Bug 276751 - (CVE-2007-3472) CVE-2007-3472 libgd Integer overflow in TrueColor code
CVE-2007-3472 libgd Integer overflow in TrueColor code
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
public=20070621,reported=20070628,sou...
: Reopened, Security
Depends On: 277411 277421 432784 432785 432786 432787 833899
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-04 13:16 EDT by Lubomir Kundrak
Modified: 2016-03-04 07:01 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-17 10:17:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-09-04 13:16:54 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3472 to the following vulnerability:

Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers has unspecified attack vectors and impact.

References:

http://bugs.libgd.org/?do=details&task_id=89
Comment 1 Lubomir Kundrak 2007-09-04 16:34:07 EDT
This just leads to unsuccessful attempt to allocate huge amount of memory and a
NULL dereference in turn. Just a crash.
Comment 3 Tomas Hoger 2008-02-08 11:55:42 EST
(In reply to comment #1)
> This just leads to unsuccessful attempt to allocate huge amount of memory
> and a NULL dereference in turn. Just a crash.

What you refer to here is more likely:
http://bugs.libgd.org/?do=details&task_id=14
http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.44&r2=1.45

Return values of various *alloc functions were not properly checked.  In the
case described in gd bug 89 -- im->tpixels[i] -- possibly being NULL, it depends
on specific use.  If attacker may control index used as second array index, he
may possibly read / modify arbitrary memory address.  Looking into gd_png and
gd_jpeg (just a few places where gdImageCreateTrueColor is used), it seems that
im->tpixels[i][] is traversed from lower indexes, so likely leading to SEGV soon.

Upstream CVS commit for gd bug 89:
http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.57&r2=1.58

Additionally, this seems to be same as CVE-2007-3996, part (b) reported for
php-gd, described in:
http://www.secweb.se/en/advisories/php-imagecreatetruecolor-integer-overflow/

(Text does not seem to be correct in claim that gdImageCreate if affected by
overflow too, as char items are allocated.)
Comment 4 Tomas Hoger 2008-02-08 12:04:01 EST
SecWeb advisory equivalent for gd:

http://www.secweb.se/en/advisories/gd-gdimagecreatetruecolor-integer-overflow/
Comment 6 Tomas Hoger 2008-02-08 12:46:46 EST
SecWeb advisory is somewhat misleading, as it describes integer overflow in
gdImageCreateTrueColor, but in example PoC uses gdImageCreateFromXbm, which does
not use gdImageCreateTrueColor, but gdImageCreate.  Crash caused by that PoC
seems to be what is known as CVE-2007-3473 (see bug bug #276791).
Comment 7 Tomas Hoger 2008-02-13 12:44:12 EST
This issue does not affect versions of gd as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not provide affected gdImageCreateTrueColor() function.
Comment 10 Red Hat Product Security 2008-02-28 05:53:38 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0146.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2055

Comment 11 Vincent Danen 2015-02-17 10:17:49 EST
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates to libwmf on Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.