[pkg-GD-devel] Bug#822242: libgd2: CVE-2016-3074: Signedness vulnerability causing heap overflow
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 23 14:31:25 UTC 2016
Hi Ondrej and GD team,
On Fri, Apr 22, 2016 at 02:32:54PM +0200, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.1.1-4
> Severity: grave
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for libgd2.
>
> CVE-2016-3074[0]:
> Signedness vulnerability causing heap overflow
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-3074
> [1] https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
I prepared an upload for wheezy- and jessie-security, and attached is
a debdiff for sid as well.
I can upload to unstable with an NMU if needed as well.
Regards,
Salvatore
-------------- next part --------------
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/changelog libgd2-2.0.36~rc1~dfsg/debian/changelog
--- libgd2-2.0.36~rc1~dfsg/debian/changelog 2015-04-06 15:44:00.000000000 +0200
+++ libgd2-2.0.36~rc1~dfsg/debian/changelog 2016-04-23 16:14:32.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.0.36~rc1~dfsg-6.1+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2016-3074: Signedness vulnerability causing heap overflow
+ (Closes: #822242)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 23 Apr 2016 11:39:20 +0200
+
libgd2 (2.0.36~rc1~dfsg-6.1+deb7u1) wheezy-security; urgency=high
* Fix NULL pointer dereference when reading XPM files with a
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch
--- libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch 2016-04-23 16:14:32.000000000 +0200
@@ -0,0 +1,38 @@
+Description: gd2: handle corrupt images better (CVE-2016-3074)
+Origin: backport, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+Bug-Debian: https://bugs.debian.org/822242
+Forwarded: not-needed
+Author: Mike Frysinger <vapier at gentoo.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-04-23
+
+---
+
+--- a/gd_gd2.c
++++ b/gd_gd2.c
+@@ -178,12 +178,14 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ {
+ if (gdGetInt (&cidx[i].offset, in) != 1)
+ {
+- goto fail1;
++ goto fail2;
+ };
+ if (gdGetInt (&cidx[i].size, in) != 1)
+ {
+- goto fail1;
++ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
+@@ -192,6 +194,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+
+ return 1;
+
++fail2:
++ gdFree(cidx);
+ fail1:
+ return 0;
+ }
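Review bot: the added `cidx[i].offset < 0 || cidx[i].size < 0` guard only rejects negative values; nothing in this hunk bounds offset or size against the actual input, so whatever consumes the chunk index must still check that offset + size fits in the data (and that the sum cannot overflow int for a large positive size), otherwise the same out-of-bounds read survives with a different value. The patch Description should also say that this backport turns the two `goto fail1` on a short gdGetInt read into `goto fail2`, which now does `gdFree(cidx)` where the original returned 0 and leaked it; that leak fix is specific to this backport (2.1.x already has fail2) and deserves a sentence so it is not dropped on the next rebase.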
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/patches/series libgd2-2.0.36~rc1~dfsg/debian/patches/series
--- libgd2-2.0.36~rc1~dfsg/debian/patches/series 2015-04-06 15:44:00.000000000 +0200
+++ libgd2-2.0.36~rc1~dfsg/debian/patches/series 2016-04-23 16:14:32.000000000 +0200
@@ -4,3 +4,4 @@
0004_fix_fprint_string_formatting.patch
0005_CVE-2014-2497.patch
0006_CVE-2014-9709.patch
+0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch
-------------- next part --------------
diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog
--- libgd2-2.1.0/debian/changelog 2014-12-18 13:31:20.000000000 +0100
+++ libgd2-2.1.0/debian/changelog 2016-04-23 11:19:39.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.1.0-5+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2016-3074: Signedness vulnerability causing heap overflow
+ (Closes: #822242)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 23 Apr 2016 11:19:01 +0200
+
libgd2 (2.1.0-5) unstable; urgency=high
* Remove seanius from Uploaders. So Long, and Thanks for All the Fish.
diff -Nru libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch
--- libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 2016-04-23 11:19:39.000000000 +0200
@@ -0,0 +1,21 @@
+Description: gd2: handle corrupt images better (CVE-2016-3074)
+Origin: upstream, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+Bug-Debian: https://bugs.debian.org/822242
+Forwarded: not-needed
+Author: Mike Frysinger <vapier at gentoo.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-04-23
+
+---
+
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
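Review bot: the two added lines write the `if` without braces while every surrounding `if` in the context uses a braced block with a trailing `};`; since Origin says this is the verbatim upstream commit, keeping it byte-identical is the better trade-off for future rebases, but if it is ever touched, match the braced style. Note also that the guard fires only after both gdGetInt calls succeed and accepts a size of 0, so the consumer of the index still has to cope with empty chunks; that is unchanged behaviour, not a regression.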
diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series
--- libgd2-2.1.0/debian/patches/series 2014-12-18 13:31:20.000000000 +0100
+++ libgd2-2.1.0/debian/patches/series 2016-04-23 11:19:39.000000000 +0200
@@ -3,3 +3,4 @@
fix-compiled-in-version.patch
subdir-objects.patch
CVE-2014-2497.patch
+gd2-handle-corrupt-images-better-CVE-2016-3074.patch
-------------- next part --------------
diff -Nru libgd2-2.1.1/debian/changelog libgd2-2.1.1/debian/changelog
--- libgd2-2.1.1/debian/changelog 2015-07-07 13:09:41.000000000 +0200
+++ libgd2-2.1.1/debian/changelog 2016-04-23 10:50:10.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.1.1-4.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-3074: Signedness vulnerability causing heap overflow
+ (Closes: #822242)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 23 Apr 2016 10:49:43 +0200
+
libgd2 (2.1.1-4) unstable; urgency=medium
* Fix xmp vs xpm typo in Provides (Closes: #791435)
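Review bot: urgency=medium on an upload that closes a grave security bug; the wheezy and jessie entries above use urgency=high, and for unstable urgency=high also shortens the testing migration delay to two days, so consider setting high here as well so the fixed 2.1.1-4.1 reaches testing quickly.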
diff -Nru libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch
--- libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 2016-04-23 10:50:10.000000000 +0200
@@ -0,0 +1,21 @@
+Description: gd2: handle corrupt images better (CVE-2016-3074)
+Origin: upstream, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+Bug-Debian: https://bugs.debian.org/822242
+Forwarded: not-needed
+Author: Mike Frysinger <vapier at gentoo.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-04-23
+
+---
+
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
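Review bot: no reproducer or regression test accompanies the patch; only the two source lines change. A minimal .gd2 file whose chunk index carries an offset or size with the top bit set (so gdGetInt returns a negative int) would let a build-time test or autopkgtest confirm the guard triggers, and would catch the case where the patch is silently lost on the next upstream import.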
diff -Nru libgd2-2.1.1/debian/patches/series libgd2-2.1.1/debian/patches/series
--- libgd2-2.1.1/debian/patches/series 2015-07-07 13:09:41.000000000 +0200
+++ libgd2-2.1.1/debian/patches/series 2016-04-23 10:50:10.000000000 +0200
@@ -1,2 +1,3 @@
gdlib-config-uses-pkgconfig.patch
libvpx-1.4.patch
+gd2-handle-corrupt-images-better-CVE-2016-3074.patch
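The class of bug the CVE title names (a signed chunk offset or size read from the file and then used in size arithmetic), as an added illustration that is not part of the original message and is not libgd code: a toy chunk-index reader modelled on the `cidx[i].offset` / `cidx[i].size` ints in gd_gd2.c, run once without and once with the guard the patch adds, beside the naive and the correct bounds check a consumer of that index might write. The 4-byte big-endian integer encoding (after gdGetInt), the two-entry sample index and the 64-byte data length are constructed assumptions; the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for gd2's chunk index entry. gd_gd2.c keeps both
 * fields as int, which is what makes the sign of the on-disk value matter.
 * Not libgd code. */
typedef struct {
    int offset;
    int size;
} chunk_idx_t;

/* Stand-in for gdGetInt(): 4-byte big-endian signed int, 1 on success,
 * 0 on a short read. Any on-disk value >= 0x80000000 comes back negative
 * (two's complement wrap on every platform gd targets). */
static int get_int_be(const unsigned char *buf, size_t len, size_t *pos, int *out)
{
    if (*pos > len || len - *pos < 4)
        return 0;
    uint32_t v = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
                 ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    *out = (int)v;
    return 1;
}

/* Parse nchunks (offset, size) pairs into cidx. hardened == 0 reproduces the
 * pre-fix loop (no sign check); hardened == 1 adds the guard from the
 * CVE-2016-3074 patch and rejects any negative offset or size. */
static int read_chunk_index(const unsigned char *buf, size_t len, size_t *pos,
                            int nchunks, chunk_idx_t *cidx, int hardened)
{
    for (int i = 0; i < nchunks; i++) {
        if (get_int_be(buf, len, pos, &cidx[i].offset) != 1)
            return 0;
        if (get_int_be(buf, len, pos, &cidx[i].size) != 1)
            return 0;
        if (hardened && (cidx[i].offset < 0 || cidx[i].size < 0))
            return 0;
    }
    return 1;
}

/* The bounds check a consumer might naively write: signed arithmetic against
 * the data length. With size == -8 the sum is small and the check passes,
 * while the copy that follows uses (size_t)size, i.e. billions of bytes:
 * that is the heap overflow in a single comparison. */
static int naive_chunk_fits(int offset, int size, size_t data_len)
{
    return offset + size <= (int)data_len;
}

/* The same check done correctly: reject negatives first, then compare as
 * size_t in a form that cannot overflow (sz <= data_len - off). */
static int safe_chunk_fits(int offset, int size, size_t data_len)
{
    if (offset < 0 || size < 0)
        return 0;
    size_t off = (size_t)offset, sz = (size_t)size;
    return off <= data_len && sz <= data_len - off;
}

/* Constructed two-entry index: entry 0 is benign (offset 16, size 8);
 * entry 1 has size 0xFFFFFFF8, which the signed read turns into -8. */
static const unsigned char SAMPLE_INDEX[16] = {
    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08,
    0x00, 0x00, 0x00, 0x10, 0xFF, 0xFF, 0xFF, 0xF8,
};
#define SAMPLE_DATA_LEN ((size_t)64) /* assumed length of the whole file */

/* 1 if the unguarded parser accepts the index, the naive check lets the
 * negative entry through, and the copy length exceeds the file. */
static int demo_unguarded_accepts_negative(void)
{
    chunk_idx_t cidx[2];
    size_t pos = 0;
    if (read_chunk_index(SAMPLE_INDEX, sizeof SAMPLE_INDEX, &pos, 2, cidx, 0) != 1)
        return 0;
    return cidx[1].size == -8 &&
           naive_chunk_fits(cidx[1].offset, cidx[1].size, SAMPLE_DATA_LEN) &&
           (size_t)cidx[1].size > SAMPLE_DATA_LEN;
}

/* 1 if the guarded parser rejects the same index. */
static int demo_guarded_rejects_negative(void)
{
    chunk_idx_t cidx[2];
    size_t pos = 0;
    return read_chunk_index(SAMPLE_INDEX, sizeof SAMPLE_INDEX, &pos, 2, cidx, 1) == 0;
}

int main(void)
{
    printf("unguarded: parsed, naive check passed, copy length %zu > %zu: %d\n",
           (size_t)-8, SAMPLE_DATA_LEN, demo_unguarded_accepts_negative());
    printf("guarded: index rejected: %d\n", demo_guarded_rejects_negative());
    return 0;
}
```

The sign check in the patch stops the negative value at the parser, which is the cheapest place; `safe_chunk_fits` shows the second half a consumer still needs, since a positive size larger than the data passes the patch's guard unchanged.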