[pkg-GD-devel] Bug#869263: libgd2: CVE-2017-7890: Buffer over-read into uninitialized memory

Salvatore Bonaccorso carnil at debian.org
Sat Aug 12 05:59:20 UTC 2017


Control: severity -1 grave
Control: tags -1 + patch

Hi Ondrej,

I uploaded the attached two debdiffs to security-master for jessie-
and stretch-security.

I wanted to propose an NMU for unstable as well, so it's not left unfixed there,
but currently libgd2 FTBFS.

Would it be possible to import those in the packaging repository? I
was not entirely sure how you want the respective branches created
(guess just branch upstream-stretch and master-stretch from the respective
tags).

Regards,
Salvatore
-------------- next part --------------
diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog
--- libgd2-2.1.0/debian/changelog	2017-01-18 13:35:12.000000000 +0100
+++ libgd2-2.1.0/debian/changelog	2017-08-12 06:15:41.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.1.0-5+deb8u10) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading
+    (Closes: #869263)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 12 Aug 2017 06:15:41 +0200
+
 libgd2 (2.1.0-5+deb8u9) jessie-security; urgency=high
 
   * [CVE-2016-6906]: Fix OOB reads of the TGA decompression buffer
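Review bot: the new changelog line `+  * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading` carries the typo "unitialized" (should be "uninitialized"); it is copied from the upstream commit subject, but the changelog wording is Debian's own and can be corrected without renaming the patch file.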
diff -Nru libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch
--- libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch	2017-08-12 06:15:41.000000000 +0200
@@ -0,0 +1,26 @@
+From: "Christoph M. Becker" <cmbecker69 at gmx.de>
+Date: Thu, 10 Aug 2017 18:31:29 +0200
+Subject: Close #339: Fix unitialized memory read vulnerability in GIF reading
+Origin: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424
+Bug-Debian: https://bugs.debian.org/869263
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7890
+
+The stack allocated color map buffers were not zeroed before usage, and
+so undefined palette indexes could cause information leakage.
+
+This issue has been reported by Matviy Kotoniy to security at libgd.org in
+<CAKm_7a-AO++B6cXYWM_DtycPENG5WNWK7NSEvQ5OmZziMY_JyA at mail.gmail.com>.
+---
+
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -152,6 +152,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ 
+ 	gdImagePtr im = 0;
+ 
++	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
++	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
++
+ 	if(!ReadOK(fd, buf, 6)) {
+ 		return 0;
+ 	}
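Review bot: the two added `memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);` / `memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);` lines zero both stack color maps before any byte of the file is read, which is what closes the uninitialized-stack read the description names; since the hunk adds no include, confirm that gd_gif_in.c in 2.1.0 already pulls in <string.h>, and since this backport was relocated to line 152 (the context header even shows the function name truncated to `gdImageCreateFro`), check that both arrays are declared with exactly 3 * MAXCOLORMAPSIZE bytes in this older version. Worth stating in the patch header as well: zeroing turns an out-of-range palette index into black rather than leftover stack contents, it does not reject such indexes, so a malformed GIF still decodes silently.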
diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series
--- libgd2-2.1.0/debian/patches/series	2017-01-18 13:35:12.000000000 +0100
+++ libgd2-2.1.0/debian/patches/series	2017-08-12 06:15:41.000000000 +0200
@@ -27,3 +27,4 @@
 0027-Fix-OOB-reads-of-the-TGA-decompression-buffer.patch
 0028-Fix-340-System-frozen.patch
 0029-Fix-354-Signed-Integer-Overflow-gd_io.c.patch
+0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch
-------------- next part --------------
diff -Nru libgd2-2.2.4/debian/changelog libgd2-2.2.4/debian/changelog
--- libgd2-2.2.4/debian/changelog	2017-01-18 21:06:46.000000000 +0100
+++ libgd2-2.2.4/debian/changelog	2017-08-12 07:14:26.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.2.4-2+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading
+    (Closes: #869263)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 12 Aug 2017 07:14:26 +0200
+
 libgd2 (2.2.4-2) unstable; urgency=medium
 
   * Apply correct patch on tiff_invalid_read
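Review bot: same typo as the jessie entry, `+  * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading` should read "uninitialized"; the changelog text can be fixed independently of the upstream subject line kept in the patch header.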
diff -Nru libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch
--- libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch	2017-08-12 07:14:26.000000000 +0200
@@ -0,0 +1,28 @@
+From: "Christoph M. Becker" <cmbecker69 at gmx.de>
+Date: Thu, 10 Aug 2017 18:31:29 +0200
+Subject: Close #339: Fix unitialized memory read vulnerability in GIF reading
+Origin: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424
+Bug-Debian: https://bugs.debian.org/869263
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7890
+
+The stack allocated color map buffers were not zeroed before usage, and
+so undefined palette indexes could cause information leakage.
+
+This issue has been reported by Matviy Kotoniy to security at libgd.org in
+<CAKm_7a-AO++B6cXYWM_DtycPENG5WNWK7NSEvQ5OmZziMY_JyA at mail.gmail.com>.
+---
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index 008d1ec..c195448 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 
+ 	gdImagePtr im = 0;
+ 
++	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
++	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
++
+ 	if(!ReadOK(fd, buf, 6)) {
+ 		return 0;
+ 	}
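Review bot: this hunk is the upstream commit applied unmodified at line 216, complete with the `diff --git` and `index 008d1ec..c195448` header that the jessie backport dropped, and the DEP-3 Origin/Bug-Debian/Bug-Debian-Security fields tie it back to the commit and the tracker entry correctly. The same caveat applies as for jessie: the memset relies on an existing <string.h> include in gd_gif_in.c, and the fix neutralizes rather than rejects out-of-range palette indexes, so it stops the information leak without adding an index bound check.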
diff -Nru libgd2-2.2.4/debian/patches/series libgd2-2.2.4/debian/patches/series
--- libgd2-2.2.4/debian/patches/series	2017-01-18 21:06:46.000000000 +0100
+++ libgd2-2.2.4/debian/patches/series	2017-08-12 07:14:26.000000000 +0200
@@ -3,3 +3,4 @@
 0004-Fix-error-ISO-C99-requires-at-least-one-argument-for.patch
 disable-tests-gdimagegrayscale-as-it-breaks-on-32-bit.patch
 0005-Fix-tiff_invalid_read-check.patch
+0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch

