Bug 431568 (CVE-2006-4484)

Summary: CVE-2006-4484 gd: GIF handling buffer overflow
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: alex, debarshir, jima, jmoskovc, john.ellson, kreilly
Keywords: Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4484
Doc Type: Bug Fix
Last Closed: 2008-02-28 10:58:28 UTC
Bug Depends On: 206956, 207090, 432784, 432785, 432786, 432787, 444872, 833899

Description Tomas Hoger 2008-02-05 15:00:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-4484 to the following vulnerability:

Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array.

References:
http://bugs.php.net/bug.php?id=38112
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.10&r2=1.11
http://www.php.net/ChangeLog-5.php#5.1.5
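
The overflow in the CVE text above, modelled as an added example (not gd's or PHP's source): a simplified version of the decoder-table initialisation in LWZReadByte_, with the kind of bound check on input_code_size that the referenced fix introduced. The names lwz_state, lwz_init and lwz_init_from_gif_byte are this example's own.

```c
#define MAX_LWZ_BITS 12                    /* gd's compile-time limit on LZW code width */
#define TABLE_ENTRIES (1 << MAX_LWZ_BITS)  /* 4096 entries per table row */

/* Stand-in for the static decoder state gd keeps inside LWZReadByte_. */
struct lwz_state {
    int set_code_size, code_size, clear_code, end_code, max_code, max_code_size;
    int table[2][TABLE_ENTRIES];           /* fixed size, so clear_code must fit */
};

/* Initialise the decoder from the GIF "LZW minimum code size" byte.
 * Returns 0 on success, -1 if the width cannot be represented.
 *
 * The pre-fix code had no such check: clear_code = 1 << input_code_size,
 * and the init loop runs up to clear_code. For input_code_size 13 that is
 * 8192 iterations over 4096-entry rows, so the table[0] writes spill into
 * table[1] and the table[1] writes run past the end of the array (the
 * overflow described in the CVE text). */
int lwz_init(struct lwz_state *st, int input_code_size)
{
    int i;

    /* Hardened: reject widths the fixed-size table cannot hold. The upper
     * bound is the check that matters for the CVE; the lower bound only
     * guards against a negative shift count if a caller passes a bad int. */
    if (input_code_size < 0 || input_code_size > MAX_LWZ_BITS)
        return -1;

    st->set_code_size = input_code_size;
    st->code_size     = st->set_code_size + 1;
    st->clear_code    = 1 << st->set_code_size;
    st->end_code      = st->clear_code + 1;
    st->max_code_size = 2 * st->clear_code;
    st->max_code      = st->clear_code + 2;

    /* clear_code <= TABLE_ENTRIES now holds, so every index is in range. */
    for (i = 0; i < st->clear_code; ++i) {
        st->table[0][i] = 0;   /* prefix: none for single-byte codes */
        st->table[1][i] = i;   /* suffix: the literal byte value */
    }
    return 0;
}

/* The byte right after a GIF image descriptor is what gd passes in as
 * input_code_size; a file can carry any value 0..255 there, so the value
 * must be validated before it sizes the table. */
int lwz_init_from_gif_byte(struct lwz_state *st, unsigned char code_size_byte)
{
    return lwz_init(st, (int)code_size_byte);
}
```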

Comment 1 Tomas Hoger 2008-02-05 15:06:49 UTC
This issue was addressed in php packages in the following advisories:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2006-0669.html

Red Hat Application Stack:
  http://rhn.redhat.com/errata/RHSA-2006-0688.html


Fix is included in upstream gd version 2.0.34.  Versions of gd currently shipped
in Fedora are not affected.

Related issues affecting other packages that use a derivative of the same GIF
handling code: CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554 (netpbm)


Comment 2 Tomas Hoger 2008-02-05 15:43:08 UTC
graphviz includes and seems to use a local copy of the gd code.  I haven't
investigated whether graphviz has any way to load GIF images, so I can't tell if
it's really affected by this problem.  Patrick, Alex, any thoughts?  Can graphviz
packages be modified to use the system gd library instead of the local copy?

If graphviz is affected, only F7 version (2.12) needs to be fixed, as it ships
with embedded gd 2.0.33.  F8 version (2.14.1) embeds fixed gd 2.0.34.

Comment 3 Jima 2008-02-05 16:38:22 UTC
Actually, I'm pretty sure the version of graphviz-gd in F8 uses the system gd,
or so the package's dependency on libgd.so.2 would suggest to me.

So what I would immediately consider is pushing 2.14.1 to F7.  Any objections to
that?

Cc'ing John Ellson (graphviz upstream) and Debarshi Ray (graphviz downstream,
anjuta maintainer).  Debarshi, anjuta will need a rebuild if I bump graphviz. 
Just a heads-up.

Comment 4 Tomas Hoger 2008-02-05 16:57:24 UTC
(In reply to comment #3)
> Actually, I'm pretty sure the version of graphviz-gd in F8 uses the system gd,
> or so the package's dependency on libgd.so.2 would suggest to me.

Thanks for the clarification.  I haven't investigated the F8 version closely once I
noticed the gd version there is fixed.  I've seen gd being built on F7 (according to
the build.log from the latest F7 package).

> So what I would immediately consider is pushing 2.14.1 to F7.  Any objections 
> to that?

If a rebase is not practical, the patch linked in the initial comment (in the PHP CVS
repo) should be trivial to adjust for graphviz.


Comment 5 John Ellson 2008-02-05 22:38:09 UTC
Your risk is causing problems with anjuta and doxygen by going from 2.12 to 2.14.

Graphviz is happy with a system gd >= 2.0.34, and fc7 has 2.0.35, so a more
conservative change would be to just rebuild graphviz-2.12.

Check that --with-mylibgd is *not* set in the spec file


The upstream sources already contain this patch, for anyone using graphviz on
systems with older versions of gd.

Comment 6 Debarshi Ray 2008-02-05 22:53:18 UTC
(In reply to comment #3)

> Cc'ing John Ellson (graphviz upstream) and Debarshi Ray (graphviz downstream,
> anjuta maintainer).

Thank you for the heads up.

>  Debarshi, anjuta will need a rebuild if I bump graphviz. 

In fact the Anjuta package and a few of its dependencies -- libgdl (formerly
anjuta-gdl), gnome-build and autogen -- in Fedora are seriously outdated. I
inherited some of them some time ago (yet to get autogen), and am gradually
freshening them up. I am going to submit a fresh Anjuta package for F-7, F-8 and
Rawhide sometime soon, so the re-builds will anyway happen one way or the other.

Comment 7 Fedora Update System 2008-02-08 14:15:26 UTC
graphviz-2.12-10.fc7 has been submitted as an update for Fedora 7

Comment 8 Fedora Update System 2008-02-13 05:18:21 UTC
graphviz-2.12-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Red Hat Product Security 2008-02-28 10:58:28 UTC
This issue was addressed in:

Red Hat Application Stack:
  php:
    http://rhn.redhat.com/errata/RHSA-2006-0688.html

Red Hat Enterprise Linux:
  php:
    http://rhn.redhat.com/errata/RHSA-2006-0669.html
  gd:
    http://rhn.redhat.com/errata/RHSA-2008-0146.html

Fedora:
  graphviz:
    https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1643