Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 664732 (CVE-2018-1000222)

Summary: <media-libs/gd-2.2.5-r1: Double free in src/gd_bump.c:gdImageBmpPtr() via crafted JPEG (CVE-2018-1000222)
Product: Gentoo Security Reporter: Eddie Chapman <maracay>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
Whiteboard: B2 [glsa+ cve]
Package list:
media-libs/gd-2.2.5-r1
 Runtime testing required: ---

Description Eddie Chapman 2018-08-28 10:56:46 UTC 
From MITRE CVE entry:

"Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5."

Fixed upstream by:
https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5

No new release with the fix upstream yet, not sure if any plans to.

There have been a lot of commits to master upstream since 2.2.5 was released Aug 2017, so not sure how safe cherry picking this one fix is.

FWIW I tried anyway, saved the fix as a patch into /etc/portage/patches/media-libs/gd-2.2.5, it was applied without any apparent problems when rebuilding the current stable media-libs/gd-2.2.5:

>>> Emerging (1 of 1) media-libs/gd-2.2.5::gentoo
 * libgd-2.2.5.tar.xz BLAKE2B SHA512 size ;-) ...                                                                                                                                                           [ ok ]
>>> Unpacking source...
>>> Unpacking libgd-2.2.5.tar.xz to /build/portage/media-libs/gd-2.2.5/work
>>> Source unpacked in /build/portage/media-libs/gd-2.2.5/work
>>> Preparing source in /build/portage/media-libs/gd-2.2.5/work/libgd-2.2.5 ...
 * Applying CVE-2018-1000222.patch ...                                                                                                                                                                      [ ok ]
 * User patches applied.
 * Running elibtoolize in: libgd-2.2.5/
 *   Applying ppc64le/2.4.4 patch ...
 * Running elibtoolize in: libgd-2.2.5/config/
 *   Applying portage/1.2.0 patch ...
 *   Applying sed/1.5.6 patch ...
 *   Applying as-needed/2.4.3 patch ...
>>> Source prepared.

No warnings or errors at all appeared in the build output.

I then ran a rudimentary test as follows:

pngtogd existing_image.png output.gd
gdtopng output.gd new_image.png 

The resultant new_image.png was a perfect reproduction of the original. But it's not a comprehensive test of course.

Reproducible: Didn't try
Comment 1 Larry the Git Cow gentoo-dev 2018-09-14 19:16:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04cf9aa3bf7e0746e85461c3c56d9f9a95ce6fba

commit 04cf9aa3bf7e0746e85461c3c56d9f9a95ce6fba
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-14 19:11:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-14 19:15:47 +0000

    media-libs/gd: Fix CVE-2018-1000222
    
    Thanks-to: Eddie Chapman <maracay@ehuk.net>
    Bug: https://bugs.gentoo.org/664732
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 .../gd/files/gd-2.2.5-CVE-2018-1000222.patch       | 73 ++++++++++++++++++++++
 media-libs/gd/gd-2.2.5-r1.ebuild                   | 64 +++++++++++++++++++
 2 files changed, 137 insertions(+)
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-19 07:44:41 UTC 
amd64 stable
Comment 3 Rolf Eike Beer archtester 2018-09-19 16:18:01 UTC 
sparc done.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-19 17:36:08 UTC 
x86 stable
Comment 5 Markus Meier gentoo-dev 2018-09-24 18:16:07 UTC 
arm stable
Comment 6 Mart Raudsepp gentoo-dev 2018-09-30 22:30:37 UTC 
arm64 stable. Bug 608730 and bug 632076 still a problem - very annoying.
Comment 7 Matt Turner gentoo-dev 2018-10-06 16:17:42 UTC 
ppc/ppc64 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-11 12:46:11 UTC 
Stable on alpha.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-15 07:08:06 UTC 
ia64 stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-12-04 23:11:54 UTC 
@maintainer(s), please drop vulnerable.
Comment 11 Matt Turner gentoo-dev 2018-12-30 19:40:18 UTC 
hppa stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:10:13 UTC 
This issue was resolved and addressed in
 GLSA 201903-18 at https://security.gentoo.org/glsa/201903-18
by GLSA coordinator Aaron Bauman (b-man).