Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711122 (CVE-2017-6363) - <media-libs/gd-2.3.0: heap-based buffer over-read in tiffWriter in gd_tiff.c (CVE-2017-6363)
Summary: <media-libs/gd-2.3.0: heap-based buffer over-read in tiffWriter in gd_tiff.c ...
Status: RESOLVED FIXED
Alias: CVE-2017-6363
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/libgd/libgd/issues...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2018-14553, CVE-2019-11038
Blocks:
  Show dependency tree
 
Reported: 2020-03-01 01:05 UTC by Sam James
Modified: 2020-07-27 20:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 01:05:59 UTC
"In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. 

NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for development and testing purposes.'"

Upstream bug: https://github.com/libgd/libgd/issues/383
Affected versions: <= 2.2.5.

A fix does not seem likely.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-02 21:47:55 UTC
https://github.com/libgd/libgd/commit/0be86e1926939a98afbd2f3a23c673dfc4df2a7c
https://github.com/libgd/libgd/commit/2dbd8f6e66b73ed43d9b81a45350922b80f75397

There's a CVE dispute: The vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for development and testing purposes.'"
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-15 11:56:48 UTC
Patch anyway: https://github.com/libgd/libgd/commit/2dbd8f6e66b73ed43d9b81a45350922b80f75397

included in 2.3.0.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-25 11:27:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7220615bbaa8ce9c101b5130b58f705425c11ea

commit e7220615bbaa8ce9c101b5130b58f705425c11ea
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-23 20:43:01 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-06-25 11:27:00 +0000

    media-libs/gd: Drop old (security cleanup)
    
    Bug: https://bugs.gentoo.org/711122
    Bug: https://bugs.gentoo.org/719464
    Package-Manager: Portage-2.3.102, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16387
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/gd/Manifest           |  3 --
 media-libs/gd/gd-2.2.5-r2.ebuild | 98 ----------------------------------------
 2 files changed, 101 deletions(-)