Bug 276791 (CVE-2007-3473)

Summary: CVE-2007-3473 libgd NULL pointer dereference when reading a corrupt X bitmap
Product: [Other] Security Response Reporter: Red Hat Product Security <security-response-team>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kreilly, varekova
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3473
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-17 15:18:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 277411, 277421, 432784, 432785, 432786, 432787, 833899    
Bug Blocks:    

Description Lubomir Kundrak 2007-09-04 17:49:40 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3473 to the following vulnerability:

The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.

References:

http://bugs.libgd.org/?do=details&task_id=94
http://www.libgd.org/ReleaseNote020035
http://news.php.net/php.gd.cvs/235

Comment 1 Lubomir Kundrak 2007-09-04 17:53:38 UTC
On failure, gdImageCreate() returns NULL which is in turn dereferenced by
gdImageCreateFromXbm() (gdImageCreateXbm doesn't exist at all).

Comment 2 Lubomir Kundrak 2007-09-04 19:34:48 UTC
http://news.php.net/php.gd.cvs/235

Comment 4 Tomas Hoger 2008-02-08 17:42:10 UTC
Upstream commit:
http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.62&r2=1.63

Following SecWeb advisory seems to provide reproducer for this issue:
http://www.secweb.se/en/advisories/gd-gdimagecreatetruecolor-integer-overflow/

Note that this advisory describes different issue in the text -- integer
overflow in gdImageCreateTrueColor, known as CVE-2007-3472.  I'm not sure why
gdImageCreateFromXbm was used as an example in PoC, as this function only calls
gdImageCreate (i.e. non-TrueColor version, not affected by the overflow).


Comment 9 Tomas Hoger 2008-02-28 10:50:27 UTC
Updated gd packages addressing this issue were released for Red Hat Enterprise
Linux 4 and 5:

  https://rhn.redhat.com/errata/RHSA-2008-0146.html

Comment 11 Jay Turner 2008-09-16 13:19:38 UTC
Closing this issue out as the errata shipped in February 2008.

Comment 12 Tomas Hoger 2008-09-29 08:10:47 UTC
Please do not close 'Security Response' bugs that may be left open intentionally. Thank you!

Comment 13 Red Hat Bugzilla 2009-10-23 19:04:00 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 14 Vincent Danen 2015-02-17 15:18:49 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates to libwmf on Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.