d87c2d143 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so #9 0x00007f5d87d37bda in ?? () from /usr/lib/apache2/modules/libphp5.so #10 0x000055e2acd2fb10 in ap_run_handler (r=0x7f5d876c90a0) at config.c:159 #11 0x000055e2acd2ff5b in ap_invoke_handler (r=r@entry=0x7f5d876c90a0) at config.c:377 #12 0x000055e2acd3fec8 in ap_process_request (r=r@entry=0x7f5d876c90a0) at http_request.c:282 #13 0x000055e2acd3cd48 in ap_process_http_connection (c=0x7f5d8a250290) at http_core.c:190 #14 0x000055e2acd36280 in ap_run_process_connection (c=0x7f5d8a250290) at connection.c:43 #15 0x000055e2acd36638 in ap_process_connection (c=c@entry=0x7f5d8a250290, csd=<optimized out>) at connection.c:190 #16 0x000055e2acd4469e in child_main (child_num_arg=child_num_arg@entry=4) at prefork.c:667 #17 0x000055e2acd44df2 in make_child (slot=4, s=0x7f5d8c317818) at prefork.c:768 #18 make_child (s=0x7f5d8c317818, slot=4) at prefork.c:696 #19 0x000055e2acd44e96 in startup_children (number_to_start=1) at prefork.c:786 #20 0x000055e2acd457f5 in ap_mpm_run (_pconf=_pconf@entry=0x7f5d8c321028, plog=<optimized out>, s=s@entry=0x7f5d8c317818) at prefork.c:1007 #21 0x000055e2acd1a7a0 in main (argc=3, argv=0x7ffd0e7a8448) at main.c:755 OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i' /etc/init.d/apache2 restart OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz Univention Bugzilla – Bug 41208 libgd2: multiple issues (4.0) Last modified: 2016-05-09 15:29:43 CEST Home | New | Browse | Search | Search [?] | Reports | My Requests | Preferences | Administration | Help | Log out hahn@univention.de Bug List: (1 of 2) First Last Prev Next Show last search results Save Changes Bug 41208 - libgd2: multiple issues (4.0) (edit) Status: RESOLVED FIXED (edit) Product: Component: Version: Hardware: Importance: (vote) Target Milestone: Assigned To: Daniel Tröder (edit) (take) QA Contact: Philipp Hahn (edit) URL: Keywords: Tags: Depends on: 41209 (edit) Blocks: Show dependency tree / graph Reported: 2016-05-04 20:10 CEST by Arvid Requate Modified: 2016-05-09 15:29 CEST (History) CC List: Add me to CC list 3 users (edit) See Also: (add) Customer ID: 000060000900021000260004500063000880011700713013270150501700019380199701997_IN80220902302024840249005520063400666307142072760731207317076970828108418085050850709407097110975309801099361009710643118181185013588137291381515607170942169931092 Bug group (optional): API changeBrowser compatibilityCleanupDesignError handlingExternal feedbackForked for projectFurther conceptual developmentInternationalizationIPv6Large environmentsMobile devices/tabletsRelease GoalRoadmap discussionRoadmap discussion (moved)SAMLSecurityTroubleshootingTypo/text changesU@S: Administrational DCUCS PerformanceUsability Flags: requate: Patch_Available Attachments Add an attachment (proposed patch, testcase, etc.) Additional Comments: OK: ucr set repository/online/unmaintained=yes univention-install -qq git php5-gd python-pip python-requests pip install --upgrade requests git clone https://github.com/dyntopia/exploits.git cp exploits/CVE-2016-3074/upload.php /var/www/ iptables -P INPUT ACCEPT iptables -F INPUT python exploits/CVE-2016-3074/exploit.py --bind-port 5555 http://127.0.0.1/upload.php (gdb) bt #0 0x00007f5d8b547390 in _int_free (av=0x7f5d8b858e40, p=0x55e2ae70d220) at malloc.c:5002 #1 0x00007f5d8b54a95c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738 #2 0x00007f5d8076e0f5 in gdImageCreateFromGd2Ctx () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #3 0x00007f5d8076e1de in gdImageCreateFromGd2 () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #4 0x00007f5d809b00a9 in ?? () from /usr/lib/php5/20100525/gd.so #5 0x00007f5d87d354c1 in ?? () from /usr/lib/apache2/modules/libphp5.so #6 0x00007f5d87ceee77 in execute () from /usr/lib/apache2/modules/libphp5.so #7 0x00007f5d87c8d8cc in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so #8 0x00007f5d87c2d143 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so #9 0x00007f5d87d37bda in ?? () from /usr/lib/apache2/modules/libphp5.so #10 0x000055e2acd2fb10 in ap_run_handler (r=0x7f5d876c90a0) at config.c:159 #11 0x000055e2acd2ff5b in ap_invoke_handler (r=r@entry=0x7f5d876c90a0) at config.c:377 #12 0x000055e2acd3fec8 in