112937 2005-11-18 10:40 0000 media-libs/gd: gd-2.0.32 integer overflows in gdImageCreate(), gdImageCreateTrueColor() 2005-12-28 02:24:43 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941 B3 [noglsa] P2 minor --- 1 adobriyan@gmail.com security@gentoo.org mips@gentoo.org adobriyan@gmail.com 2005-11-18 10:40:12 0000 gd.c: 70 BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy) 71 { 72 int i; 73 gdImagePtr im; 74 im = (gdImage *) gdMalloc (sizeof (gdImage)); 75 memset (im, 0, sizeof (gdImage)); 76 /* Row-major ever since gd 1.3 */ 77 im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy); gdImageCreate() is called from gdImageCreateFromXbm() with "sy" directly from .xbm file. 111 BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy) 112 { 113 int i; 114 gdImagePtr im; 115 im = (gdImage *) gdMalloc (sizeof (gdImage)); 116 memset (im, 0, sizeof (gdImage)); 117 im->tpixels = (int **) gdMalloc (sizeof (int *) * sy); ----------------------------------------------------------------------- Steps to reproduce: 1.c: ----------------------------------------- #include <stdio.h> #include <gd.h> int main(void) { FILE *f; f = fopen("1.xbm", "rb"); gdImageCreateFromXbm(f); return 0; } ----------------------------------------- gcc -o 1 1.c -lgd 1.xbm: (3 lines) ----------------------------------------- #define a 1 #define b 1073741824 ----------------------------------------- ./1 taviso@gentoo.org 2005-12-05 13:36:19 0000 There's definitely a heap overflow there, but it looks very difficult (impossible?) to exploit, the allocated chunk is filled up with pointers returned from more calls to malloc so no direct control over what's written there. Nevertheless, it's a bug, and you could cause a linked application to crash (mod_php?), so this needs to be fixed. handing it over to vulnerabilities. adobriyan@gmail.com 2005-12-05 16:07:53 0000 Created an attachment (id=74122) Fix integer overflow Ohhh... something is missing. The patch. ;-) Thorough check of gdImageCreateTrueColor() return values will be done tomorrow, sorry. vapier@gentoo.org 2005-12-05 17:06:48 0000 patch looks good to me ... if someone else wants to peek at it real quick, i'll hold adding gd-2.0.33 until they do ... koon@gentoo.org 2005-12-09 07:01:26 0000 Reporter : you should push this to vendor-sec@lst.de, they might be interested. We can do it if you prefer, the idea being to set a public disclosure date for all security