From MITRE CVE entry:
"Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5."
Fixed upstream by:
No new release with the fix upstream yet, not sure if any plans to.
There have been a lot of commits to master upstream since 2.2.5 was released Aug 2017, so not sure how safe cherry picking this one fix is.
FWIW I tried anyway, saved the fix as a patch into /etc/portage/patches/media-libs/gd-2.2.5, it was applied without any apparent problems when rebuilding the current stable media-libs/gd-2.2.5:
>>> Emerging (1 of 1) media-libs/gd-2.2.5::gentoo
* libgd-2.2.5.tar.xz BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking libgd-2.2.5.tar.xz to /build/portage/media-libs/gd-2.2.5/work
>>> Source unpacked in /build/portage/media-libs/gd-2.2.5/work
>>> Preparing source in /build/portage/media-libs/gd-2.2.5/work/libgd-2.2.5 ...
* Applying CVE-2018-1000222.patch ... [ ok ]
* User patches applied.
* Running elibtoolize in: libgd-2.2.5/
* Applying ppc64le/2.4.4 patch ...
* Running elibtoolize in: libgd-2.2.5/config/
* Applying portage/1.2.0 patch ...
* Applying sed/1.5.6 patch ...
* Applying as-needed/2.4.3 patch ...
>>> Source prepared.
No warnings or errors at all appeared in the build output.
I then ran a rudimentary test as follows:
pngtogd existing_image.png output.gd
gdtopng output.gd new_image.png
The resultant new_image.png was a perfect reproduction of the original. But it's not a comprehensive test of course.
Reproducible: Didn't try
The bug has been referenced in the following commit(s):
Author: Andreas Sturmlechner <firstname.lastname@example.org>
AuthorDate: 2018-09-14 19:11:20 +0000
Commit: Andreas Sturmlechner <email@example.com>
CommitDate: 2018-09-14 19:15:47 +0000
media-libs/gd: Fix CVE-2018-1000222
Thanks-to: Eddie Chapman <firstname.lastname@example.org>
Package-Manager: Portage-2.3.49, Repoman-2.3.10
.../gd/files/gd-2.2.5-CVE-2018-1000222.patch | 73 ++++++++++++++++++++++
media-libs/gd/gd-2.2.5-r1.ebuild | 64 +++++++++++++++++++
2 files changed, 137 insertions(+)
arm64 stable. Bug 608730 and bug 632076 still a problem - very annoying.
Stable on alpha.
@maintainer(s), please drop vulnerable.
This issue was resolved and addressed in
GLSA 201903-18 at https://security.gentoo.org/glsa/201903-18
by GLSA coordinator Aaron Bauman (b-man).