Bug 1418983 (CVE-2016-10166)

Summary: CVE-2016-10166 gd: Unsigned integer underflow _gdContributionsAlloc()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, caolanm, databases-maint, dmcphers, fedora, hhorak, jialiu, jmlich83, jokerman, jorton, kseifried, lmeyer, mmccomas, mskalick, panovotn, rcollet, slawomir, tiwillia, trepik, varekova, webstack-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gd 2.2.4, php 5.6.40, php 7.1.26, php 7.2.14, php 7.3.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-19 08:47:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1418991, 1418992, 1709345, 1709346, 1709347    
Bug Blocks: 1417990    

Description Adam Mariš 2017-02-03 10:57:04 UTC 
An unsigned integer overflow vulnerability was found in _gdContributionsAlloc function.

Upstream patch:

https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35

CVE assignment:

http://www.openwall.com/lists/oss-security/2017/01/28/6
Comment 1 Adam Mariš 2017-02-03 11:32:40 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1418991]
Comment 2 Adam Mariš 2017-02-03 11:32:55 UTC 
Created libwmf tracking bugs for this issue:

Affects: fedora-all [bug 1418992]
Comment 3 Huzaifa S. Sidhpurwala 2018-04-01 03:02:15 UTC 
Analysis:

The code affects the _gdContributionsAlloc() function, which first appeared in gd-2.2.5. Red Hat Enterprise Linux 5, 6 and 7 does not ship with this gd version (or higher) either in an independent package or embedded with PHP, hence they are not affected.
Comment 4 Tomas Hoger 2019-05-13 12:34:39 UTC 
(In reply to Huzaifa S. Sidhpurwala from comment #3)
> The code affects the _gdContributionsAlloc() function, which first appeared
> in gd-2.2.5.

_gdContributionsAlloc() first appeared in gd 2.1.0:

https://github.com/libgd/libgd/commit/423c9393917a9d1233fe163a45a0791da306b109

The problem was actually fixed in gd 2.2.4.

> Red Hat Enterprise Linux 5, 6 and 7 does not ship with this gd version
> (or higher) either in an independent package

Red Hat Enterprise Linux 7 and earlier do not contain the affected code.  The gd packages in Red Hat Enterprise Linux 8 are based on upstream version 2.2.5, and hence include this fix.

> or embedded with PHP, hence they are not affected.

While PHP versions did not embed newer upstream gd version, it did contain many backports of the newer functionality.  The vulnerable _gdContributionsAlloc() code was added in PHP 5.5.0:

https://github.com/php/php-src/commit/a7a53d369bfcf3208b445b9aa12aa8a6e114c5fd

I.e. the vulnerable code was added to php and libgd at approximately the same time.

However, this problem only got fixed in the gd version bundled in PHP in Jan 2019 in versions 5.6.40, 7.1.26, 7.2.14, and 7.3.1.  PHP upstream bug and commit:

https://bugs.php.net/bug.php?id=77269
https://github.com/php/php-src/commit/a918020c03880e12ac9f38e11a4a3789491a5f85

The php:7.2 module packages in Red Hat Enterprise Linux 8 are not affected by this issue even though they are currently based on the upstream version 7.2.11, as they use fixed system libgd instead of using bundled gd.
Comment 6 errata-xmlrpc 2019-08-19 08:40:56 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519
Comment 7 Product Security DevOps Team 2019-08-19 08:47:02 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-10166
Comment 8 errata-xmlrpc 2019-11-01 13:01:14 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299