Hi Ondrej and GD team,

On Fri, Apr 22, 2016 at 02:32:54PM +0200, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.1.1-4
> Severity: grave
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for libgd2.
>
> CVE-2016-3074[0]:
> Signedness vulnerability causing heap overflow
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-3074
> [1] https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
I prepared an upload for wheezy- and jessie-security, and attached is a debdiff for sid as well. I can upload to unstable with an NMU if needed as well.

Regards,
Salvatore
diff -Nru libgd2-2.0.36~rc1~dfsg/debian/changelog libgd2-2.0.36~rc1~dfsg/debian/changelog --- libgd2-2.0.36~rc1~dfsg/debian/changelog 2015-04-06 15:44:00.000000000 +0200 +++ libgd2-2.0.36~rc1~dfsg/debian/changelog 2016-04-23 16:14:32.000000000 +0200 @@ -1,3 +1,11 @@ +libgd2 (2.0.36~rc1~dfsg-6.1+deb7u2) wheezy-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2016-3074: Signedness vulnerability causing heap overflow + (Closes: #822242) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Apr 2016 11:39:20 +0200 + libgd2 (2.0.36~rc1~dfsg-6.1+deb7u1) wheezy-security; urgency=high * Fix NULL pointer dereference when reading XPM files with a diff -Nru libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch --- libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.0.36~rc1~dfsg/debian/patches/0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch 2016-04-23 16:14:32.000000000 +0200 
@@ -0,0 +1,38 @@ +Description: gd2: handle corrupt images better (CVE-2016-3074) +Origin: backport, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 +Bug-Debian: https://bugs.debian.org/822242 +Forwarded: not-needed +Author: Mike Frysinger <vap...@gentoo.org> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-04-23 + +--- + +--- a/gd_gd2.c ++++ b/gd_gd2.c +@@ -178,12 +178,14 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i + { + if (gdGetInt (&cidx[i].offset, in) != 1) + { +- goto fail1; ++ goto fail2; + }; + if (gdGetInt (&cidx[i].size, in) != 1) + { +- goto fail1; ++ goto fail2; + }; ++ if (cidx[i].offset < 0 || cidx[i].size < 0) ++ goto fail2; + }; + *chunkIdx = cidx; + }; +@@ -192,6 +194,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i + + return 1; + ++fail2: ++ gdFree(cidx); + fail1: + return 0; + } diff -Nru libgd2-2.0.36~rc1~dfsg/debian/patches/series libgd2-2.0.36~rc1~dfsg/debian/patches/series --- libgd2-2.0.36~rc1~dfsg/debian/patches/series 2015-04-06 15:44:00.000000000 +0200 +++ libgd2-2.0.36~rc1~dfsg/debian/patches/series 2016-04-23 16:14:32.000000000 +0200 @@ -4,3 +4,4 @@ 0004_fix_fprint_string_formatting.patch 0005_CVE-2014-2497.patch 0006_CVE-2014-9709.patch +0007_gd2-handle-corrupt-images-better-CVE-2016-3074.patch
diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog --- libgd2-2.1.0/debian/changelog 2014-12-18 13:31:20.000000000 +0100 +++ libgd2-2.1.0/debian/changelog 2016-04-23 11:19:39.000000000 +0200 @@ -1,3 +1,11 @@ +libgd2 (2.1.0-5+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2016-3074: Signedness vulnerability causing heap overflow + (Closes: #822242) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Apr 2016 11:19:01 +0200 + libgd2 (2.1.0-5) unstable; urgency=high * Remove seanius from Uploaders. So Long, and Thanks for All the Fish. diff -Nru libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch --- libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.1.0/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 2016-04-23 11:19:39.000000000 +0200 @@ -0,0 +1,21 @@ +Description: gd2: handle corrupt images better (CVE-2016-3074) +Origin: upstream, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 +Bug-Debian: https://bugs.debian.org/822242 +Forwarded: not-needed +Author: Mike Frysinger <vap...@gentoo.org> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-04-23 + +--- + +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i + if (gdGetInt (&cidx[i].size, in) != 1) { + goto fail2; + }; ++ if (cidx[i].offset < 0 || cidx[i].size < 0) ++ goto fail2; + }; + *chunkIdx = cidx; + }; diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series --- libgd2-2.1.0/debian/patches/series 2014-12-18 13:31:20.000000000 +0100 +++ libgd2-2.1.0/debian/patches/series 2016-04-23 11:19:39.000000000 +0200 
@@ -3,3 +3,4 @@ fix-compiled-in-version.patch subdir-objects.patch CVE-2014-2497.patch +gd2-handle-corrupt-images-better-CVE-2016-3074.patch
diff -Nru libgd2-2.1.1/debian/changelog libgd2-2.1.1/debian/changelog --- libgd2-2.1.1/debian/changelog 2015-07-07 13:09:41.000000000 +0200 +++ libgd2-2.1.1/debian/changelog 2016-04-23 10:50:10.000000000 +0200 @@ -1,3 +1,11 @@ +libgd2 (2.1.1-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2016-3074: Signedness vulnerability causing heap overflow + (Closes: #822242) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Apr 2016 10:49:43 +0200 + libgd2 (2.1.1-4) unstable; urgency=medium * Fix xmp vs xpm typo in Provides (Closes: #791435) diff -Nru libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch --- libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.1.1/debian/patches/gd2-handle-corrupt-images-better-CVE-2016-3074.patch 2016-04-23 10:50:10.000000000 +0200 @@ -0,0 +1,21 @@ +Description: gd2: handle corrupt images better (CVE-2016-3074) +Origin: upstream, https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 +Bug-Debian: https://bugs.debian.org/822242 +Forwarded: not-needed +Author: Mike Frysinger <vap...@gentoo.org> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-04-23 + +--- + +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i + if (gdGetInt (&cidx[i].size, in) != 1) { + goto fail2; + }; ++ if (cidx[i].offset < 0 || cidx[i].size < 0) ++ goto fail2; + }; + *chunkIdx = cidx; + }; diff -Nru libgd2-2.1.1/debian/patches/series libgd2-2.1.1/debian/patches/series --- libgd2-2.1.1/debian/patches/series 2015-07-07 13:09:41.000000000 +0200 +++ libgd2-2.1.1/debian/patches/series 2016-04-23 10:50:10.000000000 +0200 @@ -1,2 +1,3 @@ gdlib-config-uses-pkgconfig.patch libvpx-1.4.patch +gd2-handle-corrupt-images-better-CVE-2016-3074.patch
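Review bot: In the wheezy backport hunk for gd_gd2.c (`@@ -178,12 +178,14 @@ _gd2GetHeader`), the two existing `goto fail1;` inside the chunk-index loop are turned into `goto fail2;` and a `fail2: gdFree(cidx);` label is added ahead of `fail1:`, which goes beyond the two-line check that the jessie and sid patches add. It is the right adaptation, since the 2.1.x hunks show `goto fail2;` already present as context at that point and without it the new check would leak `cidx` on a rejected index, but it should be mentioned in the patch Description as part of the backport, and it is worth confirming that every other `goto fail1` left in `_gd2GetHeader` happens before `cidx` is allocated, as those still bypass the free.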
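Review bot: The added check `if (cidx[i].offset < 0 || cidx[i].size < 0) goto fail2;` (the same in all three patches) only rejects negative values for the two `int` fields read through `gdGetInt`, which is the signedness problem the CVE title names, but it places no upper bound on `size` or `offset` and does not relate them to the file length. Whether oversized positive values are bounded by the code that later allocates and reads the chunks is not visible in these hunks, so confirm that before treating the CVE as fully addressed; the hunk itself is fine to apply as is.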
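Review bot: In the changelog hunks, the sid entry (`libgd2 (2.1.1-4.1) unstable; urgency=medium`) uses `urgency=medium` while the wheezy and jessie security entries use `urgency=high`; consider `high` in unstable too so the fix migrates to testing quickly. All three entries carry the CVE id and `(Closes: #822242)` as the bug report asked, but none says what the fix does; a short "reject negative chunk offsets/sizes in the gd2 header" would let a reader of the changelog see the scope without opening the patch.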