[pkg-GD-devel] Bug#822242: libgd2: CVE-2016-3074: Signedness vulnerability causing heap overflow

Salvatore Bonaccorso carnil at debian.org
Sat Apr 23 14:31:25 UTC 2016


Hi Ondrej and GD team,

On Fri, Apr 22, 2016 at 02:32:54PM +0200, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.1.1-4
> Severity: grave
> Tags: security upstream patch fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for libgd2.
> 
> CVE-2016-3074[0]:
> Signedness vulnerability causing heap overflow
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-3074
> [1] https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19

I prepared an upload for wheezy- and jessie-security, and attached is
a debdiff for sid as well.

I can upload to unstable with a NMU if needed as well.

Regards,
Salvatore
-------------- next part --------------
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/changelog libgd2-2.0.36~rc1~dfsg/debian/changelog
--- libgd2-2.0.36~rc1~dfsg/debian/changelog	2015-04-06 15:44:00.000000000 +0200
+++ libgd2-2.0.36~rc1~dfsg/debian/changelog	2016-04-23 16:14:32.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.0.36~rc1~dfsg-6.1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2016-3074: Signedness vulnerability causing heap overflow
+    (Closes: #822242)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 23 Apr 2016 11:39:20 +0200
+
 libgd2 (2.0.36~rc1~dfsg-6.1+deb7u1) wheezy-security; urgency=high
 
   * Fix NULL pointer dereference when reading XPM files with a
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch
--- libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch	2016-04-23 16:14:32.000000000 +0200
@@ -0,0 +1,38 @@
+Description: gd2: handle corrupt images better (CVE-2016-3074)
+Origin: backport, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+Bug-Debian: https://bugs.debian.org/822242
+Forwarded: not-needed
+Author: Mike Frysinger <vapier at gentoo.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-04-23
+
+---
+
+--- a/gd_gd2.c
++++ b/gd_gd2.c
+@@ -178,12 +178,14 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ 	{
+ 	  if (gdGetInt (&cidx[i].offset, in) != 1)
+ 	    {
+-	      goto fail1;
++	      goto fail2;
+ 	    };
+ 	  if (gdGetInt (&cidx[i].size, in) != 1)
+ 	    {
+-	      goto fail1;
++	      goto fail2;
+ 	    };
++	  if (cidx[i].offset < 0 || cidx[i].size < 0)
++	      goto fail2;
+ 	};
+       *chunkIdx = cidx;
+     };
+@@ -192,6 +194,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ 
+   return 1;
+ 
++fail2:
++  gdFree(cidx);
+ fail1:
+   return 0;
+ }
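Review bot: the new check `if (cidx[i].offset < 0 || cidx[i].size < 0)` only bounds the two fields from below; nothing in this hunk compares `cidx[i].size` or `cidx[i].offset` against the actual input length, so confirm that the code consuming the chunk index still caps the upper range (not visible here). Retargeting the two earlier `goto fail1;` to `goto fail2;` together with the new `fail2:` label that calls `gdFree(cidx)` is required for this backport, since `fail1:` only returns and the new check would otherwise leave `cidx` allocated on every rejected image; the 2.1.0 patch below shows that `fail2` already exists upstream, so it would help to mention in the DEP-3 header that this wheezy backport adds the label and changes the gdGetInt failure paths, as that differs from the commit named in Origin. Style point: the added `if` omits braces while every surrounding conditional in this GNU-style file wraps its `goto` in `{ ... }`, so matching that would keep the backport consistent with its context.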
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/patches/series libgd2-2.0.36~rc1~dfsg/debian/patches/series
--- libgd2-2.0.36~rc1~dfsg/debian/patches/series	2015-04-06 15:44:00.000000000 +0200
+++ libgd2-2.0.36~rc1~dfsg/debian/patches/series	2016-04-23 16:14:32.000000000 +0200
@@ -4,3 +4,4 @@
 0004_fix_fprint_string_formatting.patch
 0005_CVE-2014-2497.patch
 0006_CVE-2014-9709.patch
+0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch
-------------- next part --------------
diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog
--- libgd2-2.1.0/debian/changelog	2014-12-18 13:31:20.000000000 +0100
+++ libgd2-2.1.0/debian/changelog	2016-04-23 11:19:39.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.1.0-5+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2016-3074: Signedness vulnerability causing heap overflow
+    (Closes: #822242)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 23 Apr 2016 11:19:01 +0200
+
 libgd2 (2.1.0-5) unstable; urgency=high
 
   * Remove seanius from Uploaders.  So Long, and Thanks for All the Fish.
diff -Nru libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch
--- libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch	2016-04-23 11:19:39.000000000 +0200
@@ -0,0 +1,21 @@
+Description: gd2: handle corrupt images better (CVE-2016-3074)
+Origin: upstream, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+Bug-Debian: https://bugs.debian.org/822242
+Forwarded: not-needed
+Author: Mike Frysinger <vapier at gentoo.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-04-23
+
+---
+
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};
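Review bot: the check `if (cidx[i].offset < 0 || cidx[i].size < 0) goto fail2;` is placed after the `size` read, so both fields of the entry are validated in the same iteration and `fail2` reuses the cleanup label already present in the context lines, which is the right target. It rejects only negative values; no upper bound against the input length is visible in this hunk, so verify that the consumers of `cidx[i].size` still cap it before it is used for allocation or reads. The DEP-3 header is complete (Origin with the upstream commit URL, Bug-Debian, Author, Reviewed-by), so no documentation change is needed.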
diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series
--- libgd2-2.1.0/debian/patches/series	2014-12-18 13:31:20.000000000 +0100
+++ libgd2-2.1.0/debian/patches/series	2016-04-23 11:19:39.000000000 +0200
@@ -3,3 +3,4 @@
 fix-compiled-in-version.patch
 subdir-objects.patch
 CVE-2014-2497.patch
+gd2-handle-corrupt-images-better-CVE-2016-3074.patch
-------------- next part --------------
diff -Nru libgd2-2.1.1/debian/changelog libgd2-2.1.1/debian/changelog
--- libgd2-2.1.1/debian/changelog	2015-07-07 13:09:41.000000000 +0200
+++ libgd2-2.1.1/debian/changelog	2016-04-23 10:50:10.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.1.1-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-3074: Signedness vulnerability causing heap overflow
+    (Closes: #822242)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 23 Apr 2016 10:49:43 +0200
+
 libgd2 (2.1.1-4) unstable; urgency=medium
 
   * Fix xmp vs xpm typo in Provides (Closes: #791435)
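Review bot: `urgency=medium` on the `2.1.1-4.1` entry is inconsistent with the `urgency=high` used for the wheezy and jessie entries for the same CVE, and the bug is filed as severity grave; an `urgency=high` upload shortens the testing migration delay for the fix, so consider raising it to match the security uploads.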
diff -Nru libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch
--- libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch	2016-04-23 10:50:10.000000000 +0200
@@ -0,0 +1,21 @@
+Description: gd2: handle corrupt images better (CVE-2016-3074)
+Origin: upstream, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+Bug-Debian: https://bugs.debian.org/822242
+Forwarded: not-needed
+Author: Mike Frysinger <vapier at gentoo.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-04-23
+
+---
+
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};
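Review bot: this patch carries the same payload and hunk header (`@@ -167,6 +167,8 @@`) as the jessie one, so the same caveat applies: the added condition only rejects negative `offset`/`size` values and the hunk shows no upper bound check, which must come from elsewhere in `_gd2GetHeader` or its callers. Nothing else to raise on the hunk itself.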
diff -Nru libgd2-2.1.1/debian/patches/series libgd2-2.1.1/debian/patches/series
--- libgd2-2.1.1/debian/patches/series	2015-07-07 13:09:41.000000000 +0200
+++ libgd2-2.1.1/debian/patches/series	2016-04-23 10:50:10.000000000 +0200
@@ -1,2 +1,3 @@
 gdlib-config-uses-pkgconfig.patch
 libvpx-1.4.patch
+gd2-handle-corrupt-images-better-CVE-2016-3074.patch