Bug 1004924 – VUL-0: CVE-2016-8670: libgd, php5, php53, php7: Stack Buffer Overflow in GD dynamicGetbuf

Bug 1004924 - (CVE-2016-8670) VUL-0: CVE-2016-8670: libgd, php5, php53, php7: Stack Buffer Overflow in GD dynamicGetbuf

(CVE-2016-8670)
Summary:	VUL-0: CVE-2016-8670: libgd, php5, php53, php7: Stack Buffer Overflow in GD d...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/173617/
Whiteboard:	CVSSv2:SUSE:CVE-2016-8670:6.8:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-10-15 09:38 UTC by Mikhail Kasimov
Modified:	2019-06-05 06:38 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
CVE-2016-8670.php (253 bytes, text/plain) 2016-10-31 15:57 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mikhail Kasimov 2016-10-15 09:38:33 UTC

Reference: http://seclists.org/oss-sec/2016/q4/133
==================================================
Hi

On the PHP bug tracker Emmanuel Law reported a flaw in the libgd
library in dynamicGetbuf. The PHP bug report is at (cannot quote the
full report for the list archive, sinc a bit long):

https://bugs.php.net/bug.php?id=73280

It has been reported upstream apparently (not via the issue tracker)
and fixed in upstream as with commit:

https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9

Debian has issued a DSA containing this fix as well in DSA-3693-1,
https://lists.debian.org/debian-security-announce/2016/msg00274.html

Could you please assign a CVE for this issue?

Regards,
Salvatore
==================================================

Comment 1 Johannes Segitz 2016-10-17 09:17:00 UTC

We can fix the wrong return value while we're at it

Comment 2 Swamp Workflow Management 2016-10-17 22:00:39 UTC

bugbot adjusting priority

Comment 3 Johannes Segitz 2016-10-18 09:49:15 UTC

(In reply to Johannes Segitz from comment #1)
This is tracked in bsc#1005274

Comment 4 Mikhail Kasimov 2016-10-18 09:56:27 UTC

(In reply to Johannes Segitz from comment #3)
> (In reply to Johannes Segitz from comment #1)
> This is tracked in bsc#1005274

Sense of such cloning/duplicating?

Comment 5 Johannes Segitz 2016-10-18 11:39:53 UTC

(In reply to Mikhail Kasimov from comment #4)
Most of the time we open one bug for one CVE (sometimes we use tracker bugs, but that is rather seldom). In this case the other CVE showed up a day later, otherwise I probably would have merged them before and used only one bug.

Comment 6 Petr Gajdos 2016-10-18 12:03:29 UTC

(In reply to Johannes Segitz from comment #5)
> (In reply to Mikhail Kasimov from comment #4)
> Most of the time we open one bug for one CVE (sometimes we use tracker bugs,

That works for me.

I think there was misunderstanding in comment 4 because in comment 3 you cut off what actually is tracked in bug 1005274. One had to notice that there is a different CVE.

Comment 7 Mikhail Kasimov 2016-10-18 12:09:38 UTC

(In reply to Johannes Segitz from comment #5)
> (In reply to Mikhail Kasimov from comment #4)
> Most of the time we open one bug for one CVE (sometimes we use tracker bugs,
> but that is rather seldom). In this case the other CVE showed up a day
> later, otherwise I probably would have merged them before and used only one
> bug.

Ok, thanks! :)

> That works for me.
>
> I think there was misunderstanding in comment 4 because in comment 3 you cut >off what actually is tracked in bug 1005274. One had to notice that there is a > different CVE.

Quite so. :) No problem.

Comment 8 Petr Gajdos 2016-10-20 09:30:15 UTC

All versions of gd appears to be affected.

Comment 10 Bernhard Wiedemann 2016-10-20 10:02:41 UTC

This is an autogenerated message for OBS integration:
This bug (1004924) was mentioned in
https://build.opensuse.org/request/show/436506 13.2 / gd

Comment 11 Petr Gajdos 2016-10-20 11:29:46 UTC

All versions of php-gd are affected.

Packages submitted.

Comment 12 Bernhard Wiedemann 2016-10-20 12:01:20 UTC

This is an autogenerated message for OBS integration:
This bug (1004924) was mentioned in
https://build.opensuse.org/request/show/436512 13.2 / php5

Comment 14 Swamp Workflow Management 2016-10-24 12:13:29 UTC

openSUSE-SU-2016:2606-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-83.1

Comment 15 Swamp Workflow Management 2016-10-28 16:13:58 UTC

SUSE-SU-2016:2668-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-17.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-17.1

Comment 16 Swamp Workflow Management 2016-10-28 16:21:35 UTC

SUSE-SU-2016:2670-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-8670
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gd-2.0.36.RC1-52.25.1
SUSE Linux Enterprise Server 11-SP4 (src):    gd-2.0.36.RC1-52.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gd-2.0.36.RC1-52.25.1

Comment 17 Swamp Workflow Management 2016-10-31 11:08:14 UTC

SUSE-SU-2016:2681-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-8670
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-87.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-87.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-87.1

Comment 18 Swamp Workflow Management 2016-10-31 11:09:56 UTC

SUSE-SU-2016:2683-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-20.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-20.1

Comment 19 Marcus Meissner 2016-10-31 15:57:08 UTC

Created attachment 700044 [details]
CVE-2016-8670.php

QA REPRODUCER:

php CVE-2016-8670.php

should not crash

Comment 20 Swamp Workflow Management 2016-11-01 15:32:39 UTC

SUSE-SU-2016:2683-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-20.1

Comment 21 Swamp Workflow Management 2016-11-02 07:46:37 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63166

Comment 22 Swamp Workflow Management 2016-11-02 07:50:03 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63168

Comment 24 Swamp Workflow Management 2016-11-09 21:10:22 UTC

SUSE-SU-2016:2766-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-83.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-83.1

Comment 25 Swamp Workflow Management 2016-11-10 16:21:46 UTC

openSUSE-SU-2016:2772-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
openSUSE Leap 42.1 (src):    gd-2.1.0-13.1

Comment 26 Sebastian Krahmer 2016-11-14 13:01:36 UTC

released

Comment 27 Swamp Workflow Management 2016-11-17 19:07:07 UTC

openSUSE-SU-2016:2831-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-65.2

Comment 28 Swamp Workflow Management 2016-11-17 19:12:11 UTC

openSUSE-SU-2016:2837-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001900,1004924,1005274
CVE References: CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-65.1

Comment 31 Swamp Workflow Management 2017-01-30 13:09:04 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63366

Comment 32 Swamp Workflow Management 2017-01-30 13:26:49 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367