Bug 1418983 (CVE-2016-10166) - CVE-2016-10166 gd: Unsigned integer underflow _gdContributionsAlloc()
Summary: CVE-2016-10166 gd: Unsigned integer underflow _gdContributionsAlloc()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-10166
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1418991 1418992 1709345 1709346 1709347
Blocks: 1417990
Reported: 2017-02-03 10:57 UTC by Adam Mariš
Modified: 2019-11-06 10:12 UTC

Fixed In Version: gd 2.2.4, php 5.6.40, php 7.1.26, php 7.2.14, php 7.3.1
Last Closed: 2019-08-19 08:47:02 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:3727 | 0 | None | None | None | 2019-11-06 10:12:27 UTC
Red Hat Product Errata | RHSA-2019:2519 | 0 | None | None | None | 2019-08-19 08:40:58 UTC
Red Hat Product Errata | RHSA-2019:3299 | 0 | None | None | None | 2019-11-01 13:01:16 UTC

Description Adam Mariš 2017-02-03 10:57:04 UTC
An unsigned integer overflow vulnerability was found in the _gdContributionsAlloc function.

Upstream patch:

https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35

CVE assignment:

http://www.openwall.com/lists/oss-security/2017/01/28/6

Comment 1 Adam Mariš 2017-02-03 11:32:40 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1418991]

Comment 2 Adam Mariš 2017-02-03 11:32:55 UTC
Created libwmf tracking bugs for this issue:

Affects: fedora-all [bug 1418992]

Comment 3 Huzaifa S. Sidhpurwala 2018-04-01 03:02:15 UTC
Analysis:

The code affects the _gdContributionsAlloc() function, which first appeared in gd-2.2.5. Red Hat Enterprise Linux 5, 6 and 7 do not ship with this gd version (or higher) either in an independent package or embedded with PHP, hence they are not affected.

Comment 4 Tomas Hoger 2019-05-13 12:34:39 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #3)
> The code affects the _gdContributionsAlloc() function, which first appeared
> in gd-2.2.5.

_gdContributionsAlloc() first appeared in gd 2.1.0:

https://github.com/libgd/libgd/commit/423c9393917a9d1233fe163a45a0791da306b109

The problem was actually fixed in gd 2.2.4.

> Red Hat Enterprise Linux 5, 6 and 7 do not ship with this gd version
> (or higher) either in an independent package

Red Hat Enterprise Linux 7 and earlier do not contain the affected code.  The gd packages in Red Hat Enterprise Linux 8 are based on upstream version 2.2.5, and hence include this fix.

> or embedded with PHP, hence they are not affected.

While PHP versions did not embed a newer upstream gd version, they did contain many backports of the newer functionality.  The vulnerable _gdContributionsAlloc() code was added in PHP 5.5.0:

https://github.com/php/php-src/commit/a7a53d369bfcf3208b445b9aa12aa8a6e114c5fd

I.e. the vulnerable code was added to php and libgd at approximately the same time.

However, this problem only got fixed in the gd version bundled in PHP in Jan 2019 in versions 5.6.40, 7.1.26, 7.2.14, and 7.3.1.  PHP upstream bug and commit:

https://bugs.php.net/bug.php?id=77269
https://github.com/php/php-src/commit/a918020c03880e12ac9f38e11a4a3789491a5f85

The php:7.2 module packages in Red Hat Enterprise Linux 8 are not affected by this issue even though they are currently based on the upstream version 7.2.11, as they use the fixed system libgd instead of using the bundled gd.

Comment 6 errata-xmlrpc 2019-08-19 08:40:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519

Comment 7 Product Security DevOps Team 2019-08-19 08:47:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-10166

Comment 8 errata-xmlrpc 2019-11-01 13:01:14 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299

