Bug 1123361

Summary: VUL-0: CVE-2019-6977: gd: A heap based buffer overflow is discovered in GD Graphics library
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/223820/
Whiteboard: CVSSv3:SUSE:CVE-2019-6977:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) CVSSv2:NVD:CVE-2019-6977:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2019-6977:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2019-6977:6.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-01-28 13:36:04 UTC
+++ This bug was initially created as a clone of Bug #1123354 +++

CVE-2019-6977

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD)
2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before
7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer
overflow. This can be exploited by an attacker who is able to trigger
imagecolormatch calls with crafted image data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6977
https://bugs.php.net/bug.php?id=77270
http://php.net/ChangeLog-7.php
http://php.net/ChangeLog-5.php
Comment 1 Alexandros Toptsoglou 2019-01-28 13:38:37 UTC
SUSE:SLE-12:Update and SUSE:SLE-15:Update are affected. Please refer to the corresponding php bug[1] for more information 

[1] https://bugzilla.suse.com/show_bug.cgi?id=1123354
Comment 2 Petr Gajdos 2019-01-31 12:45:08 UTC
$ cat 77270.c
#include <gd.h>

int main()
{
    FILE *fp;
    gdImagePtr im1, im2;

    fp = fopen("77270.png", "r");
    im1 = gdImageCreateFromPng(fp);
    im2 = gdImageCreateFromPng(fp);
    fclose(fp);

    gdImagePaletteToTrueColor(im1);
    gdImageColorMatch(im1, im2);

    gdImageDestroy(im1);
    gdImageDestroy(im2);
}
$ gcc -o 77270 77270.c -lgd
$

BEFORE

TW,15,12/gd

$ ./77270
Segmentation fault (core dumped)
$

Testcase does not work for 11,10sp3/gd as gdImagePaletteToTrueColor() and gdImageColorMatch() is not available there.

PATCH

$ ./77270
Segmentation fault (core dumped)
$

So the patch itself does not work. Perhaps integer overflow?
Comment 3 Petr Gajdos 2019-01-31 13:01:39 UTC
No. The testcase was probably wrong.

$ cat 77270.c
#include <gd.h>

int main()
{
    FILE *fp;
    gdImagePtr im1, im2;

    fp = fopen("77270.png", "r");
    im1 = gdImageCreateFromPng(fp);
    fseek(fp, 0, SEEK_SET);
    im2 = gdImageCreateFromPng(fp);
    fclose(fp);

    gdImagePaletteToTrueColor(im1);
    gdImageColorMatch(im1, im2);

    gdImageDestroy(im1);
    gdImageDestroy(im2);
}
$ gcc -o 77270 77270.c -lgd
$

BEFORE

TW,15,12/gd

$ ./77270
free(): invalid pointer
Aborted (core dumped)
$

PATCH

TW,15,12:
http://git.php.net/?p=php-src.git;a=commit;h=a15af81b5f0058e020eda0f109f51a3c863f5212

11,10sp3:
code not found

AFTER

TW/gd

$ ./77270
$
Comment 4 Petr Gajdos 2019-01-31 13:02:14 UTC
Will submit for: TW,15,12/gd
Comment 5 Petr Gajdos 2019-02-04 09:32:14 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2019-02-04 10:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1123361) was mentioned in
https://build.opensuse.org/request/show/671007 Factory / gd
Comment 12 Swamp Workflow Management 2019-03-26 17:13:36 UTC
SUSE-SU-2019:0747-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123361,1123522
CVE References: CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Server 12-SP4 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    gd-2.1.0-24.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    gd-2.1.0-24.12.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-03-27 14:22:07 UTC
SUSE-SU-2019:0771-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123361,1123522
CVE References: CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    gd-2.2.5-4.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    gd-2.2.5-4.6.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-04-04 19:10:03 UTC
openSUSE-SU-2019:1148-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123361,1123522
CVE References: CVE-2019-6977,CVE-2019-6978
Sources used:
openSUSE Leap 15.0 (src):    gd-2.2.5-lp150.8.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-04-04 22:25:57 UTC
openSUSE-SU-2019:1140-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123361,1123522
CVE References: CVE-2019-6977,CVE-2019-6978
Sources used:
openSUSE Leap 42.3 (src):    gd-2.1.0-30.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2019-09-04 06:23:36 UTC
done