Bug 1621953 (CVE-2018-1000222)

Summary:	CVE-2018-1000222 gd: Double free in src/gd_bump.c:gdImageBmpPtr() via crafted JPEG
Product:	[Other] Security Response	Reporter:	Sam Fowler <sfowler>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	alexl, caillon+fedoraproject, caolanm, databases-maint, fedora, hhorak, jmlich83, jmoskovc, john.j5live, jorton, rcollet, rhughes, rstrode, sandmann, webstack-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-06-10 10:36:51 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1621956, 1621961, 1621962, 1621964, 1621965, 1621966
Bug Blocks:	1621959

Description Sam Fowler 2018-08-24 03:57:13 UTC

libgd through version 2.2.5 is vulnerable to a double free in the src/gd_bump.c:gdImageBmpPtr() function when parsing a crafted JPEG. An attacker could exploit this to cause a crash or potentially execute arbitrary code.


Upstream Issue:

https://github.com/libgd/libgd/issues/447


Upstream Patch:

https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5

Comment 1 Sam Fowler 2018-08-24 04:00:50 UTC

Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1621961]


Created libwmf tracking bugs for this issue:

Affects: fedora-all [bug 1621962]


Created php tracking bugs for this issue:

Affects: fedora-all [bug 1621966]

Comment 3 Scott Gayou 2018-08-27 17:33:20 UTC

RHEL7 is using gd-2.0.35, which is a release before BMP support was merged in. RHEL7 and before not affected.

Comment 4 Scott Gayou 2018-08-27 18:19:10 UTC

RHSCL packages not affected as well.