Bug 1353550 (CVE-2016-6161)

Summary: CVE-2016-6161 gd: Global out-of-bounds read when encoding gif from malformed gd2 input
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, anemec, dmcphers, dmoppert, fedora, hhorak, jialiu, jmlich83, jokerman, jorton, jskarvad, kseifried, lmeyer, mmccomas, mskalick, rcollet, rvokal, slawomir, than, tiwillia, varekova, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gd 2.2.2, gd 2.2.1, gd 2.2.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in gd. A maliciously crafted .gd2 file, when converted to .gif, could result in information disclosure from the process linking libgd.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-25 04:28:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1353551, 1354356, 1354357, 1354358, 1354359, 1354360, 1354361, 1354362, 1354363, 1354364, 1354365, 1354366, 1354367, 1354368, 1354369, 1354370, 1354710
Bug Blocks: 1353553

Description Adam Mariš 2016-07-07 12:36:18 UTC
An out-of-bounds read vulnerability in gd was found when encoding a gif from malformed input with the gd2togif utility.

Upstream bug:

https://github.com/libgd/libgd/issues/209

Upstream patch:

https://github.com/libgd/libgd/commit/82b80dcb70a7ca8986125ff412bceddafc896842

CVE assignment:

http://seclists.org/oss-sec/2016/q3/14

Comment 1 Adam Mariš 2016-07-07 12:36:53 UTC
Created gd tracking bugs for this issue:

Affects: fedora-23 [bug 1353551]

Comment 2 Doran Moppert 2016-07-11 07:36:26 UTC
CVSSv3 score adjusted based on the following reasoning:

- the flaw makes it possible for a crafted .gd2 file to read arbitrary amounts of memory when converted to .gif

- the library is often exposed (in PHP) to web services that process untrusted images

- such services often restrict the file types they accept, and gd2 is normally not whitelisted

- libgd uses gd2 as an intermediate format for conversions, so the code can still be reached.

- in this case, exploitation relies on chaining another vulnerability that allows the attacker to trigger (semi-controlled) creation of an incorrect intermediate .gd2 image

This lies between AC:L and AC:H; I think the overall score fairly well represents the risk exposure.

Comment 9 Doran Moppert 2016-07-12 02:07:36 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1354710]

Comment 10 Doran Moppert 2016-08-25 04:28:34 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.