Bug 276751 (CVE-2007-3472)
| Summary: | CVE-2007-3472 libgd Integer overflow in TrueColor code | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Lubomir Kundrak <lkundrak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jlieskov, kreilly, varekova |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3472 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-02-17 15:17:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 277411, 277421, 432784, 432785, 432786, 432787, 833899 | ||
| Bug Blocks: | |||
|
Description
Lubomir Kundrak
2007-09-04 17:16:54 UTC
This just leads to unsuccessful attempt to allocate huge amount of memory and a NULL dereference in turn. Just a crash. (In reply to comment #1) > This just leads to unsuccessful attempt to allocate huge amount of memory > and a NULL dereference in turn. Just a crash. What you refer to here is more likely: http://bugs.libgd.org/?do=details&task_id=14 http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.44&r2=1.45 Return values of various *alloc functions were not properly checked. In the case described in gd bug 89 -- im->tpixels[i] -- possibly being NULL, it depends on specific use. If attacker may control index used as second array index, he may possibly read / modify arbitrary memory address. Looking into gd_png and gd_jpeg (just a few places where gdImageCreateTrueColor is used), it seems that im->tpixels[i][] is traversed from lower indexes, so likely leading to SEGV soon. Upstream CVS commit for gd bug 89: http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.57&r2=1.58 Additionally, this seems to be same as CVE-2007-3996, part (b) reported for php-gd, described in: http://www.secweb.se/en/advisories/php-imagecreatetruecolor-integer-overflow/ (Text does not seem to be correct in claim that gdImageCreate if affected by overflow too, as char items are allocated.) SecWeb advisory equivalent for gd: http://www.secweb.se/en/advisories/gd-gdimagecreatetruecolor-integer-overflow/ SecWeb advisory is somewhat misleading, as it describes integer overflow in gdImageCreateTrueColor, but in example PoC uses gdImageCreateFromXbm, which does not use gdImageCreateTrueColor, but gdImageCreate. Crash caused by that PoC seems to be what is known as CVE-2007-3473 (see bug bug #276791). This issue does not affect versions of gd as shipped in Red Hat Enterprise Linux 2.1 and 3, as they do not provide affected gdImageCreateTrueColor() function. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0146.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2055 Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates to libwmf on Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |