Bug 152838 - CAN-2004-0941,0990 GD Overflow Vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: gd
Version: unspecified
Platform: All Linux
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: 1, LEGACY, rh73, rh90
Keywords: Security
Reported: 2004-11-08 16:57 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2005-07-15 22:13:20 EDT


Description David Lawrence 2005-03-30 18:29:13 EST
This vulnerability was reported to bugtraq.
http://marc.theaimsgroup.com/?l=bugtraq&m=109882489302099&w=2

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Summary:

There is an integer overflow when allocating memory in the routine that handles
loading PNG image files.  This later leads to heap data structures being
overwritten.  If an attacker tricked a user into loading a malicious PNG image,
they could leverage this into executing arbitrary code in the context of the
user opening the image.  Many programs use GD, such as ImageMagick, and more
importantly it is also the image library used for PHP, and there is a Perl
module as well.  One possible target would be PHP driven photo websites that
let users upload images.  Some of them will resize/compress the image when the
user uploads them.  If this is done using GD, this could be used to execute code
on the server.  There is a mitigating factor: in order to reach the vulnerable
code, a large amount of memory needs to be allocated.  My 128MB p2 crapped out
one allocation before it reached the overflow.  However, I think on a newer box
with lots of memory and swap space, that won't be a problem.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Details:

The vulnerable code occurs in the file gd_png.c, in the function
gdImageCreateFromPngCtx(), which is called by gdImageCreateFromPng().  The
function is used to load an image file into GD data structures.  The problem
occurs when allocating memory for the image rows, line 314 or so (I added some
comments so the line number might be off).  Two user supplied values are multiplied
together (rowbytes * height), and used to allocate memory for an array of
pointers.  This pointer array is then passed to the png_read_image() function,
which belongs to the libPNG library.  In that function, the pointers are passed
to the png_read_row() function.  The data for the rows is decompressed using
the zLib function inflate(), and then passed to the png_combine_row() function,
where the deflated data is memcpy()'d into the heap buffer.  Exploitation would
require using zLib functions to compress the payload.  Successful exploitation
would lead to executing arbitrary code.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0990

Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137246
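The allocation pattern described in the Details section, as an added illustration that is not gd's own code and not the patch attached to this bug: the unchecked `rowbytes * height` product beside an overflow-checked allocation that rejects the image instead of handing a wrapped size to the allocator. All function names and the `max_bytes` policy limit are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* All names here are illustrative and assumed; they are not gd identifiers. */

/* Nonzero if a * b cannot be represented in size_t (the product would wrap). */
int mul_overflows(size_t a, size_t b) { return a != 0 && b > SIZE_MAX / a; }

/* Vulnerable pattern: two header-controlled 32-bit values are multiplied and
 * the wrapped result is what reaches the allocator, so the buffer can be far
 * smaller than `height` rows of `rowbytes` bytes each. */
uint32_t wrapped_row_buffer_size(uint32_t rowbytes, uint32_t height) {
    return rowbytes * height; /* wraps modulo 2^32 */
}

/* Hardened pattern: validate the product before allocating. Returns NULL
 * (image rejected) on zero dimensions, overflow, or a size above max_bytes. */
unsigned char **alloc_image_rows(size_t rowbytes, size_t height, size_t max_bytes) {
    if (rowbytes == 0 || height == 0) return NULL;
    if (mul_overflows(rowbytes, height)) return NULL;
    if (rowbytes * height > max_bytes) return NULL;
    if (mul_overflows(sizeof(unsigned char *), height)) return NULL;
    unsigned char **rows = malloc(height * sizeof *rows);
    if (rows == NULL) return NULL;
    unsigned char *data = malloc(rowbytes * height);
    if (data == NULL) { free(rows); return NULL; }
    for (size_t i = 0; i < height; i++)
        rows[i] = data + i * rowbytes; /* row i starts i*rowbytes into data */
    return rows;
}

void free_image_rows(unsigned char **rows) {
    if (rows != NULL) { free(rows[0]); free(rows); }
}

/* Self-check: allocate, verify consecutive rows are exactly rowbytes apart,
 * free, and return 1 on success or 0 if the image was rejected. */
int rows_are_contiguous(size_t rowbytes, size_t height, size_t max_bytes) {
    unsigned char **rows = alloc_image_rows(rowbytes, height, max_bytes);
    if (rows == NULL) return 0;
    int ok = 1;
    for (size_t i = 1; i < height; i++)
        if (rows[i] != rows[i - 1] + rowbytes) ok = 0;
    free_image_rows(rows);
    return ok;
}
```

The `max_bytes` cap matters in practice: even with correct overflow arithmetic, a decoder that accepts any well-formed product will still try the huge allocations the advisory mentions, so a per-image limit is the usual companion check.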



------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-13 03:16:12 ----

New vulnerabilities have been reported as CVE-2004-0941.

http://secunia.com/advisories/13179/

Some vulnerabilities have been reported in GD Graphics Library, which
potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to unspecified boundary errors in calls to the
"gdMalloc()" function and can be exploited to cause buffer overflows.

Successful exploitation may potentially allow execution of arbitrary code with
the privileges of an application linked to the vulnerable library.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0941

Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138808

Patch for CAN-2004-0990 and CAN-2004-0941:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106484&action=view




------- Additional Comments From michal@harddata.com 2004-11-14 19:47:04 ----

Created an attachment (id=926)
patch for buffer overflows in gdMalloc()



This is a patch for the CAN-2004-0990 and CAN-2004-0941 buffer overflow
vulnerabilities, backported from gd-2.0.21-5.20.1.src.rpm to gd-1.8.4.
It compiles and passes basic tests.



------- Additional Comments From pekkas@netcore.fi 2004-12-21 08:18:48 ----

I created RPMs for these two issues for RHL73, RHL9 and FC1.

The patches used differ a bit from Michal's -- I've used (without changes)
those in RHEL21 and RHEL3 for RHL73 and RHL9 (the patches are identical).

For FC1, I've taken FC2 update, and bumped the version number also from
2.0.15 to 2.0.21 because I didn't want to spend time merging the rejects.
After all, this is _Fedora_ where stability is not so important. If someone
else wants to build patches to 2.0.15, feel free.

http://www.netcore.fi/pekkas/linux/gd-1.8.4-4.1.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/gd-1.8.4-11.1.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/gd-2.0.21-1.1.legacy.src.rpm (FC1)

Sha1sum:

6e3dfb3748807733e9de6910e4471d7711737971  gd-1.8.4-11.1.legacy.src.rpm
d254d33fd2857199dc01c34080212b2418ae9544  gd-1.8.4-4.1.legacy.src.rpm
bb37a68368e0e4129bb34901f3e7c214cbb84930  gd-2.0.21-1.1.legacy.src.rpm

Changelog:
* Tue Dec 21 2004 Pekka Savola <pekkas@netcore.fi>: 1.8.4-11.1.legacy
- Fix CAN-2004-0941,CAN-2004-0990, from RHEL.




------- Additional Comments From michal@harddata.com 2004-12-28 08:27:06 ----

For reference, an announcement about fixed RHEL packages is here:
https://rhn.redhat.com/errata/RHSA-2004-638.html



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-04 13:46:36 ----

I did QA on the rh73 and rh9 packages in comment 3:

6e3dfb3748807733e9de6910e4471d7711737971  gd-1.8.4-11.1.legacy.src.rpm
d254d33fd2857199dc01c34080212b2418ae9544  gd-1.8.4-4.1.legacy.src.rpm

- Source files match previous version
- Patch file matches RHEL update
- Spec file changes good

+PUBLISH





------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-04 13:48:29 ----

Here are packages for FC1 to QA with a backported patch:

48447ff8a7dbcc170d94cd60c303b6d5008766de  gd-2.0.15-1.1.legacy.i386.rpm
e92f6546d9fd2ff3cdb2f76998c33c9199f476e3  gd-2.0.15-1.1.legacy.src.rpm
fc0e8a79833d261ded88eb81c01c537ea9b80b7d  gd-devel-2.0.15-1.1.legacy.i386.rpm
5a9f146d315d26cd1127be8bdb807f33901c3ffa  gd-progs-2.0.15-1.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/gd-2.0.15-1.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gd-2.0.15-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gd-devel-2.0.15-1.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gd-progs-2.0.15-1.1.legacy.i386.rpm







------- Additional Comments From pekkas@netcore.fi 2005-03-04 20:23:53 ----

QA for FC1:
 - source integrity ok
 - spec file changes minimal
 - patch was a PITA to verify because the chunks were in different order,
but it is OK.

+PUBLISH FC1

e92f6546d9fd2ff3cdb2f76998c33c9199f476e3  gd-2.0.15-1.1.legacy.src.rpm




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 06:37:29 ----

These are ready to be built



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 08:49:39 ----

packages were pushed to updates-testing



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2254 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2254
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for buffer overflows in gdMalloc()
https://bugzilla.fedora.us/attachment.cgi?action=view&id=926

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to
the person who moved it here, dkl@redhat.com. Previous reporter was
fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product. This bug either had no qa
contact or an invalid one.

Comment 1 Pekka Savola 2005-06-29 05:06:15 EDT
Quick test on RHL73 and RHL9.  After the upgrade,
gnuplot (which uses gd) still worked as normal.
 
+VERIFY RHL73, RHL9
Comment 2 Jim Popovitch 2005-07-10 18:52:09 EDT
++VERIFY RHL 7.3

094e683de916db07104de9f735a0773db3a89d25  gd-1.8.4-4.1.legacy.i386.rpm

Runs fine on test and production systems (mrtg uses gd)

-Jim P.
Comment 3 Pekka Savola 2005-07-14 03:11:24 EDT
Timeout over.
Comment 4 Marc Deslauriers 2005-07-15 22:13:20 EDT
Packages were released to updates.