releases, like +7 days. koon@gentoo.org 2005-12-11 09:19:59 0000 OK this is an old one that never made it upstream (CVE-2004-0941). Probably better to check the old complete patches to see nothing else slipped through ? vapier@gentoo.org 2005-12-11 19:33:57 0000 err, i dont think it's those issues ... we've had overflows in the png routines before, but i dont think anyone has mentioned xbm before also, if we fix up the core create functions, we might be able to back out some of the sanity checks in the png layers ... but i'd have to review the code again to be sure ... koon@gentoo.org 2005-12-14 07:39:53 0000 It's been fixed under that name on Debian : http://ftp.debian.org/debian/pool/main/libg/libgd2/libgd2_2.0.33-1.1.diff.gz Maybe extract the fixorz from their patchset ? adobriyan@gmail.com 2005-12-14 09:22:43 0000 Looks like they open-coded overflow2(). Attaching interesting part FYI. adobriyan@gmail.com 2005-12-14 09:24:21 0000 Created an attachment (id=74735) Part of libgd2_2.0.33-1.1.diff.gz from Debian gd.c | 11 ++++++++++- gd_gd.c | 4 ++++ gd_io_dp.c | 4 +++- gd_png.c | 5 +++++ gdxpm.c | 5 +++++ wbmp.c | 12 ++++++++---- 6 files changed, 35 insertions(+), 6 deletions(-) koon@gentoo.org 2005-12-20 04:11:02 0000 vapier: please check and bump vapier@gentoo.org 2005-12-20 06:26:48 0000 read my comment #3 :P ive had this done locally, i just asked for feedback a while ago koon@gentoo.org 2005-12-20 08:06:00 0000 Apparently nobody wants to doublecheck your patch. Looks good to me but I'm pointer-impaired. So commit it :) vapier@gentoo.org 2005-12-20 17:55:16 0000 added 2.0.33 to cvs dercorny@gentoo.org 2005-12-20 22:17:22 0000 arches, please test and mark stable - thx dercorny@gentoo.org 2005-12-20 22:18:59 0000 ... note to self: don't fight bugs without your morning coffee, sorry. corsair@gentoo.org 2005-12-20 22:29:51 0000 stable on ppc64 halcy0n@gentoo.org 2005-12-20 23:04:17 0000 x86 done ferdy@gentoo.org 2005-12-21 02:06:32 0000 alpha'lized Cheers, Ferdy gustavoz@gentoo.org 2005-12-21 05:05:26 0000 sparc stable. cryos@gentoo.org 2005-12-21 06:20:09 0000 Stable on amd64. hansmi@gentoo.org 2005-12-22 11:39:35 0000 Stable on ppc. dercorny@gentoo.org 2005-12-22 11:43:37 0000 ready for glsa. tend to say no here because taviso said that it's probably not exploitable. koon@gentoo.org 2005-12-23 00:27:17 0000 Half yes, for the crash possibility (mod_php and other webapps). jaervosz@gentoo.org 2005-12-28 01:38:15 0000 jaervosz@gentoo.org 2005-12-28 01:38:15 0000 ½ NO from me. koon@gentoo.org 2005-12-28 02:24:43 0000 Reverting to no and closing. 