Your message dated Mon, 11 Sep 2006 02:01:23 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in NMU of libgd2 2.0.33-5.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libgd2-xpm
Version: 2.0.33-1.1sarge1
Severity: grave
Tags: security patch
Justification: user security hole


libgd2 crashes on some corrupt GIFs [1]. This issue was found in PHP (php bug
#38112 [2]). With php4 + php4-gd the segfault can be triggered by executing the
PoC at [3]. The attached patch has been adapted from the bug report and seems to
fix the problem.

[1] http://people.debian.org/~seanius/security/php/poc/38112.gif
[2] http://bugs.php.net/bug.php?id=38112
[3] http://people.debian.org/~seanius/security/php/poc/38112.poc


Severity grave because this might lead to arbitrary code execution in php
(although I haven't tried to analyze the problem further).
--- libgd2-2.0.33/gd_gif_in.c	2006-08-27 10:34:02.021822968 +0200
+++ libgd2-2.0.33.patched/gd_gif_in.c	2006-08-27 01:01:05.050952000 +0200
@@ -208,6 +208,12 @@
        if (!im) {
 		return 0;
        }
+
+		if (!im->colorsTotal) {
+			gdImageDestroy(im);
+			return 0;
+		}
+
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
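Review bot: the new `if (!im->colorsTotal)` test right after the `if (!im)` return relies on `colorsTotal` still being zero as the only signal that ReadImage bailed out before reaching its `im->colorsTotal = gdMaxColors;` line, and nothing at the check says so; add a one-line comment such as `/* ReadImage returned early; image was never populated */` so the next maintainer does not drop it as redundant. Style: the added lines are tab-indented while the surrounding context lines use spaces.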
@@ -497,6 +503,19 @@
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+
+	   /*
+		**  Initialize the Compression routines
+		*/
+	   if (! ReadOK(fd,&c,1)) {
+		   return;
+	   }
+
+	   if (c > MAX_LWZ_BITS) {
+		   return;	
+	   }
+
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];	
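Review bot: both new early returns (the failed `ReadOK(fd,&c,1)` and `c > MAX_LWZ_BITS`) leave `im` allocated with its color map never stashed and `colorsTotal` untouched, which is exactly what the caller's `colorsTotal` check keys on, but that coupling is invisible from inside this function; note at the returns that the caller tests `im->colorsTotal`. The `/* Initialize the Compression routines */` comment moved up with the read, yet the initialization call itself, `LWZReadByte(fd, TRUE, c, ZeroDataBlockP)`, stays further down; reword it to something like `/* Read and bound-check the initial LZW code size */` to match what now sits under it. Also strip the trailing whitespace after `return;` and the mixed tab/space indentation before committing.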
@@ -506,12 +525,6 @@
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return; 
-       }
        if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0) {
                return;
        }
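Review bot: removing the `ReadOK` call from here is what makes the earlier `colorsTotal` check meaningful, since by this point `im->colorsTotal = gdMaxColors;` has already run and a failed read would otherwise return a fully initialized-looking image; the patch header or changelog should describe this as moving the read ahead of the color map setup rather than deleting it, so a reviewer does not go looking for a lost read before `LWZReadByte(fd, TRUE, c, ZeroDataBlockP)`.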

--- End Message ---
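To see the two checks the patch introduces applied to real bytes, here is an added example that is not code from the bug report, from libgd or from PHP: a minimal GIF walker that locates the first image descriptor and validates the LZW minimum code size byte before any decoder state is built, returning a distinct status for a truncated stream (the `ReadOK` failure) and for an oversized code size (the `c > MAX_LWZ_BITS` case). It assumes MAX_LWZ_BITS is 12, gd's value, which the report does not state; the GIF bytes are constructed for the example and are not the PoC file linked above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* gd's bound on the LZW code size. 12 is the value in gd's sources; it is
   assumed here because the report names the macro but not its value. */
#define MAX_LWZ_BITS 12

enum gif_status {
    GIF_OK = 0,
    GIF_TRUNCATED,      /* stream ends before the code size byte (the ReadOK failure) */
    GIF_BAD_MAGIC,      /* not a GIF, or an unknown block id */
    GIF_BAD_CODE_SIZE,  /* code size byte exceeds MAX_LWZ_BITS */
    GIF_NO_IMAGE        /* trailer reached without an image descriptor */
};

/* Skip a chain of length-prefixed sub-blocks ending in a zero-length block. */
static int skip_sub_blocks(const uint8_t *buf, size_t len, size_t *pos)
{
    for (;;) {
        if (*pos >= len) return 0;
        uint8_t sz = buf[(*pos)++];
        if (sz == 0) return 1;
        if (len - *pos < sz) return 0;
        *pos += sz;
    }
}

/* Walk the stream to its first image descriptor and validate the LZW minimum
   code size byte the way the patch does, before any decoder table is touched. */
enum gif_status gif_check_lzw_code_size(const uint8_t *buf, size_t len, int *code_size_out)
{
    size_t pos;
    if (len < 13) return GIF_TRUNCATED;                        /* header + logical screen descriptor */
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return GIF_BAD_MAGIC;
    pos = 13;
    if (buf[10] & 0x80) {                                      /* global color table present */
        size_t gct = 3u << ((buf[10] & 0x07) + 1);
        if (len - pos < gct) return GIF_TRUNCATED;
        pos += gct;
    }
    while (pos < len) {
        uint8_t id = buf[pos++];
        if (id == 0x3B) return GIF_NO_IMAGE;                   /* trailer */
        if (id == 0x21) {                                      /* extension: label, then sub-blocks */
            if (pos >= len) return GIF_TRUNCATED;
            pos++;
            if (!skip_sub_blocks(buf, len, &pos)) return GIF_TRUNCATED;
            continue;
        }
        if (id != 0x2C) return GIF_BAD_MAGIC;                  /* image separator expected */
        if (len - pos < 9) return GIF_TRUNCATED;               /* left, top, width, height, flags */
        uint8_t iflags = buf[pos + 8];
        pos += 9;
        if (iflags & 0x80) {                                   /* local color table */
            size_t lct = 3u << ((iflags & 0x07) + 1);
            if (len - pos < lct) return GIF_TRUNCATED;
            pos += lct;
        }
        if (pos >= len) return GIF_TRUNCATED;                  /* mirrors the failed ReadOK(fd, &c, 1) */
        int c = buf[pos];
        if (code_size_out) *code_size_out = c;
        return c > MAX_LWZ_BITS ? GIF_BAD_CODE_SIZE : GIF_OK;  /* mirrors the c > MAX_LWZ_BITS check */
    }
    return GIF_TRUNCATED;
}

/* Constructed 1x1 GIF for the example; not the file referenced in the report. */
static const uint8_t k_gif[] = {
    'G','I','F','8','9','a',
    0x01,0x00, 0x01,0x00, 0x80, 0x00, 0x00,                   /* 1x1, 2-entry global color table */
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,
    0x2C, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00,   /* image descriptor */
    0x02,                                                     /* LZW minimum code size, offset 29 */
    0x02, 0x44, 0x01, 0x00,                                   /* one data sub-block, then terminator */
    0x3B                                                      /* trailer */
};
#define CODE_SIZE_OFFSET 29

enum gif_status demo_valid_gif(void)
{
    return gif_check_lzw_code_size(k_gif, sizeof k_gif, NULL);
}

/* Same bytes with the code size set to 0xFF: the corrupt shape the patch rejects. */
enum gif_status demo_oversized_code_size(void)
{
    uint8_t bad[sizeof k_gif];
    memcpy(bad, k_gif, sizeof k_gif);
    bad[CODE_SIZE_OFFSET] = 0xFF;
    return gif_check_lzw_code_size(bad, sizeof bad, NULL);
}

/* Stream cut off just before the code size byte: the read itself must fail cleanly. */
enum gif_status demo_truncated_gif(void)
{
    return gif_check_lzw_code_size(k_gif, CODE_SIZE_OFFSET, NULL);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad magic", "bad code size", "no image" };
    printf("valid:     %s\n", names[demo_valid_gif()]);
    printf("oversized: %s\n", names[demo_oversized_code_size()]);
    printf("truncated: %s\n", names[demo_truncated_gif()]);
    return 0;
}
```

The point of doing the bound check here, at the byte the file supplies, is the same as in the patch: the code size feeds the decoder's table sizing, so it has to be rejected before the decoder is initialized rather than after the first symbol is read.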
--- Begin Message ---
Version: 2.0.33-5.1

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  libgd2 (2.0.33-5.1) unstable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * 1008_segfault_invalid_gif.patch: New patch, adapted by Stefan Fritsch;
>      fixes segfault (and possible security issue) when reading some forms
>      of corrupted GIFs. (Closes: #384838)

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---