Bug 277091 (CVE-2007-3474)
Field | Value
---|---
Summary: | CVE-2007-3474 libgd Denial of service and reentrancy fixes in GIF code
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Lubomir Kundrak <lkundrak>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED WONTFIX
Severity: | low
Priority: | low
Version: | unspecified
CC: | varekova
Keywords: | Security
Hardware: | All
OS: | Linux
URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3474
Doc Type: | Bug Fix
Last Closed: | 2008-02-13 16:15:05 UTC
Bug Depends On: | 277411, 277421
Description
Lubomir Kundrak
2007-09-04 19:13:01 UTC
"Unspecified" most likely means one of the changes that fixed low impact security flaws:

A memory leak triggerable with a corrupted image that would eventually consume all available memory and cause the process using gd to die. This is usually not a problem when available memory is limited with setrlimit(2) (typical case of PHP).

Some GIF handling functions did use static local variables and therefore were not thread safe. This could be potentially exploited under a time-dependent race condition to crash an application, or leak information. Possibility of this happening is very low and it can only have security implications in a multi-threaded server application.

http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.13&r2=1.14
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.14&r2=1.15

Patch against 2.0.33 as used by rPath:
http://conary.rpath.com/conary/getFile?path=gd-2.0.33_CVE-2007-3474.patch;pathId=c3c1406d628c1de7683ff37ef9769dca;fileId=a74e489b1c7d86200139cc7ede2775229b662853;fileV=/conary.rpath.com%40rpl%3Adevel//1/2.0.33-4.5

This issue does not affect versions of gd as shipped with Red Hat Enterprise Linux 2.1 and 3, as those versions do not offer GIF image type support.

It's not really obvious what issues / fixes this CVE id should really refer to. Reentrancy / thread safety issues were tracked via:
http://bugs.libgd.org/?do=details&task_id=52

Fixes for other bugs were committed along with the re-entrancy fix, but those issues are not security sensitive:
http://bugs.libgd.org/?do=details&task_id=60
http://bugs.libgd.org/?do=details&task_id=66

We currently do not plan to backport a fix that makes GIF handling re-entrant as a security fix to gd packages in Red Hat Enterprise Linux 4 and 5, due to the low likelihood of an application possibly affected by this problem being exposed in a way that would allow a trust boundary to be crossed.
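
The static-local-variable problem described in this bug, shown as an added example (not code from libgd, PHP or the linked patches; all function and type names are hypothetical, and the byte streams are constructed). Two decodes are interleaved in a single thread as a deterministic stand-in for two threads racing: the variant with a static cursor mixes the two streams, the variant with a caller-owned context does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static const uint8_t STREAM_A[] = {0x21, 0x43}; /* constructed: 4-bit codes 1,2,3,4, LSB-first */
static const uint8_t STREAM_B[] = {0x65, 0x87}; /* constructed: 4-bit codes 5,6,7,8, LSB-first */
/* Non-reentrant pattern: the read cursor is a static local shared by every caller. */
static int get_code_static(const uint8_t *data, size_t len, int bits, int reset) {
    static size_t bitpos;
    int code = 0;
    if (reset) { bitpos = 0; return 0; }
    if (bitpos + (size_t)bits > len * 8) return -1;        /* out of data */
    for (int i = 0; i < bits; i++, bitpos++)
        code |= ((data[bitpos >> 3] >> (bitpos & 7)) & 1) << i;
    return code;
}

/* Re-entrant pattern: the same cursor lives in a caller-owned context (hypothetical type). */
typedef struct { const uint8_t *data; size_t len, bitpos; } code_reader;
static int get_code_ctx(code_reader *r, int bits) {
    int code = 0;
    if (r->bitpos + (size_t)bits > r->len * 8) return -1;  /* out of data */
    for (int i = 0; i < bits; i++, r->bitpos++)
        code |= ((r->data[r->bitpos >> 3] >> (r->bitpos & 7)) & 1) << i;
    return code;
}

/* Decode both streams with interleaved calls; return how many codes came out wrong. */
int mismatches_static(void) {
    int bad = 0;
    get_code_static(NULL, 0, 0, 1);                        /* reset the shared cursor */
    for (int i = 0; i < 4; i++) {
        bad += get_code_static(STREAM_A, sizeof STREAM_A, 4, 0) != 1 + i;
        bad += get_code_static(STREAM_B, sizeof STREAM_B, 4, 0) != 5 + i;
    }
    return bad;
}
int mismatches_ctx(void) {
    code_reader a = {STREAM_A, sizeof STREAM_A, 0}, b = {STREAM_B, sizeof STREAM_B, 0};
    int bad = 0;
    for (int i = 0; i < 4; i++) {
        bad += get_code_ctx(&a, 4) != 1 + i;
        bad += get_code_ctx(&b, 4) != 5 + i;
    }
    return bad;
}
int main(void) {
    printf("static: %d wrong, context: %d wrong\n", mismatches_static(), mismatches_ctx());
    return 0;
}
```

In the static variant one caller's reads advance the cursor the other caller depends on, so codes come from the wrong offset and the stream appears to run out early; with real threads the same sharing becomes a timing-dependent race.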