277091 – (CVE-2007-3474) CVE-2007-3474 libgd Denial of service and reentrancy fixes in GIF code

Bug 277091 (CVE-2007-3474) - CVE-2007-3474 libgd Denial of service and reentrancy fixes in GIF code

Summary: CVE-2007-3474 libgd Denial of service and reentrancy fixes in GIF code

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2007-3474
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:	277411 277421
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-04 19:13 UTC by Lubomir Kundrak
Modified:	2021-11-12 19:41 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-02-13 16:15:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description Lubomir Kundrak 2007-09-04 19:13:01 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3474 to the following vulnerability:

Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 have unspecified impact and user-assisted remote attack vectors.

References:

http://www.libgd.org/ReleaseNote020035
http://bugs.php.net/bug.php?id=37360
http://bugs.php.net/bug.php?id=37346
http://bugs.libgd.org/?do=details&task_id=52
http://bugs.libgd.org/?do=details&task_id=60

Comment 1 Lubomir Kundrak 2007-09-04 19:29:26 UTC

"Unspecified" most likely means on of changes that fixed low impact security flaws:

A memory-leak with triggerable with a corrupted image that would eventually
consume all available memory and cause the process using gd to die. This is
usually not a problem when available memory memory is limited with setrlimit(2)
(typical case of PHP).

Some GIF handling functions did use static local variables and therefore were
not thread safe. This could be potentially exploited under a time-dependent race
condition to crash an application, or leak information. Possibility of this
happening is very low and it can only have security implications in
multi-threaded server application.

Comment 2 Lubomir Kundrak 2007-09-04 19:34:16 UTC

http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.13&r2=1.14
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.14&r2=1.15

Comment 4 Tomas Hoger 2008-02-11 17:19:09 UTC

Patch against 2.0.33 as used by rPath:

http://conary.rpath.com/conary/getFile?path=gd-2.0.33_CVE-2007-3474.patch;pathId=c3c1406d628c1de7683ff37ef9769dca;fileId=a74e489b1c7d86200139cc7ede2775229b662853;fileV=/conary.rpath.com%40rpl%3Adevel//1/2.0.33-4.5

Comment 5 Tomas Hoger 2008-02-11 18:07:32 UTC

This issue does not affect versions of gd as shipped with Red Hat Enterprise
Linux 2.1 and 3, as those versions do not offer GIF image type support.

Comment 6 Tomas Hoger 2008-02-13 16:15:05 UTC

It's not really obvious what issues / fixes this CVE id should really refer to.
 Reentrancy / thread safety issues were tracked via:

http://bugs.libgd.org/?do=details&task_id=52

Fixes for other bugs were committed along with re-entrancy fix, but those issues
are not security sensitive:

http://bugs.libgd.org/?do=details&task_id=60
http://bugs.libgd.org/?do=details&task_id=66


We currently do not plan to backport a fix that makes GIF handling re-entrant as
security fix to gd packages in Red Hat Enterprise Linux 4, and 5 due to low
likelihood of application possibly affected by this problem being exposed in a
way that would allow trust boundary to be crossed.

Note You need to log in before you can comment on or make changes to this bug.