From MITRE CVE entry: "Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5."

Fixed upstream by: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5

No new release with the fix upstream yet, not sure if any plans to. There have been a lot of commits to master upstream since 2.2.5 was released Aug 2017, so not sure how safe cherry picking this one fix is.

FWIW I tried anyway, saved the fix as a patch into /etc/portage/patches/media-libs/gd-2.2.5, it was applied without any apparent problems when rebuilding the current stable media-libs/gd-2.2.5:

>>> Emerging (1 of 1) media-libs/gd-2.2.5::gentoo
 * libgd-2.2.5.tar.xz BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking libgd-2.2.5.tar.xz to /build/portage/media-libs/gd-2.2.5/work
>>> Source unpacked in /build/portage/media-libs/gd-2.2.5/work
>>> Preparing source in /build/portage/media-libs/gd-2.2.5/work/libgd-2.2.5 ...
 * Applying CVE-2018-1000222.patch ... [ ok ]
 * User patches applied.
 * Running elibtoolize in: libgd-2.2.5/
 *   Applying ppc64le/2.4.4 patch ...
 * Running elibtoolize in: libgd-2.2.5/config/
 *   Applying portage/1.2.0 patch ...
 *   Applying sed/1.5.6 patch ...
 *   Applying as-needed/2.4.3 patch ...
>>> Source prepared.

No warnings or errors at all appeared in the build output. I then ran a rudimentary test as follows:

pngtogd existing_image.png output.gd
gdtopng output.gd new_image.png

The resultant new_image.png was a perfect reproduction of the original. But it's not a comprehensive test of course.

Reproducible: Didn't try
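The procedure above (drop the upstream commit into /etc/portage/patches and rebuild) leaves open the reporter's own question of whether a cherry-picked fix really applies cleanly to 2.2.5. As an added example, not code from the bug report or from Gentoo, this script dry-runs a patch against an unpacked source tree with zero fuzz and stages it only if that passes; PORTAGE_ROOT (an assumed override of /etc/portage), the tiny sample tree and its one-hunk patch are constructed stand-ins for libgd-2.2.5 and the upstream commit.

```shell
# Added example, not code from the bug report or from Gentoo: stage an
# upstream fix as a Portage user patch only after a dry run proves it
# applies cleanly to the unpacked source. PORTAGE_ROOT (assumed name)
# overrides /etc/portage so the demo never touches the real system.
set -u

# Portage reads user patches from /etc/portage/patches/<category>/<pkg-version>/
user_patch_dir() {
    printf '%s/patches/%s\n' "${PORTAGE_ROOT:-/etc/portage}" "$1"
}

# Dry-run with zero fuzz: succeeds only if every hunk matches the tree exactly,
# which is the check to make before trusting a cherry-pick on an older release.
patch_applies_cleanly() {
    patch -p1 -N -F0 --dry-run -d "$1" < "$2" >/dev/null 2>&1
}

# Copy the patch into place only when the dry run passes; prints the staged path.
stage_user_patch() {
    atom=$1; srcdir=$2; patchfile=$3
    patch_applies_cleanly "$srcdir" "$patchfile" || return 1
    dest=$(user_patch_dir "$atom")
    mkdir -p "$dest" && cp "$patchfile" "$dest/" || return 1
    printf '%s/%s\n' "$dest" "$(basename "$patchfile")"
}

# Constructed sample standing in for libgd-2.2.5 and the upstream commit:
# a one-file tree and a one-hunk fix that matches it. Prints the work dir.
make_sample_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/src/src"
    printf 'int f(void) {\n    return 0;\n}\n' > "$work/src/src/a.c"
    cat > "$work/fix.patch" <<'EOF'
--- a/src/a.c
+++ b/src/a.c
@@ -1,3 +1,3 @@
 int f(void) {
-    return 0;
+    return 1;
 }
EOF
    printf '%s\n' "$work"
}

# Stand-alone run against a throwaway root instead of /etc/portage.
work=$(make_sample_tree)
PORTAGE_ROOT="$work/portage"; export PORTAGE_ROOT
stage_user_patch media-libs/gd-2.2.5 "$work/src" "$work/fix.patch"
```

For a real run, point the second argument at the unpacked libgd-2.2.5 tree and the third at the upstream commit saved as a unified diff; a non-zero exit means the hunks no longer match and the backport needs manual review.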
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04cf9aa3bf7e0746e85461c3c56d9f9a95ce6fba

commit 04cf9aa3bf7e0746e85461c3c56d9f9a95ce6fba
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-14 19:11:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-14 19:15:47 +0000

    media-libs/gd: Fix CVE-2018-1000222

    Thanks-to: Eddie Chapman <maracay@ehuk.net>
    Bug: https://bugs.gentoo.org/664732
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 .../gd/files/gd-2.2.5-CVE-2018-1000222.patch | 73 ++++++++++++++++++++++
 media-libs/gd/gd-2.2.5-r1.ebuild             | 64 +++++++++++++++++++
 2 files changed, 137 insertions(+)
amd64 stable
sparc done.
x86 stable
arm stable
arm64 stable. Bug 608730 and bug 632076 still a problem - very annoying.
ppc/ppc64 stable
Stable on alpha.
ia64 stable
@maintainer(s), please drop vulnerable.
hppa stable
This issue was resolved and addressed in GLSA 201903-18 at https://security.gentoo.org/glsa/201903-18 by GLSA coordinator Aaron Bauman (b-man).