Bug 982176 (CVE-2016-5116)

Summary: VUL-0: CVE-2016-5116: gd: avoid stack overflow (read) with large names
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/169578/
Whiteboard: CVSSv2:RedHat:CVE-2016-5116:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2016-5116:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2016-05-30 08:49:55 UTC 
CVE-2016-5116

https://github.com/libgd/libgd/issues/211

length from the failed vsnprintf attempt to copy more than 8000 chars
on a 4096 buffer ... libgd returns this length as is and PHP prints
more information from memory than it should.

 xbm: avoid stack overflow (read) with large names #211

We use the name passed in to printf into a local stack buffer which is
limited to 4000 bytes.  So given a large enough value, lots of stack
data is leaked.  Rewrite the code to do simple memory copies with most
of the strings to avoid that issue, and only use stack buffer for small
numbers of constant size.

Upstream Patch:
https://github.com/libgd/libgd/commit/4dc1a2d7931017d3625f2d7cff70a17ce58b53b4


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5116
http://seclists.org/oss-sec/2016/q2/430
Comment 1 Alexander Bergmann 2016-05-30 08:50:33 UTC 
http://seclists.org/oss-sec/2016/q2/430

    PHP devs marked it as a "not a bug" because the bundled version of
    libgd with PHP 5.5 is not vulnerable, however using PHP with
    systemwide libgd is a common practice.

For purposes of CVE ID assignment, we do not feel that it's necessary
to suggest a decision about whether this must also be considered a
vulnerability in any PHP 5.5.x releases.
4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 indicates that it's an
upstream bug, and the bug has plausible security relevance in some
contexts (which might be contexts involving integration of libgd and
PHP, or might be non-PHP contexts).
Comment 2 Petr Gajdos 2016-05-30 13:40:15 UTC 
Submitted for Tumbleweed, 13.2 and 12. Others are not affected.
Comment 3 Bernhard Wiedemann 2016-05-30 14:00:39 UTC 
This is an autogenerated message for OBS integration:
This bug (982176) was mentioned in
https://build.opensuse.org/request/show/398959 Factory / gd
https://build.opensuse.org/request/show/398962 13.2 / gd
Comment 5 Swamp Workflow Management 2016-05-30 22:00:14 UTC 
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2016-06-07 18:13:59 UTC 
openSUSE-SU-2016:1516-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 982176
CVE References: CVE-2016-5116
Sources used:
openSUSE 13.2 (src):    gd-2.1.0-7.8.1
Comment 9 Swamp Workflow Management 2016-09-14 11:10:29 UTC 
SUSE-SU-2016:2303-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-12.1
Comment 10 Swamp Workflow Management 2016-09-24 00:09:15 UTC 
openSUSE-SU-2016:2363-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
openSUSE Leap 42.1 (src):    gd-2.1.0-10.1
Comment 11 Marcus Meissner 2017-05-22 15:34:04 UTC 
released