Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679702 (CVE-2018-5711, CVE-2019-6977, CVE-2019-6978) - <media-libs/gd-2.2.5-r2: multiple vulnerabilities (CVE-{2018-5711,2019-6977,2019-6978})
Summary: <media-libs/gd-2.2.5-r2: multiple vulnerabilities (CVE-{2018-5711,2019-6977,2...
Alias: CVE-2018-5711, CVE-2019-6977, CVE-2019-6978
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on:
Reported: 2019-03-07 19:41 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-02 00:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-07 19:41:12 UTC
CVE-2018-5711 (
  gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before
  5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1,
  has an integer signedness error that leads to an infinite loop via a crafted
  GIF file, as demonstrated by a call to the imagecreatefromgif or
  imagecreatefromstring PHP function. This is related to GetCode_ and

CVE-2019-6977 (
  gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD)
  2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x
  before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based
  buffer overflow. This can be exploited by an attacker who is able to trigger
  imagecolormatch calls with crafted image data.

CVE-2019-6978 (
  The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
  gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP
  is unaffected.
Comment 2 Rolf Eike Beer archtester 2019-03-08 20:39:40 UTC
sparc done
Comment 3 Mart Raudsepp gentoo-dev 2019-03-09 11:51:29 UTC
Looks like security stabilizations are the only stabilizations happening to media-libs/gd, thus I will draw a line in the sand here on test failures and will NOT stabilize this on arm64 before bug 632076 and bug 608730 are fixed.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-03-09 16:11:50 UTC
leio, security vulnerabilities are not the place where you draw the line for stabilizations. You are not hurting anyone other then the arm64 users by not stabilizing security bugs.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-09 19:19:39 UTC
x86 stable
Comment 6 Mart Raudsepp gentoo-dev 2019-03-09 20:03:20 UTC
The line is where I say it is, as far as my work is concerned. It is my volunteer work, and I am tired of wasting my time on test failures that have been lingering for years.
Comment 7 Mart Raudsepp gentoo-dev 2019-03-11 16:16:33 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-03-14 21:15:16 UTC
amd64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 23:24:01 UTC
s390 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-16 14:12:58 UTC
arm stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:10:23 UTC
This issue was resolved and addressed in
 GLSA 201903-18 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 02:10:52 UTC
re-opened for final arches.
Comment 13 Rolf Eike Beer archtester 2019-04-02 19:32:42 UTC
hppa stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:35:39 UTC
alpha stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 13:10:41 UTC
ppc64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2019-06-05 07:15:42 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2019-06-05 07:28:52 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2019-08-02 00:48:23 UTC
tree is clean