This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 431568 - (CVE-2006-4484) CVE-2006-4484 gd: GIF handling buffer overflow
CVE-2006-4484 gd: GIF handling buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=upstream,reported=20060918,pub...
: Security
Depends On: 206956 207090 432784 432785 432786 432787 444872 833899
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-05 10:00 EST by Tomas Hoger
Modified: 2012-06-20 10:08 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-28 05:58:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-02-05 10:00:23 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-4484 to the following vulnerability:

Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array.

References:
http://bugs.php.net/bug.php?id=38112
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.10&r2=1.11
http://www.php.net/ChangeLog-5.php#5.1.5
Comment 1 Tomas Hoger 2008-02-05 10:06:49 EST
This issue was addressed in php packages in following advisories:

Red Hat Enterprise Linux: 	
  http://rhn.redhat.com/errata/RHSA-2006-0669.html

Red Hat Application Stack:  	
  http://rhn.redhat.com/errata/RHSA-2006-0688.html


Fix is included in upstream gd version 2.0.34.  Versions of gd currently shipped
in Fedora are not affected.

Related issue affecting other packages that use derivate of the same GIF
handling code: CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554 (netpbm)
Comment 2 Tomas Hoger 2008-02-05 10:43:08 EST
graphviz includes and seems to use local copy of gd code.  I haven't
investigated whether graphiz has any way to load GIF images, so I can't tell if
it's really affected by this problem.  Patrick, Alex, any thoughts?  Can graphiz
packages be modified to use system gd library instead of local copy?

If graphviz is affected, only F7 version (2.12) needs to be fixed, as it ships
with embedded gd 2.0.33.  F8 version (2.14.1) embeds fixed gd 2.0.34.
Comment 3 Jima 2008-02-05 11:38:22 EST
Actually, I'm pretty sure the version of graphviz-gd in F8 uses the system gd,
or so the package's dependency on libgd.so.2 would suggest to me.

So what I would immediately consider is pushing 2.14.1 to F7.  Any objections to
that?

Cc'ing John Ellson (graphviz upstream) and Debarshi Ray (graphviz downstream,
anjuta maintainer).  Debarshi, anjuta will need a rebuild if I bump graphviz. 
Just a heads-up.
Comment 4 Tomas Hoger 2008-02-05 11:57:24 EST
(In reply to comment #3)
> Actually, I'm pretty sure the version of graphviz-gd in F8 uses the system gd,
> or so the package's dependency on libgd.so.2 would suggest to me.

Thanks for clarification.  I haven't investigated F8 version closely once I've
notices gd version there is fixed.  I've seen gd being build on F7 (according to
build.log from latest F7 package).

> So what I would immediately consider is pushing 2.14.1 to F7.  Any objections 
> to that?

If rebase is not practical, patch linked in the initial comment (in PHP CVS
repo) should trivial to adjust for graphviz.
Comment 5 John Ellson 2008-02-05 17:38:09 EST
Your risk is causing problems with anjuta and doxygen by going from 2.12 to 2.14

Graphviz is happy with a system gd >= 2.0.34, and fc7 has 2.0.35, so a more
conservative change would be to just rebuild graphviz-2.12.

Check that --with-mylibgd is *not* set in the spec file


The upstream sources already contain this patch, for anyone using graphviz on
systems with older versions of gd.
Comment 6 Debarshi Ray 2008-02-05 17:53:18 EST
(In reply to comment #3)

> Cc'ing John Ellson (graphviz upstream) and Debarshi Ray (graphviz downstream,
> anjuta maintainer).

Thank you for the heads up.

>  Debarshi, anjuta will need a rebuild if I bump graphviz. 

In fact the Anjuta package and a few of its dependencies -- libgdl (formerly
anjuta-gdl), gnome-build and autogen -- in Fedora are seriously outdated. I
inherited some of them sometime ago (yet to get autogen), and am gradually
freshening them up. I am going to submit a fresh Anjuta package for F-7, F-8 and
Rawhide sometime soon, so the re-builds will anyway happen one way or the other.
Comment 7 Fedora Update System 2008-02-08 09:15:26 EST
graphviz-2.12-10.fc7 has been submitted as an update for Fedora 7
Comment 8 Fedora Update System 2008-02-13 00:18:21 EST
graphviz-2.12-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Red Hat Product Security 2008-02-28 05:58:28 EST
This issue was addressed in:

Red Hat Application Stack:
  php:
    http://rhn.redhat.com/errata/RHSA-2006-0688.html

Red Hat Enterprise Linux:
  php:
    http://rhn.redhat.com/errata/RHSA-2006-0669.html
  gd:
    http://rhn.redhat.com/errata/RHSA-2008-0146.html

Fedora:
  graphviz:
    https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1643


Note You need to log in before you can comment on or make changes to this bug.