74122 2005-12-05 16:07 0000 Fix integer overflow gd.patch text/plain LS0tIGdkLTIuMC4zMi0wMDAvZ2QuYworKysgZ2QtMi4wLjMyLTAwMS9nZC5jCkBAIC03NCw2ICs3 NCwxMCBAQCBCR0RfREVDTEFSRShnZEltYWdlUHRyKSBnZEltYWdlQ3JlYXRlIChpCiAgIGltID0g KGdkSW1hZ2UgKikgZ2RNYWxsb2MgKHNpemVvZiAoZ2RJbWFnZSkpOwogICBtZW1zZXQgKGltLCAw LCBzaXplb2YgKGdkSW1hZ2UpKTsKICAgLyogUm93LW1ham9yIGV2ZXIgc2luY2UgZ2QgMS4zICov CisgIGlmIChvdmVyZmxvdzIoc2l6ZW9mICh1bnNpZ25lZCBjaGFyICopLCBzeSkpIHsKKyAgICBn ZEZyZWUoaW0pOworICAgIHJldHVybiBOVUxMOworICB9CiAgIGltLT5waXhlbHMgPSAodW5zaWdu ZWQgY2hhciAqKikgZ2RNYWxsb2MgKHNpemVvZiAodW5zaWduZWQgY2hhciAqKSAqIHN5KTsKICAg aW0tPnBvbHlJbnRzID0gMDsKICAgaW0tPnBvbHlBbGxvY2F0ZWQgPSAwOwpAQCAtMTE0LDYgKzEx OCwxMCBAQCBCR0RfREVDTEFSRShnZEltYWdlUHRyKSBnZEltYWdlQ3JlYXRlVHJ1CiAgIGdkSW1h Z2VQdHIgaW07CiAgIGltID0gKGdkSW1hZ2UgKikgZ2RNYWxsb2MgKHNpemVvZiAoZ2RJbWFnZSkp OwogICBtZW1zZXQgKGltLCAwLCBzaXplb2YgKGdkSW1hZ2UpKTsKKyAgaWYgKG92ZXJmbG93Mihz aXplb2YgKGludCAqKSwgc3kpKSB7CisgICAgZ2RGcmVlKGltKTsKKyAgICByZXR1cm4gTlVMTDsK KyAgfQogICBpbS0+dHBpeGVscyA9IChpbnQgKiopIGdkTWFsbG9jIChzaXplb2YgKGludCAqKSAq IHN5KTsKICAgaW0tPnBvbHlJbnRzID0gMDsKICAgaW0tPnBvbHlBbGxvY2F0ZWQgPSAwOwpAQCAt MjQ2Miw2ICsyNDcwLDggQEAgQkdEX0RFQ0xBUkUoZ2RJbWFnZVB0cikgZ2RJbWFnZUNyZWF0ZUZy bwogICAgIH0KICAgYnl0ZXMgPSAodyAqIGggLyA4KSArIDE7CiAgIGltID0gZ2RJbWFnZUNyZWF0 ZSAodywgaCk7CisgIGlmICghaW0pCisgICAgcmV0dXJuIE5VTEw7CiAgIGdkSW1hZ2VDb2xvckFs bG9jYXRlIChpbSwgMjU1LCAyNTUsIDI1NSk7CiAgIGdkSW1hZ2VDb2xvckFsbG9jYXRlIChpbSwg MCwgMCwgMCk7CiAgIHggPSAwOwotLS0gZ2QtMi4wLjMyLTAwMC9nZF9nZC5jCisrKyBnZC0yLjAu MzItMDAxL2dkX2dkLmMKQEAgLTE0OSw2ICsxNDksOCBAQCBfZ2RDcmVhdGVGcm9tRmlsZSAoZ2RJ T0N0eCAqIGluLCBpbnQgKnN4CiAgICAgewogICAgICAgaW0gPSBnZEltYWdlQ3JlYXRlICgqc3gs ICpzeSk7CiAgICAgfQorICBpZiAoIWltKQorICAgIGdvdG8gZmFpbDE7CiAgIGlmICghX2dkR2V0 Q29sb3JzIChpbiwgaW0sIGdkMnhGbGFnKSkKICAgICB7CiAgICAgICBnb3RvIGZhaWwyOwo= 74735 2005-12-14 09:24 0000 Part of libgd2_2.0.33-1.1.diff.gz from Debian libgd2_2.0.33-1.1.diff text/plain LS0tIGxpYmdkMi0yLjAuMzMub3JpZy9nZC5jCisrKyBsaWJnZDItMi4wLjMzL2dkLmMKQEAgLTcs NiArNyw3IEBACiAjaW5jbHVkZSA8c3RyaW5nLmg+CiAjaW5jbHVkZSA8c3RkbGliLmg+CiAvKiAy LjAzOiBkb24ndCBpbmNsdWRlIHpsaWIgaGVyZSBvciB3ZSBjYW4ndCBidWlsZCB3aXRob3V0IFBO RyAqLworI2luY2x1ZGUgPGxpbWl0cy5oPgogI2luY2x1ZGUgImdkLmgiCiAjaW5jbHVkZSAiZ2Ro