Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 69070 - media-libs/gd: Integer overflows
Summary: media-libs/gd: Integer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: C2 [glsa] lewk
Keywords:
: 69156 69850 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-10-26 14:30 UTC by Luke Macken (RETIRED)
Modified: 2004-11-10 21:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
gd-1.8.4-security.patch (gd-1.8.4-security.patch,8.31 KB, patch)
2004-11-10 21:53 UTC, solar (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-10-26 14:30:00 UTC
Subject:

GD Graphics Library integer overflow leading to heap overflow.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Product Description:

An ANSI C library for the dynamic creation of images. GD creates PNG, JPEG and
GIF images, among other formats.  It is the library used by PHP to manipulate
images.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable:

Only the latest version was tested, gd-2.0.28.  I would venture a guess that old
versions are vulnerable as well, as I found no checking anywhere for the type of
bugs found.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Summary:

There is an integer overflow when allocating memory in the routine that handles
loading PNG image files.  This later leads to heap data structures being
overwritten.  If an attacker tricked a user into loading a malicious PNG image,
they could leverage this into executing arbitrary code in the context of the
user opening image.  Many programs use GD, such as ImageMagick, and more
importantly it is also the image library used for PHP, and there is a Perl
module as well.  One possibile target would be PHP driven photo websites that
let users upload images.  Some of them will resize/compress the image when the
user uploads them.  If this is done using GD, this could be used to execute code
on the server.  There is a mitigating factor, in order to reach the vulnerable
code, a large amount of memory needs to be allocated.  My 128MB p2 crapped out
one allocation before it reached the overflow.  However, I think on a newer box
with lots of memory and swap space, that won't be a problem.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Details:

The vulnerable code occurs in the file gd_png.c, in the function
gdImageCreateFromPngCtx(), which is called by gdImageCreateFromPng().  The
function is used to load an image file into GD data structures.  The problem
occurs when allocating memory for the image rows, line 314 or so ( I added some
comments so line number might be off).  Two user supplied values are multiplied
together (rowbytes * height), and used to allocate memory for an array of
pointers.  This pointer array is then passed to the png_read_image() function,
which belongs to the libPNG library.  In that function, the pointers are passed
to the png_read_row() function.  The data for the rows is decompressed using
zLib function inflate(), and then passed to the png_combine_row() function,
where the deflated data is memcpy()'d into the heap buffer.  Exploitation would
require using zLib functions to compress the payload.  Successful exploitation
would lead to executing arbitrary code.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Vendor:

I spoke with author about a month ago, he told me that updates would be out
within a couple weeks.  I'm assuming they are.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Exploit:

The start of my exploit is attached.  I didn't pursue further b/c my box sucks
ass, and doesn't have enough memory/swap.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-26 14:43:17 UTC
I don't see any new version or fix for this issue anywhere.

I sent an email upstream regarding this issue, and awaiting a response.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-26 15:11:02 UTC
Reply from upstream:

"2.0.29 will be out in the next few days. I apologize for the delay.
(The bug, for what it's worth, is quite challenging to exploit.)"
Comment 3 SpanKY gentoo-dev 2004-10-26 16:02:43 UTC
depending on what the exploit is, php may be at risk also
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 13:07:53 UTC
*** Bug 69156 has been marked as a duplicate of this bug. ***
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:35:50 UTC
2.0.30 is out at boutell.com.
vapier: please bump
Comment 6 SpanKY gentoo-dev 2004-10-30 14:58:16 UTC
looking at php-5.0.2's ext/gd/libgd/gd_png.c, i would venture to say that the exploit exists there too

sample from the gd patch:
--- gd-2.0.28/gd_png.c  2004-05-24 10:42:18.000000000 -0400
+++ gd-2.0.30/gd_png.c  2004-10-28 14:09:52.000000000 -0400
@@ -312,12 +312,21 @@

   /* allocate space for the PNG image data */
   rowbytes = png_get_rowbytes (png_ptr, info_ptr);
+  if (overflow2(rowbytes, height)) {
+    png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
+    return NULL;
+  }
   if ((image_data = (png_bytep) gdMalloc (rowbytes * height)) == NULL)
     {

snippet from php-5.0.2's gd_png.c:
    /* allocate space for the PNG image data */
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
    image_data = (png_bytep) safe_emalloc(rowbytes, height, 0);
Comment 7 SpanKY gentoo-dev 2004-10-30 15:01:36 UTC
i'd suggest we fork php off to a sep bug so as to not hold back gd-2.0.30

i marked stable for the arches i maintain ... here's the current KEYWORDS:
KEYWORDS="~alpha ~amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86"
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-10-31 02:37:08 UTC
Arches, please mark stable
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-10-31 03:08:07 UTC
Stable on ppc.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-31 04:53:45 UTC
Stable on alpha.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2004-10-31 08:18:12 UTC
Stable on sparc
Comment 12 SpanKY gentoo-dev 2004-10-31 18:38:11 UTC
ok, 1.8.4 also has this problem ... i forward ported a patch (1.8.4-png-overflows.patch) and added to cvs ...

i contacted upstream to see what their take is on 1.x ... if they dont plan on updating their 1.8.4, i might just remove it from the tree
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-11-02 05:58:47 UTC
amd64, ppc64, please mark stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-11-02 09:09:05 UTC
*** Bug 69850 has been marked as a duplicate of this bug. ***
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-11-02 09:10:32 UTC
That would be CAN-2004-0990
Comment 16 Jeremy Huddleston (RETIRED) gentoo-dev 2004-11-02 12:24:32 UTC
stable amd64
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2004-11-02 13:42:15 UTC
stable on ppc64
Comment 18 SpanKY gentoo-dev 2004-11-02 16:39:36 UTC
i e-mailed upstream about two bugs ...
(1) he released 2.0.32 in response to a compile failure
(2) he removed 1.x completely :)  i'll do the same for us
Comment 19 Manuel McLure 2004-11-03 09:39:24 UTC
Ack! Please return 1.8.4 to the tree - otherwise www-apps/nut-2.0.0 breaks!
Comment 20 Manuel McLure 2004-11-03 11:01:57 UTC
It seems that the www-apps/nut ebuild breaks, but if you change the ebuild it will build against gd-2. I'll enter a bug for nut to make the ebuild work with gd-2.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2004-11-03 13:41:01 UTC
GLSA 200411-08
mips: mark stable to benefit from GLSA
Comment 22 SpanKY gentoo-dev 2004-11-03 15:26:04 UTC
yeah, gd-1.x isnt coming back ;)

nut will have to be fixed/removed
Comment 23 Hardave Riar (RETIRED) gentoo-dev 2004-11-05 03:35:51 UTC
Stable on mips.
Comment 24 solar (RETIRED) gentoo-dev 2004-11-10 21:53:57 UTC
Created attachment 43704 [details, diff]
gd-1.8.4-security.patch

For those of you that need gd-1.8.4 still this patch resolves CAN-2004-0941 and
CAN-2004-0990