Bug 991710 - VUL-1: CVE-2016-6128: gd: Invalid color index not properly handled
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/170569/
CVSSv2:SUSE:CVE-2016-6128:4.3:(AV:N/A...
Depends on: CVE-2016-6128
Reported: 2016-08-02 13:27 UTC by Sebastian Krahmer
Modified: 2016-10-24 08:22 UTC (History)
Found By: Security Response Team
Description Sebastian Krahmer 2016-08-02 13:27:52 UTC
+++ This bug was initially created as a clone of Bug #987580 +++

http://seclists.org/oss-sec/2016/q2/627

    There is currently PHP upstream bug which is still marked as private:

    https://bugs.php.net/bug.php?id=72494

    But the libgd project references the following set of commits to this
    bug report:

    https://github.com/libgd/libgd/compare/3fe0a71...6ff72ae

    indicating that libgd does not properly handle invalid color index,
    which could lead to a denial of service against applications using the
    libgd library (in particular thus PHP).


    https://github.com/libgd/libgd/commit/1ccfe21e14c4d18336f9da8515cd17db88c3de61
    gd_crop.c
    gdImageCropThreshold

    + if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
    + return NULL;
    + }
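
Review bot: in the added condition, `color < 0` only has an effect if `color` is a signed type, and the hunk does not show the parameter's declaration; if it is unsigned, as Comment 3 in this thread says, that comparison is always false and should be dropped, leaving `!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)`. The new early `return NULL` also deserves a line in the function's documentation so that callers know to check for it.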

    https://github.com/libgd/libgd/commit/6ff72ae40c7c20ece939afb362d98cc37f4a1c96
    tests/gdimagecrop/php_bug_72494.c

    im = gdImageCreate(50, 50);
    gdImageCropThreshold(im, 1337, 0);
    gdImageDestroy(im);



https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1351603
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6128
http://seclists.org/oss-sec/2016/q2/627
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6128.html
Comment 1 Petr Gajdos 2016-08-08 11:48:57 UTC
Again, imho color can not be lower than zero.
Comment 2 Sebastian Krahmer 2016-08-08 11:54:59 UTC
Maybe. But either case, having this patch won't hurt us and keeping us aligned
with upstream patchset.
(If color can't be < 0, I wonder why they are using signed ints anyway)
Comment 3 Petr Gajdos 2016-08-08 12:38:50 UTC
No, color is unsigned int.

But they noticed it already:
https://github.com/libgd/libgd/commit/e29a140290a084b0aa590c5edbb596060aa44acb
Comment 4 Petr Gajdos 2016-08-08 12:44:33 UTC
affected: 13.2/gd, 12/gd
not affected: 11/gd
Comment 5 Petr Gajdos 2016-08-08 13:37:38 UTC
I believe all affected code streams are fixed.
Comment 6 Bernhard Wiedemann 2016-08-08 14:01:23 UTC
This is an autogenerated message for OBS integration:
This bug (991710) was mentioned in
https://build.opensuse.org/request/show/417845 13.2 / gd
Comment 8 Swamp Workflow Management 2016-08-19 17:11:15 UTC
openSUSE-SU-2016:2117-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987577,988032,991436,991622,991710
CVE References: CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214
Sources used:
openSUSE 13.2 (src):    gd-2.1.0-7.11.1
Comment 10 Swamp Workflow Management 2016-09-14 11:11:20 UTC
SUSE-SU-2016:2303-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-12.1
Comment 11 Swamp Workflow Management 2016-09-24 00:10:05 UTC
openSUSE-SU-2016:2363-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
openSUSE Leap 42.1 (src):    gd-2.1.0-10.1
Comment 12 Victor Pereira 2016-10-24 07:23:07 UTC
all updates released