ap_process_request (r=r@entry=0x7f5d876c90a0) at http_request.c:282 #13 0x000055e2acd3cd48 in ap_process_http_connection (c=0x7f5d8a250290) at http_core.c:190 #14 0x000055e2acd36280 in ap_run_process_connection (c=0x7f5d8a250290) at connection.c:43 #15 0x000055e2acd36638 in ap_process_connection (c=c@entry=0x7f5d8a250290, csd=<optimized out>) at connection.c:190 #16 0x000055e2acd4469e in child_main (child_num_arg=child_num_arg@entry=4) at prefork.c:667 #17 0x000055e2acd44df2 in make_child (slot=4, s=0x7f5d8c317818) at prefork.c:768 #18 make_child (s=0x7f5d8c317818, slot=4) at prefork.c:696 #19 0x000055e2acd44e96 in startup_children (number_to_start=1) at prefork.c:786 #20 0x000055e2acd457f5 in ap_mpm_run (_pconf=_pconf@entry=0x7f5d8c321028, plog=<optimized out>, s=s@entry=0x7f5d8c317818) at prefork.c:1007 #21 0x000055e2acd1a7a0 in main (argc=3, argv=0x7ffd0e7a8448) at main.c:755 OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i' /etc/init.d/apache2 restart OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz CVE-2016-3074 OK: dpkg-query -W libgd2\* # 2.0.36~rc1~dfsg-6.1.34.201605091025 OK: SELECT binpkg,binver,site,major,minor,patch,scope FROM binpkg WHERE binpkg='libgd2-xpm' AND major=4 AND site='apt' ORDER BY srcver ASC; OK: errata-announce -V --only libgd2.yaml Save Changes Status: Mark as Duplicate Only users in all of the selected groups can view this bug: Unchecking all boxes makes this a more public bug. Univention staff [reply] [−] Description Arvid Requate univentionstaff 2016-05-04 20:10:16 CEST Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u2 fixes this issue: * Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (CVE-2016-3074) In Debian libgd2 is used by php5. [reply] [−] Comment 1 Daniel Tröder univentionstaff 2016-05-09 10:39:56 CEST libgd2 2.0.36~rc1~dfsg-6.1+deb7u2 was imported and built in scope errata4.0-5. Advisory: r69190 Add Comment Collapse All Comments Expand All Comments Format For Printing - XML - Clone This Bug - Top of page Bug List: (1 of 2) First Last Prev Next Show last search results Home | New | Browse | Search | Search [?] | Reports | My Requests | Preferences | Administration | Help | Log out hahn@univention.de My Bugs | d-i | Doc | ES24 | ES31 | Listener | OLB | patchy | PendingDoc | PendingQA | QA | RepoNG | Today | TODO | TopVotes | UVMM Univention Bugzilla – Bug 41208 libgd2: multiple issues (4.0) Last modified: 2016-05-09 15:29:43 CEST Home | New | Browse | Search | Search [?] | Reports | My Requests | Preferences | Administration | Help | Log out hahn@univention.de Bug List: (1 of 2) First Last Prev Next Show last search results Save Changes Bug 41208 - libgd2: multiple issues (4.0) (edit) Status: RESOLVED FIXED (edit) Product: Component: Version: Hardware: Importance: (vote) Target Milestone: Assigned To: Daniel Tröder (edit) (take) QA Contact: Philipp Hahn (edit) URL: Keywords: Tags: Depends on: 41209 (edit) Blocks: Show dependency tree / graph Reported: 2016-05-04 20:10 CEST by Arvid Requate Modified: 2016-05-09 15:29 CEST (History) CC List: Add me to CC list 3 users (edit) See Also: (add) Customer ID: 000060000900021000260004500063000880011700713013270150501700019380199701997_IN80220902302024840249005520063400666307142072760731207317076970828108418085050850709407097110975309801099361009710643118181185013588137291381515607170942169931092 Bug group (optional): API changeBrowser compatibilityCleanupDesignError handlingExternal feedbackForked for projectFurther conceptual developmentInternationalizationIPv6Large environmentsMobile devices/tabletsRelease GoalRoadmap discussionRoadmap discussion (moved)SAMLSecurityTroubleshootingTypo/text changesU@S: Administrational DCUCS PerformanceUsability Flags: requate: Patch_Available Attachments Add an attachment (proposed patch, testcase, etc.) Additional Comments: OK: ucr set repository/online/unmaintained=yes univention-install -qq git php5-gd python-pip python-requests pip install --upgrade requests git clone https://github.com/dyntopia/exploits.git cp exploits/CVE-2016-3074/upload.php /var/www/ iptables -P INPUT ACCEPT iptables -F INPUT python exploits/CVE-2016-3074/exploit.py --bind-port 5555 http://127.0.0.1/upload.php (gdb) bt #0 0x00007f5d8b547390 in _int_free (av=0x7f5d8b858e40, p=0x55e2ae70d220) at malloc.c:5002 #1 0x00007f5d8b54a95c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738 #2 0x00007f5d8076e0f5 in gdImageCreateFromGd2Ctx () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #3 0x00007f5d8076e1de in gdImageCreateFromGd2 () from /usr/lib/x86_64-linux-gnu/libgd.so.2 #4 0x00007f5d809b00a9 in ?? () from /usr/lib/php5/20100525/gd.so #5 0x00007f5d87d354c1 in ?? () from /usr/lib/apache2/modules/libphp5.so #6 0x00007f5d87ceee77 in execute () from /usr/lib/apache2/modules/libphp5.so #7 0x00007f5d87c8d8cc in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so #8 0x00007f5d87c2d143 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so #9 0x00007f5d87d37bda in ?? () from /usr/lib/apache2/modules/libphp5.so #10 0x000055e2acd2fb10 in ap_run_handler (r=0x7f5d876c90a0) at config.c:159 #11 0x000055e2acd2ff5b in ap_invoke_handler (r=r@entry=0x7f5d876c90a0) at config.c:377 #12 0x000055e2acd3fec8 in ap_process_request (r=r@entry=0x7f5d876c90a0) at http_request.c:282 #13 0x000055e2acd3cd48 in ap_process_http_connection (c=0x7f5d8a250290) at http_core.c:190 #14 0x000055e2acd36280 in ap_run_process_connection (c=0x7f5d8a250290) at connection.c:43 #15 0x000055e2acd36638 in ap_process_connection (c=c@entry=0x7f5d8a250290, csd=<optimized out>) at connection.c:190 #16 0x000055e2acd4469e in child_main (child_num_arg=child_num_arg@entry=4) at prefork.c:667 #17 0x000055e2acd44df2 in make_child (slot=4, s=0x7f5d8c317818) at prefork.c:768 #18 make_child (s=0x7f5d8c317818, slot=4) at prefork.c:696 #19 0x000055e2acd44e96 in startup_children (number_to_start=1) at prefork.c:786 #20 0x000055e2acd457f5 in ap_mpm_run (_pconf=_pconf@entry=0x7f5d8c321028, plog=<optimized out>, s=s@entry=0x7f5d8c317818) at prefork.c:1007 #21 0x000055e2acd1a7a0 in main (argc=3, argv=0x7ffd0e7a8448) at main.c:755 OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i' /etc/init.d/apache2 restart OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz CVE-2016-3074 OK: dpkg-query -W libgd2\* # 2.0.36~rc1~dfsg-6.1.34.201605091025 OK: SELECT binpkg,binver,site,major,minor,patch,scope FROM binpkg WHERE binpkg='libgd2-xpm' AND major=4 AND site='apt' ORDER BY srcver ASC; OK: errata-announce -V --only libgd2.yaml Save Changes Status: Mark as Duplicate Only users in all of the selected groups can view this bug: Unchecking all boxes makes this a more public bug. Univention staff [reply] [−] Description Arvid Requate univentionstaff 2016-05-04 20:10:16 CEST Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u2 fixes this issue: * Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (CVE-2016-3074) In Debian libgd2 is used by php5. [reply] [−] Comment 1 Daniel Tröder univentionstaff 2016-05-09 10:39:56 CEST libgd2 2.0.36~rc1~dfsg-6.1+deb7u2 was imported and built in scope errata4.0-5. Advisory: r69190 Add Comment Collapse All Comments Expand All Comments Format For Printing - XML - Clone This Bug - Top of page Bug List: (1 of 2) First Last Prev Next Show last search results Home | New | Browse | Search | Search [?] | Reports | My Requests | Preferences | Administration | Help | Log out hahn@univention.de My Bugs | d-i | Doc | ES24 | ES31 | Listener | OLB | patchy | PendingDoc | PendingQA | QA | RepoNG | Today | TODO | TopVotes | UVMM CVE-2016-3074 OK: dpkg-query -W libgd2\* # 2.0.36~rc1~dfsg-6.1.34.201605091025 OK: SELECT binpkg,binver,site,major,minor,patch,scope FROM binpkg WHERE binpkg='libgd2-xpm' AND major=4 AND site='apt' ORDER BY srcver ASC; OK: errata-announce -V --only libgd2.yaml
Upstream Debian package version 2.0.36~rc1~dfsg-6.1+deb7u3 fixes this issue: * Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874)
libgd2 2.0.36~rc1~dfsg-6.1+deb7u3 was imported and built in scope errata4.0-5. Advisory: r69496
OK: php5 -r '$im=imagecreatetruecolor(20,20);$c=imagecolorallocate($im,255,0,0);imagefilltoborder($im,0,-999355,$c,$c);' OK: DEBIAN_FRONTEND=noninteractive aptitude install -y -q '?source-package(libgd2)~i' OK: dpkg-query -W libgd2-xpm # 2.0.36~rc1~dfsg-6.1.38.201605240916 OK: zless /usr/share/doc/libgd2-xpm/changelog.Debian.gz OK: errata-announce -V --only libgd2.yaml FIXED: libgd2.yaml r69500 | Bug #41208: libgd2 YAML
<http://errata.software-univention.de/ucs/4.0/425.html>