Bugzilla – Bug 988032
VUL-1: CVE-2016-6161: php: global out of bounds read when encoding gif from malformed input withgd2togif
Last modified: 2016-11-01 15:22:02 UTC
http://seclists.org/oss-sec/2016/q3/14 The following (older) issue in libgd's issue tracker can be found, with possible security impact for applications using the libgd library. If I see it correctly this is not an issue in the gd2togif utility but in the library. It was reported upstream as: https://github.com/libgd/libgd/issues/209 with the fix https://github.com/libgd/libgd/commit/82b80dcb70a7ca8986125ff412bceddafc896842 (gd-2.2.0) a global out of bounds read error in the function output (gd_gif_out.c), called by compress/GifEncode. AddressSanitizer: global-buffer-overflow READ of size 8 gif: avoid out-of-bound reads of masks array #209 When given invalid inputs, we might be fed the EOF marker before it is actually the EOF. The gif logic assumes once it sees the EOF marker, there won't be any more data, so it leaves the cur_bits index possibly negative. So when we get more data, we underflow the masks array. Use CVE-2016-6161. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6161 http://seclists.org/oss-sec/2016/q3/14 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6161.html
bugbot adjusting priority
Perhaps this one: https://bugs.php.net/bug.php?id=72519 http://git.php.net/?p=php-src.git;a=commit;h=2fbce5f51f4ba01e4d0de3b8592bb14773a98d4d Do not forgot on php7 and PLEASE, file a new bug report for gd, thanks!
11sp3/php53 and older is not affected.
There is a testcase in the php bug, but I do not know how to reproduce the problem without address sanitizer.
Warning, this bug is still not reported against libgd.
I believe all affected code streams fixed.
This is an autogenerated message for OBS integration: This bug (988032) was mentioned in https://build.opensuse.org/request/show/416889 13.2 / php5
This is an autogenerated message for OBS integration: This bug (988032) was mentioned in https://build.opensuse.org/request/show/417845 13.2 / gd
openSUSE-SU-2016:2071-1: An update that fixes 12 vulnerabilities is now available. Category: security (moderate) Bug References: 987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437 CVE References: CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297 Sources used: openSUSE 13.2 (src): php5-5.6.1-72.1
openSUSE-SU-2016:2117-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 987577,988032,991436,991622,991710 CVE References: CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214 Sources used: openSUSE 13.2 (src): gd-2.1.0-7.11.1
SUSE-SU-2016:2302-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 988032 CVE References: CVE-2016-6161 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gd-2.0.36.RC1-52.22.1 SUSE Linux Enterprise Server 11-SP4 (src): gd-2.0.36.RC1-52.22.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): gd-2.0.36.RC1-52.22.1
SUSE-SU-2016:2303-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 982176,987577,988032,991436,991622,991710,995034 CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP1 (src): gd-2.1.0-12.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gd-2.1.0-12.1 SUSE Linux Enterprise Server 12-SP1 (src): gd-2.1.0-12.1 SUSE Linux Enterprise Desktop 12-SP1 (src): gd-2.1.0-12.1
openSUSE-SU-2016:2363-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 982176,987577,988032,991436,991622,991710,995034 CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905 Sources used: openSUSE Leap 42.1 (src): gd-2.1.0-10.1
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-73.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-73.1
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-59.1
done
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1