Bug 135860 - dev-lang/php Infinite loop DoS (CVE-2006-2906)
Summary: dev-lang/php Infinite loop DoS (CVE-2006-2906)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: From BugTraq ML
Whiteboard: B3 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-06 22:30 UTC by Wolf Giesen (RETIRED)
Modified: 2006-07-23 13:09 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
Complete posting (didn't see it anywhere else yet) (posting.txt, 33.41 KB, text/plain) - 2006-06-06 22:32 UTC, Wolf Giesen (RETIRED)
gdbad.c (gdbad.c, 31.03 KB, text/plain) - 2006-06-07 05:58 UTC, SpanKY
gd-infinite-loops-2 (gd-infinite-loops-2, 7.27 KB, text/plain) - 2006-06-09 14:32 UTC, Carsten Lohrke (RETIRED)

Description Wolf Giesen (RETIRED) gentoo-dev 2006-06-06 22:30:17 UTC
"A bug seems to affect the current (2.0.33) GD library version, located
in the LZW decoding while loading GIF images. The problem is an infinite
loop while decoding specifically crafted images; for example when
calling gdImageCreateFromGifPtr() with badly formed GIF data. The loop
is causing 100% CPU consumption, and can be a problem when involving
online server scripts."

"3. Quick fix
------------

This quick-and-dirty fix just limits the number of loops in the
LWZReadByte_() function.

diff -r -c gd-2.0.33.orig/gd_gif_in.c gd-2.0.33/gd_gif_in.c
*** gd-2.0.33.orig/gd_gif_in.c  Mon Nov  1 19:28:56 2004
--- gd-2.0.33/gd_gif_in.c       Fri Apr  7 09:04:10 2006
***************
*** 417,422 ****
--- 417,423 ----
                                         GetCode(fd, code_size, FALSE,
ZeroDataBlockP);
                         return firstcode;
                 } else if (code == end_code) {
+                        int             maxcount = 1024;
                         int             count;
                         unsigned char   buf[260];

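Review bot: `int maxcount = 1024;` is a bare magic number with nothing saying what it bounds; since a GIF data sub-block carries at most 255 bytes (hence the `buf[260]` right below it), a one-line comment or a named constant such as `#define MAX_TRAILING_BLOCKS 1024` stating that at most about 255 KB of trailing sub-block data is skipped after the end code would make the intent reviewable.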
***************
*** 423,432 ****
                         if (*ZeroDataBlockP)
                                 return -2;

!                        while ((count = GetDataBlock(fd, buf,
ZeroDataBlockP)) > 0)
                                 ;

!                        if (count != 0)
                         return -2;
                 }

--- 424,433 ----
                         if (*ZeroDataBlockP)
                                 return -2;

!                        while ((count = GetDataBlock(fd, buf,
ZeroDataBlockP)) > 0 && --maxcount >= 0)
                                 ;

!                        if (count != 0 || maxcount < 0)
                         return -2;
                 }
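Review bot: the `|| maxcount < 0` in the post-loop check is redundant: `--maxcount` is only evaluated when `count > 0` was true, so whenever the loop stops because the bound ran out, `count != 0` already holds and the function returns -2 on that alone; keeping the extra test is harmless, but the patch should say which case it thinks it is guarding. More importantly, the bound caps the symptom without explaining why GetDataBlock() keeps returning a positive count instead of an error once the data is exhausted, and it silently turns a GIF with more than 1024 trailing sub-blocks after the end code into a decode failure; that deliberate behaviour change belongs in the patch description.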
"
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-06-06 22:32:21 UTC
Created attachment 88576 [details]
Complete posting (didn't see it anywhere else yet)
Comment 2 Wolf Giesen (RETIRED) gentoo-dev 2006-06-06 23:07:30 UTC
Guess we need to check a) if this is valid, b) if we're affected, c) if gd-internal is affected.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 02:23:48 UTC
Vapier please comment.

Removed from CC since he's on the security alias.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 02:50:34 UTC
> Guess we need to check a) if this is valid, b) if we're affected c) if
> gd-internal is affected.
> 

I can't reproduce the DoS with the supplied example with media-libs/gd-2.0.33 x86. It compiles, and runs, but doesn't crash.
Comment 5 SpanKY gentoo-dev 2006-06-07 05:58:52 UTC
Created attachment 88598 [details]
gdbad.c

This hung on my amd64 machine.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 06:48:59 UTC
Setting it to upstream until an official fix is available.
Comment 7 frilled 2006-06-07 09:44:54 UTC
Might be even A3 if the bundled version is affected, too. Quite some php apps use gd.
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-09 14:32:50 UTC
Created attachment 88795 [details]
gd-infinite-loops-2

A second bug exists in gd_gif_in.c:152, which can make corrupted
(truncated) GIF files generate an infinite loop in libgd.

...

(bugtraq reply by Xavier Roche <rocheml@httrack.com>)
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-09 14:37:35 UTC
cc'ing php team as php includes a gd lib
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-09 23:36:17 UTC
Does any other package bundle the gd lib?
Comment 11 SpanKY gentoo-dev 2006-06-10 05:57:06 UTC
I don't know of any.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-14 02:45:38 UTC
CVE-2006-2906
Comment 13 Luca Longinotti (RETIRED) gentoo-dev 2006-07-14 09:20:38 UTC
PHP's bundled libgd was fixed wrt all the security problems the maintainer told us about in the just added dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4. The infinite loop DoS should already be fixed in older dev-lang/php revisions of 4.4.2 and 5.1.4, this one further fixes a problem with bad colormaps and a problem with the size of GIF images. Stabling of those two PHP versions can be handled in bug 133524.
Best regards, CHTEKK.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-22 23:59:04 UTC
This one is ready for GLSA decision.
Comment 15 Wolf Giesen (RETIRED) gentoo-dev 2006-07-23 01:15:52 UTC
Phew. I think the impact is high enough to call for it, but the attack vector is not so interesting. But when in doubt, yes.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-23 04:37:11 UTC
Mhh, tough one, but weak yes. Having a possibly important webpage DoSed surely is no fun.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-07-23 12:14:12 UTC
Voting no. It's not very common to accept untrusted GIF images and process them. Even in that case, the infinite loop is not very impact-ish.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-23 13:09:38 UTC
Voting NO and closing. Feel free to reopen if you disagree.