Bug 1353550 (CVE-2016-6161) - CVE-2016-6161 gd: Global out-of-bounds read when encoding gif from malformed gd2 input
Summary: CVE-2016-6161 gd: Global out-of-bounds read when encoding gif from malformed ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-6161
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1353551 1354356 1354357 1354358 1354359 1354360 1354361 1354362 1354363 1354364 1354365 1354366 1354367 1354368 1354369 1354370 1354710
Blocks: 1353553
Reported: 2016-07-07 12:36 UTC by Adam Mariš
Modified: 2019-09-29 13:52 UTC (History)

Fixed In Version: gd 2.2.2, gd 2.2.1, gd 2.2.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in gd. A maliciously crafted .gd2 file when converted to .gif could result in information disclosure from the process linking libgd.
Clone Of:
Environment:
Last Closed: 2016-08-25 04:28:59 UTC



Description Adam Mariš 2016-07-07 12:36:18 UTC
An out-of-bounds read vulnerability in gd was found when encoding gif from malformed input with gd2togif utility.

Upstream bug:

https://github.com/libgd/libgd/issues/209

Upstream patch:

https://github.com/libgd/libgd/commit/82b80dcb70a7ca8986125ff412bceddafc896842

CVE assignment:

http://seclists.org/oss-sec/2016/q3/14

Comment 1 Adam Mariš 2016-07-07 12:36:53 UTC
Created gd tracking bugs for this issue:

Affects: fedora-23 [bug 1353551]

Comment 2 Doran Moppert 2016-07-11 07:36:26 UTC
CVSSv3 score adjusted based on the following reasoning:

- the flaw makes it possible for a crafted .gd2 file to read arbitrary amounts of memory when converted to .gif

- the library is often exposed (in php) to web services that process untrusted images

- such services often restrict the file types they accept, and gd2 is normally not whitelisted

- libgd uses gd2 as an intermediate format for conversions, so the code can still be reached.

- in this case, exploitation relies on chaining another vulnerability that allows the attacker to trigger (semi-controlled) creation of an incorrect intermediate .gd2 image

This lies between AC:L and AC:H; I think the overall score fairly well represents the risk exposure.

Comment 9 Doran Moppert 2016-07-12 02:07:36 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1354710]

Comment 10 Doran Moppert 2016-08-25 04:28:34 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

