Bug 995034 (CVE-2016-6905)

Summary: VUL-0: CVE-2016-6905: gd: Out-of-bounds read in function read_image_tga in gd_tga.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, krahmer, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/172101/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Marcus Meissner 2016-08-23 09:49:44 UTC
    as far as I see our sle11 gd does not have TGA support.

    sle12 and opensuse affected.

    embedded libgd in php* is older, seems not to contain TGA support.
Comment 2 Petr Gajdos 2016-08-23 11:25:13 UTC
(In reply to Marcus Meissner from comment #1)
>     as far as I see our sle11 gd does not have TGA support.
> 
>     sle12 and opensuse affected.

Yes.

>     embedded libgd in php* is older, seems not to contain TGA support.

Yes (even for php7).
Comment 3 Bernhard Wiedemann 2016-08-23 12:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (995034) was mentioned in
https://build.opensuse.org/request/show/421247 Factory / gd
Comment 4 Petr Gajdos 2016-08-23 12:29:51 UTC
Guys, 

I am a little bit confused. We have three bugs with regard to gd tga support:

     bug 987577 (CVE-2016-6132)
     bug 991436 (CVE-2016-6214)
this bug 995034 (CVE-2016-6905)

It seems that I failed to find correct commits for them. I will write down what I think now which commits are assigned to each bug/CVE, please confirm I am correct.

(A) bug 987577 (CVE-2016-6132)
https://github.com/libgd/libgd/commit/921e590565deb033acafcfa9063b4563200b14b5
referenced from https://github.com/libgd/libgd/issues/247

(B) bug 991436 (CVE-2016-6214)
https://github.com/libgd/libgd/commit/10ef1dca63d62433fda13309b4a228782db823f7
referenced from https://github.com/libgd/libgd/issues/247
and             http://seclists.org/oss-sec/2016/q3/62
                

(C) bug 995034 (CVE-2016-6905)
https://github.com/libgd/libgd/commit/3c2b605d72e8b080dace1d98a6e50b46c1d12186
https://github.com/libgd/libgd/commit/01c61f8ab110a77ae64b5ca67c244c728c506f03
referenced from https://github.com/libgd/libgd/issues/248

Am I now correct? 

Currently we have these commits from (C) assigned to CVE-2016-6214 and the commit from (B) assigned to CVE-2016-6132, if I am still not completely lost.
Comment 6 Petr Gajdos 2016-08-23 13:07:47 UTC
Okay, thanks.

See new submissions for sle12 and 13.2.
Comment 7 Bernhard Wiedemann 2016-08-23 14:01:09 UTC
This is an autogenerated message for OBS integration:
This bug (995034) was mentioned in
https://build.opensuse.org/request/show/421269 Factory / gd
https://build.opensuse.org/request/show/421283 13.2 / gd
Comment 9 Swamp Workflow Management 2016-08-23 22:00:15 UTC
bugbot adjusting priority
Comment 10 Swamp Workflow Management 2016-08-31 18:09:00 UTC
openSUSE-SU-2016:2203-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 995034
CVE References: CVE-2016-6905
Sources used:
openSUSE 13.2 (src):    gd-2.1.0-7.14.1
Comment 11 Petr Gajdos 2016-09-05 08:42:36 UTC
Requests got accepted.
Comment 12 Swamp Workflow Management 2016-09-14 11:11:29 UTC
SUSE-SU-2016:2303-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-12.1
Comment 13 Swamp Workflow Management 2016-09-24 00:10:15 UTC
openSUSE-SU-2016:2363-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
openSUSE Leap 42.1 (src):    gd-2.1.0-10.1
Comment 14 Marcus Meissner 2017-05-22 15:34:36 UTC
released