ZWxwZXJzLmgiCiAKQEAgLTc0LDcgKzc1LDExIEBACiAgIGltID0gKGdkSW1hZ2UgKikgZ2RNYWxs b2MgKHNpemVvZiAoZ2RJbWFnZSkpOwogICBtZW1zZXQgKGltLCAwLCBzaXplb2YgKGdkSW1hZ2Up KTsKICAgLyogUm93LW1ham9yIGV2ZXIgc2luY2UgZ2QgMS4zICovCi0gIGltLT5waXhlbHMgPSAo dW5zaWduZWQgY2hhciAqKikgZ2RNYWxsb2MgKHNpemVvZiAodW5zaWduZWQgY2hhciAqKSAqIHN5 KTsKKyAgaWYgKHN5ID49IElOVF9NQVgvc2l6ZW9mICh1bnNpZ25lZCBjaGFyICopIHx8CisgICAg ICAoaW0tPnBpeGVscyA9ICh1bnNpZ25lZCBjaGFyICoqKSBnZE1hbGxvYyAoc2l6ZW9mICh1bnNp Z25lZCBjaGFyICopICogc3kpKSA9PSBOVUxMKSB7CisgICAgZ2RGcmVlKGltKTsKKyAgICByZXR1 cm4gTlVMTDsKKyAgfQogICBpbS0+cG9seUludHMgPSAwOwogICBpbS0+cG9seUFsbG9jYXRlZCA9 IDA7CiAgIGltLT5icnVzaCA9IDA7CkBAIC0yNDYyLDYgKzI0NjcsOCBAQAogICAgIH0KICAgYnl0 ZXMgPSAodyAqIGggLyA4KSArIDE7CiAgIGltID0gZ2RJbWFnZUNyZWF0ZSAodywgaCk7CisgIGlm ICghaW0pCisgICAgcmV0dXJuIDA7CiAgIGdkSW1hZ2VDb2xvckFsbG9jYXRlIChpbSwgMjU1LCAy NTUsIDI1NSk7CiAgIGdkSW1hZ2VDb2xvckFsbG9jYXRlIChpbSwgMCwgMCwgMCk7CiAgIHggPSAw OwpAQCAtMjYwMCw2ICsyNjA3LDggQEAKIAl7CiAJICBpbS0+cG9seUFsbG9jYXRlZCAqPSAyOwog CX0KKyAgICAgIGlmIChpbS0+cG9seUFsbG9jYXRlZCA+PSBJTlRfTUFYL3NpemVvZiAoaW50KSkK KwlyZXR1cm47CiAgICAgICBpbS0+cG9seUludHMgPSAoaW50ICopIGdkUmVhbGxvYyAoaW0tPnBv bHlJbnRzLAogCQkJCQlzaXplb2YgKGludCkgKiBpbS0+cG9seUFsbG9jYXRlZCk7CiAgICAgfQot LS0gbGliZ2QyLTIuMC4zMy5vcmlnL2dkX2dkLmMKKysrIGxpYmdkMi0yLjAuMzMvZ2RfZ2QuYwpA QCAtMTQ5LDYgKzE0OSwxMCBAQAogICAgIHsKICAgICAgIGltID0gZ2RJbWFnZUNyZWF0ZSAoKnN4 LCAqc3kpOwogICAgIH0KKworICBpZiAoIWltKQorICAgIGdvdG8gZmFpbDE7CisKICAgaWYgKCFf Z2RHZXRDb2xvcnMgKGluLCBpbSwgZ2QyeEZsYWcpKQogICAgIHsKICAgICAgIGdvdG8gZmFpbDI7 Ci0tLSBsaWJnZDItMi4wLjMzLm9yaWcvZ2RfaW9fZHAuYworKysgbGliZ2QyLTIuMC4zMy9nZF9p b19kcC5jCkBAIC0yMyw2ICsyMyw3IEBACiAjaW5jbHVkZSA8bWF0aC5oPgogI2luY2x1ZGUgPHN0 cmluZy5oPgogI2luY2x1ZGUgPHN0ZGxpYi5oPgorI2luY2x1ZGUgPGxpbWl0cy5oPgogI2luY2x1 ZGUgImdkLmgiCiAjaW5jbHVkZSAiZ2RoZWxwZXJzLmgiCiAKQEAgLTIwMiw3ICsyMDMsOCBAQAog ICAgICAgaWYgKG92ZXJmbG93MihkcC0+cmVhbFNpemUsIDIpKSB7CiAgICAgICAgIHJldHVybiBG QUxTRTsKICAgICAgIH0KLSAgICAgIGlmICghZ2RSZWFsbG9jRHluYW1pYyAoZHAsIGRwLT5yZWFs U2l6ZSAqIDIpKQorICAgICAgaWYgKGJ5dGVzTmVlZGVkID49IElOVF9NQVgvMiB8fAorCSAgIWdk UmVhbGxvY0R5bmFtaWMgKGRwLCBieXRlc05lZWRlZCAqIDIpKQogCXsKIAkgIGRwLT5kYXRhR29v ZCA9IEZBTFNFOwogCSAgcmV0dXJuIEZBTFNFOwotLS0gbGliZ2QyLTIuMC4zMy5vcmlnL2dkX3Bu Zy5jCisrKyBsaWJnZDItMi4wLjMzL2dkX3BuZy5jCkBAIC02LDYgKzYsOCBAQAogI2luY2x1ZGUg PG1hdGguaD4KICNpbmNsdWRlIDxzdHJpbmcuaD4KICNpbmNsdWRlIDxzdGRsaWIuaD4KKyNpbmNs dWRlIDxsaW1pdHMuaD4KKwogI2luY2x1ZGUgImdkLmgiCiAKIC8qIEpDRTogQXJyYW5nZSBIQVZF