431568 – (CVE-2006-4484) CVE-2006-4484 gd: GIF handling buffer overflow

Bug 431568 (CVE-2006-4484) - CVE-2006-4484 gd: GIF handling buffer overflow

Summary: CVE-2006-4484 gd: GIF handling buffer overflow

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2006-4484
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:	206956 207090 432784 432785 432786 432787 444872 833899
Blocks:
TreeView+	depends on / blocked

Reported:	2008-02-05 15:00 UTC by Tomas Hoger
Modified:	2019-09-29 12:23 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-02-28 10:58:28 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0146	0	normal	SHIPPED_LIVE	Moderate: gd security update	2008-02-28 09:59:17 UTC

Description Tomas Hoger 2008-02-05 15:00:23 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2006-4484 to the following vulnerability:

Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array.

References:
http://bugs.php.net/bug.php?id=38112
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.10&r2=1.11
http://www.php.net/ChangeLog-5.php#5.1.5

Comment 1 Tomas Hoger 2008-02-05 15:06:49 UTC

This issue was addressed in php packages in following advisories:

Red Hat Enterprise Linux: 	
  http://rhn.redhat.com/errata/RHSA-2006-0669.html

Red Hat Application Stack:  	
  http://rhn.redhat.com/errata/RHSA-2006-0688.html


Fix is included in upstream gd version 2.0.34.  Versions of gd currently shipped
in Fedora are not affected.

Related issue affecting other packages that use derivate of the same GIF
handling code: CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554 (netpbm)

Comment 2 Tomas Hoger 2008-02-05 15:43:08 UTC

graphviz includes and seems to use local copy of gd code.  I haven't
investigated whether graphiz has any way to load GIF images, so I can't tell if
it's really affected by this problem.  Patrick, Alex, any thoughts?  Can graphiz
packages be modified to use system gd library instead of local copy?

If graphviz is affected, only F7 version (2.12) needs to be fixed, as it ships
with embedded gd 2.0.33.  F8 version (2.14.1) embeds fixed gd 2.0.34.

Comment 3 Jima 2008-02-05 16:38:22 UTC

Actually, I'm pretty sure the version of graphviz-gd in F8 uses the system gd,
or so the package's dependency on libgd.so.2 would suggest to me.

So what I would immediately consider is pushing 2.14.1 to F7.  Any objections to
that?

Cc'ing John Ellson (graphviz upstream) and Debarshi Ray (graphviz downstream,
anjuta maintainer).  Debarshi, anjuta will need a rebuild if I bump graphviz. 
Just a heads-up.

Comment 4 Tomas Hoger 2008-02-05 16:57:24 UTC

(In reply to comment #3)
> Actually, I'm pretty sure the version of graphviz-gd in F8 uses the system gd,
> or so the package's dependency on libgd.so.2 would suggest to me.

Thanks for clarification.  I haven't investigated F8 version closely once I've
notices gd version there is fixed.  I've seen gd being build on F7 (according to
build.log from latest F7 package).

> So what I would immediately consider is pushing 2.14.1 to F7.  Any objections 
> to that?

If rebase is not practical, patch linked in the initial comment (in PHP CVS
repo) should trivial to adjust for graphviz.

Comment 5 John Ellson 2008-02-05 22:38:09 UTC

Your risk is causing problems with anjuta and doxygen by going from 2.12 to 2.14

Graphviz is happy with a system gd >= 2.0.34, and fc7 has 2.0.35, so a more
conservative change would be to just rebuild graphviz-2.12.

Check that --with-mylibgd is *not* set in the spec file


The upstream sources already contain this patch, for anyone using graphviz on
systems with older versions of gd.

Comment 6 Debarshi Ray 2008-02-05 22:53:18 UTC

(In reply to comment #3)

> Cc'ing John Ellson (graphviz upstream) and Debarshi Ray (graphviz downstream,
> anjuta maintainer).

Thank you for the heads up.

>  Debarshi, anjuta will need a rebuild if I bump graphviz. 

In fact the Anjuta package and a few of its dependencies -- libgdl (formerly
anjuta-gdl), gnome-build and autogen -- in Fedora are seriously outdated. I
inherited some of them sometime ago (yet to get autogen), and am gradually
freshening them up. I am going to submit a fresh Anjuta package for F-7, F-8 and
Rawhide sometime soon, so the re-builds will anyway happen one way or the other.

Comment 7 Fedora Update System 2008-02-08 14:15:26 UTC

graphviz-2.12-10.fc7 has been submitted as an update for Fedora 7

Comment 8 Fedora Update System 2008-02-13 05:18:21 UTC

graphviz-2.12-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Red Hat Product Security 2008-02-28 10:58:28 UTC

This issue was addressed in:

Red Hat Application Stack:
  php:
    http://rhn.redhat.com/errata/RHSA-2006-0688.html

Red Hat Enterprise Linux:
  php:
    http://rhn.redhat.com/errata/RHSA-2006-0669.html
  gd:
    http://rhn.redhat.com/errata/RHSA-2008-0146.html

Fedora:
  graphviz:
    https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1643

Comment 11 Tomas Hoger 2011-08-01 07:55:10 UTC

(In reply to comment #0)
> http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.10&r2=1.11

This is now:
http://svn.php.net/viewvc?view=revision&revision=216488
http://svn.php.net/viewvc?view=revision&revision=216545

Note You need to log in before you can comment on or make changes to this bug.