Bug#930438: marked as done (stretch-pu: package libgd2/2.2.4-2+deb9u5)

Debian Bug Tracking System Sat, 07 Sep 2019 06:56:36 -0700

Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id 
<17351b82f829eb6917f78885cb849c4060b0a4a6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #930438,
regarding stretch-pu: package libgd2/2.2.4-2+deb9u5
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
930438: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930438
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

Hello,

please accept libgd2 2.2.5-5.2 into stretch-proposed-updates. 


libgd2 2.2.5-5.2 is a security upload that fixes CVE-2019-11038. Even
though the bug severity is only 'important', it would be nice to have
this security fix in Buster.

Here's the changelog:

libgd2 (2.2.4-2+deb9u5) stretch; urgency=high

  * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
    (Closes: #929821)

 -- Jonas Meurer <[email protected]>  Tue, 11 Jun 2019 17:33:42 +0200

Please find the debdiff attached to this mail.

Thanks a lot for your work.

Cheers
 jonas

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru libgd2-2.2.4/debian/changelog libgd2-2.2.4/debian/changelog
--- libgd2-2.2.4/debian/changelog       2019-02-02 10:49:03.000000000 +0100
+++ libgd2-2.2.4/debian/changelog       2019-06-11 17:33:42.000000000 +0200
@@ -1,3 +1,10 @@
+libgd2 (2.2.4-2+deb9u5) stretch; urgency=high
+
+  * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
+    (Closes: #929821)
+
+ -- Jonas Meurer <[email protected]>  Tue, 11 Jun 2019 17:33:42 +0200
+
 libgd2 (2.2.4-2+deb9u4) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru 
libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch
 
libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch
--- 
libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch
        2019-06-11 17:33:42.000000000 +0200
@@ -0,0 +1,35 @@
+From: Jonas Meurer <[email protected]>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+
+Original patch by Christoph M. Becker <[email protected]> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 5f09b56..9d6dd20 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -166,7 +166,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+                       }
+                       h[3] = ch;
+               }
+-              sscanf(h, "%x", &b);
++              if (sscanf(h, "%x", &b) != 1) {
++                      gd_error("invalid XBM");
++                      gdImageDestroy(im);
++                      return 0;
++              }
+               for (bit = 1; bit <= max_bit; bit = bit << 1) {
+                       gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+                       if (x == im->sx) {
diff -Nru libgd2-2.2.4/debian/patches/series libgd2-2.2.4/debian/patches/series
--- libgd2-2.2.4/debian/patches/series  2019-02-02 10:49:03.000000000 +0100
+++ libgd2-2.2.4/debian/patches/series  2019-06-11 17:33:42.000000000 +0200
@@ -9,3 +9,4 @@
 0009-CVE-2018-5711.patch
 CVE-2019-6977.patch
 Fix-492-Potential-double-free-in-gdImage-Ptr.patch
+Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch

--- End Message ---

--- Begin Message ---

Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).

Regards,

Adam

--- End Message ---

Bug#930438: marked as done (stretch-pu: package libgd2/2.2.4-2+deb9u5)

Reply via email to