X0xJQlBORyBzbyB0aGF0IGl0IGNhbiBiZSBzZXQgaW4gZ2QuaCAqLwpAQCAtMTg4LDYgKzE5MCw5 IEBACiAKICAgcG5nX2dldF9JSERSIChwbmdfcHRyLCBpbmZvX3B0ciwgJndpZHRoLCAmaGVpZ2h0 LCAmYml0X2RlcHRoLCAmY29sb3JfdHlwZSwKIAkJJmludGVybGFjZV90eXBlLCBOVUxMLCBOVUxM KTsKKyAgaWYgKHdpZHRoID49IElOVF9NQVgvc2l6ZW9mIChpbnQpIHx8CisgICAgICB3aWR0aCpz aXplb2YgKGludCkgPj0gSU5UX01BWC9oZWlnaHQpCisgICAgcmV0dXJuIE5VTEw7CiAgIGlmICgo Y29sb3JfdHlwZSA9PSBQTkdfQ09MT1JfVFlQRV9SR0IpIHx8CiAgICAgICAoY29sb3JfdHlwZSA9 PSBQTkdfQ09MT1JfVFlQRV9SR0JfQUxQSEEpKQogICAgIHsKLS0tIGxpYmdkMi0yLjAuMzMub3Jp Zy9nZHhwbS5jCisrKyBsaWJnZDItMi4wLjMzL2dkeHBtLmMKQEAgLTEyLDYgKzEyLDcgQEAKIAog I2luY2x1ZGUgPHN0ZGlvLmg+CiAjaW5jbHVkZSA8c3RkbGliLmg+CisjaW5jbHVkZSA8bGltaXRz Lmg+CiAjaW5jbHVkZSA8c3RyaW5nLmg+CiAjaW5jbHVkZSAiZ2QuaCIKICNpbmNsdWRlICJnZGhl bHBlcnMuaCIKQEAgLTQ3LDYgKzQ4LDEwIEBACiAgICAgcmV0dXJuIDA7CiAKICAgbnVtYmVyID0g aW1hZ2UubmNvbG9yczsKKworICBpZiAobnVtYmVyID49IElOVF9NQVgvc2l6ZW9mIChpbnQpKQor ICAgIHJldHVybiAoMCk7CisKICAgY29sb3JzID0gKGludCAqKSBnZE1hbGxvYyAoc2l6ZW9mIChp bnQpICogbnVtYmVyKTsKICAgaWYgKGNvbG9ycyA9PSBOVUxMKQogICAgIHJldHVybiAoMCk7Ci0t LSBsaWJnZDItMi4wLjMzLm9yaWcvd2JtcC5jCisrKyBsaWJnZDItMi4wLjMzL3dibXAuYwpAQCAt MTcsNiArMTcsNyBAQAogI2luY2x1ZGUgPHN0ZGRlZi5oPgogI2luY2x1ZGUgPHN0ZGxpYi5oPgog I2luY2x1ZGUgPHN0cmluZy5oPgorI2luY2x1ZGUgPGxpbWl0cy5oPgogCiAjaW5jbHVkZSAid2Jt cC5oIgogI2luY2x1ZGUgImdkLmgiCkBAIC0xMjcsOCArMTI4LDEwIEBACiAgICAgZ2RGcmVlKHdi bXApOwogICAgIHJldHVybiBOVUxMOwogICB9Ci0gIGlmICgod2JtcC0+Yml0bWFwID0KLSAgICAg ICAoaW50ICopIGdkTWFsbG9jIChzaXplb2YgKGludCkgKiB3aWR0aCAqIGhlaWdodCkpID09IE5V TEwpCisKKyAgaWYgKHdpZHRoID49IElOVF9NQVgvc2l6ZW9mKGludCkgfHwKKyAgICAgIHdpZHRo KnNpemVvZihpbnQpID49IElOVF9NQVgvaGVpZ2h0IHx8CisgICAgICAod2JtcC0+Yml0bWFwID0g KGludCAqKSBnZE1hbGxvYyAoc2l6ZW9mIChpbnQpICogd2lkdGggKiBoZWlnaHQpKSA9PSBOVUxM KQogICAgIHsKICAgICAgIGdkRnJlZSAod2JtcCk7CiAgICAgICByZXR1cm4gKE5VTEwpOwpAQCAt MTk0LDggKzE5Nyw5IEBACiAgICAgICBnZEZyZWUod2JtcCk7CiAgICAgICByZXR1cm4gKC0xKTsK ICAgICB9Ci0gIGlmICgod2JtcC0+Yml0bWFwID0KLSAgICAgICAoaW50ICopIGdkTWFsbG9jIChz aXplb2YgKGludCkgKiB3Ym1wLT53aWR0aCAqIHdibXAtPmhlaWdodCkpID09IE5VTEwpCisgIGlm ICh3Ym1wLT53aWR0aCA+PSBJTlRfTUFYL3NpemVvZihpbnQpIHx8CisgICAgICB3Ym1wLT53aWR0 aCpzaXplb2YoaW50KSA+PSBJTlRfTUFYL3dibXAtPmhlaWdodCB8fAorICAgICAgKHdibXAtPmJp dG1hcCA9IChpbnQgKikgZ2RNYWxsb2MgKHNpemVvZiAoaW50KSAqIHdibXAtPndpZHRoICogd2Jt cC0+aGVpZ2h0KSkgPT0gTlVMTCkKICAgICB7CiAgICAgICBnZEZyZWUgKHdibXApOwogICAgICAg cmV0dXJuICgtMSk7Cg==