Bug 48596 - libgd2: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
P3 normal
UCS 4.2-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2019-02-04 08:24 CET by Quality Assurance
Modified: 2019-02-06 12:55 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) NVD RedHat


Description Quality Assurance univentionstaff 2019-02-04 08:24:34 CET
New Debian libgd2 2.1.0-5+deb8u12 fixes:
This update addresses the following issues:
* Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c (CVE-2018-5711)
* Double free in src/gd_bump.c:gdImageBmpPtr() via crafted JPEG (CVE-2018-1000222)
* gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data. (CVE-2019-6977)
* The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected. (CVE-2019-6978)
Comment 1 Quality Assurance univentionstaff 2019-02-04 09:00:37 CET
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libgd2_2.1.0-5+deb8u11.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/libgd2_2.1.0-5+deb8u12.dsc
@@ -1,3 +1,18 @@
+2.1.0-5+deb8u12 [Wed, 30 Jan 2019 19:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2019-6977
+    Fix for potential double free in gdImage*Ptr() 
+  * CVE-2019-6978
+    Fix for a heap-based buffer overflow, exploitable with
+    crafted image data.
+  * CVE-2018-1000222
+    Fix for a double free vulnerability by a crafted image,
+    that can result in remote code execution. 
+  * CVE-2018-5711
+    Fix for a integer signedness error that leads to an
+    infinite loop via a crafted GIF file.
+
 2.1.0-5+deb8u11 [Thu, 31 Aug 2017 14:31:50 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * Non-maintainer upload by the Security Team.
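Review bot: The descriptions under CVE-2019-6977 and CVE-2019-6978 in the added 2.1.0-5+deb8u12 entry look swapped when compared with the bug description on this page, which gives CVE-2019-6977 as the heap-based buffer overflow in gdImageColorMatch and CVE-2019-6978 as the double free in the gdImage*Ptr() functions. The entry is the Debian LTS changelog carried over unchanged, so I would not edit it here, but the per-CVE wording in doc/errata/staging/libgd2.yaml should follow the CVE descriptions rather than this changelog text so the published erratum does not repeat the mix-up. Minor: "Fix for a integer signedness error" should read "an integer".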

<http://10.200.17.11/4.2-5/#1313933890487732393>
Comment 2 Philipp Hahn univentionstaff 2019-02-05 09:53:41 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] e562406233 Bug #48596: libgd2 2.1.0-5+deb8u12
 doc/errata/staging/libgd2.yaml | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

[4.2-5] 3507e26140 Bug #48596: libgd2 2.1.0-5+deb8u12
 doc/errata/staging/libgd2.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-02-06 12:55:59 CET
<http://errata.software-univention.de/ucs/4.2/593.html>