Bug 1671390 (CVE-2019-6978) - CVE-2019-6978 gd: double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
Summary: CVE-2019-6978 gd: double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, ...
Status: NEW
Alias: CVE-2019-6978
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20190115,reported=2...
Keywords: Security
Depends On: 1671391 1679002 1679003 1679005 1679006 1717799 1671392
Blocks: 1671394
TreeView+ depends on / blocked
 
Reported: 2019-01-31 14:12 UTC by Laura Pardo
Modified: 2019-06-08 23:51 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2019-01-31 14:12:57 UTC
The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.


References:
https://github.com/libgd/libgd/issues/492

Upstream Patch:
https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
https://github.com/php/php-src/commit/089f7c0bc28d399b0420aa6ef058e4c1c120b2ae

Comment 1 Laura Pardo 2019-01-31 14:13:12 UTC
Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1671391]


Created libwmf tracking bugs for this issue:

Affects: fedora-all [bug 1671392]

Comment 2 Huzaifa S. Sidhpurwala 2019-02-20 04:54:55 UTC
Analysis:

Basically a double-free in the gd library when handling gdImage Pointers. Can result in application crash. However you need need the gdImage*Ctx (where * is git, Jpeg or Wbmp) to fail.


Note You need to log in before you can comment on or make changes to this bug.