Bugzilla – Bug 1056993
VUL-0: CVE-2017-6362: gd: Double-free in gdImagePngPtr()
Last modified: 2018-02-19 16:18:33 UTC
CVE-2017-6362

https://github.com/libgd/libgd/issues/381
https://github.com/libgd/libgd/commit/56ce6ef068b954ad28379e83cca04feefc51320c

The problem is that gdImagePngPtr() calls gdImagePngCtxEx(), but the latter bails out because there are no colors in the palette. However, gdImagePngCtxEx() doesn't provide a meaningful return value, so gdImagePngPtr() can't check whether the operation succeeded. It seems that we need a fix analogous to commit a49feea. Other image output functions might be affected as well.

References:
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6362.html
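A simplified model of the pattern described in this report, as an added example that is not libgd code and not part of the bug thread. All names are hypothetical, and the assumption that the encoder's error path releases the output buffer belongs to this model, not to the page; a counter stands in for the second free() so the program runs without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output sink; 'releases' counts cleanup calls on its buffer. */
struct sink { unsigned char *buf; size_t len; int releases; };

/* Only the first call really frees; later calls are just counted. */
static void sink_release(struct sink *s) {
    if (s->releases++ == 0)
        free(s->buf);
}

/* Reported pattern: the encoder bails out on an empty palette and the
   caller gets no status. Cleanup on the error path is an assumption. */
static void encode_void(struct sink *s, int ncolors) {
    if (ncolors == 0) { sink_release(s); return; }
    memcpy(s->buf, "PNG", 4);
    s->len = 4;
}

/* Same encoder, but it reports failure (nonzero) to the caller. */
static int encode_status(struct sink *s, int ncolors) {
    if (ncolors == 0) { sink_release(s); return 1; }
    memcpy(s->buf, "PNG", 4);
    s->len = 4;
    return 0;
}

/* Wrapper that cannot check the result: it always runs its own cleanup. */
int releases_unchecked(int ncolors) {
    struct sink s = { malloc(16), 0, 0 };
    if (!s.buf) return -1;
    encode_void(&s, ncolors);
    sink_release(&s);          /* second release when the encoder failed */
    return s.releases;
}

/* Wrapper that checks the status and skips cleanup the encoder already did. */
int releases_checked(int ncolors) {
    struct sink s = { malloc(16), 0, 0 };
    if (!s.buf) return -1;
    if (encode_status(&s, ncolors) == 0)
        sink_release(&s);
    return s.releases;
}

int main(void) {
    printf("unchecked, empty palette: %d releases\n", releases_unchecked(0));
    printf("checked,   empty palette: %d releases\n", releases_checked(0));
    return 0;
}
```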
The function is not called in the php embedded copy, so php* is not affected.
Created attachment 739254
xx.c

QA REPRODUCER:

gcc -O2 -Wall -g xx.c -o xx -lgd
./xx

should not abort with memory corruption

GD Warning: gd-png error: no colors in palette
*** Error in `./xx': free(): invalid pointer: 0x000000d7d15f9c50 ***
Aborted (core dumped)
Not clear how reachable this is via data.
For Tumbleweed, solved by version update.
12/gd:

$ ./xx
GD Warning: gd-png error: no colors in palette
*** Error in `./xx': free(): invalid pointer: 0x000000000164ac50 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7271f)[0x7ff5b63de71f]
/lib64/libc.so.6(+0x77fc6)[0x7ff5b63e3fc6]
./xx[0x400704]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff5b638dac5]
./xx[0x40073d]
======= Memory map: ========
Aborted (core dumped)
$

As far as can be tested with the provided testcase, 11/gd and 10sp3/gd are not affected:

$ ./xx
gd-png: fatal libpng error: Invalid number of colors in palette
gd-png error: setjmp returns error condition
$
Indeed, 11/gd and 10sp3/gd seem not to be affected.
SUSE-SU-2018:0135-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1056993
CVE References: CVE-2017-6362
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Server 12-SP3 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Server 12-SP2 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Desktop 12-SP3 (src): gd-2.1.0-24.3.4
SUSE Linux Enterprise Desktop 12-SP2 (src): gd-2.1.0-24.3.4
openSUSE-SU-2018:0151-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1056993
CVE References: CVE-2017-6362
Sources used:
openSUSE Leap 42.3 (src): gd-2.1.0-21.1
openSUSE Leap 42.2 (src): gd-2.1.0-18.3.1
released