Kees Cook from Ubuntu reported an "off-the-end-of-string increment", which could theoretically lead to a buffer overflow. This flaw would only be exploitable if a JIS-encoded font is used when processing a special malicious string. The issue here is that the NULL terminator is incremented, which could lead to unknown results during the processing of the malicious string.
Index: gdft.c =================================================================== RCS file: /repository/gd/libgd/gdft.c,v retrieving revision 1.28 diff -u -p -r1.28 gdft.c --- gdft.c 3 Jan 2007 21:21:21 -0000 1.28 +++ gdft.c 24 Jan 2007 23:00:55 -0000 @@ -1178,7 +1178,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d { ch = c & 0xFF; /* don't extend sign */ } - next++; + if (*next) next++; } break; case gdFTEX_Big5:
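Review bot: the guard `if (*next) next++;` stops the walker from stepping over the terminating NUL when the trail byte of a JIS pair is missing, but the hunk only touches the JIS branch; the `case gdFTEX_Big5:` branch that begins right after it should be checked for the same unconditional `next++` on a trail byte, since the description says the flaw is the terminator being incremented rather than anything JIS-specific. A one-line comment next to the guard (for example, "string may end mid-pair; do not step past the NUL") would also make the intent clear to the next reader, and a short regression input consisting of a lone lead byte followed by the terminator would exercise the fix.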
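To make the failure mode concrete, here is an added illustration (not libgd code, not from the bug reporter) of the pattern the patch corrects: a simplified walker over a string of two-byte characters, modelled on the `ch = c & 0xFF; next++;` sequence in the hunk. `walk_pairs` is a hypothetical helper; it returns the offset at which the walker finally observed the terminator, so the original and patched forms can be compared on a string that ends in the middle of a pair.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: a lone lead byte, then the terminating NUL, then
 * two more bytes that sit in memory past the end of the "string".  In a
 * real process these would be whatever happens to follow the buffer. */
const char demo_truncated[] = {0x30, 0x00, 'A', 'B', 0x00};

/* Constructed sample: one complete pair followed by the terminator. */
const char demo_complete[] = {0x30, 0x41, 0x00};

/* Walk a sequence of two-byte characters and return the offset of the
 * byte at which *next == 0 was observed.  For a well-formed input this is
 * the offset of the terminating NUL.  `guarded` selects the patched form
 * of the trail-byte increment. */
size_t walk_pairs(const char *s, int guarded)
{
    const char *next = s;
    int c;
    int ch;

    while (*next) {
        c = (unsigned char)*next;   /* lead byte of the pair */
        next++;
        c = (unsigned char)*next;   /* trail byte: may be the NUL itself */
        ch = c & 0xFF;              /* "don't extend sign", as in the hunk */
        (void)ch;
        if (guarded) {
            if (*next) next++;      /* patched: never step over the NUL */
        } else {
            next++;                 /* original: steps over the NUL when the
                                       string ends after a lead byte */
        }
    }
    return (size_t)(next - s);
}

int main(void)
{
    printf("complete input:  original stops at %zu, patched stops at %zu\n",
           walk_pairs(demo_complete, 0), walk_pairs(demo_complete, 1));
    printf("truncated input: original stops at %zu, patched stops at %zu\n",
           walk_pairs(demo_truncated, 0), walk_pairs(demo_truncated, 1));
    return 0;
}
```

On the complete input both forms stop at offset 2, the terminator. On the truncated input the patched form stops at offset 1, while the original form increments past the NUL and keeps consuming whatever follows it, stopping only at the next zero byte it happens to find at offset 4; in the real library that continuation is the out-of-bounds read the report describes.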
This flaw does not affect gd as shipped in RHEL2.1 or RHEL3.
This flaw also affects RHEL5. Once we can assign bugs to that version, I'll move this from RHEL4.
This issue was addressed in:
Red Hat Application Stack:
php: http://rhn.redhat.com/errata/RHSA-2007-0162.html
Red Hat Enterprise Linux:
php: http://rhn.redhat.com/errata/RHSA-2007-0155.html
http://rhn.redhat.com/errata/RHSA-2007-0153.html
gd: http://rhn.redhat.com/errata/RHSA-2008-0146.html