Bug 991710

Summary: VUL-1: CVE-2016-6128: gd: Invalid color index not properly handled
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: astieger, security-team, smash_bz, vpereira
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/170569/
Whiteboard: CVSSv2:SUSE:CVE-2016-6128:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-6128:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:running:62929:moderate
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 987580    
Bug Blocks:    

Description Sebastian Krahmer 2016-08-02 13:27:52 UTC 
+++ This bug was initially created as a clone of Bug #987580 +++

http://seclists.org/oss-sec/2016/q2/627

    There is currently PHP upstream bug which is still marked as private:

    https://bugs.php.net/bug.php?id=72494

    But the libgd project references the following set of commits to this
    bug report:

    https://github.com/libgd/libgd/compare/3fe0a71...6ff72ae

    indicating that libgd does not properly handle invalid color index,
    which could lead to a denial of service against applications using the
    libgd library (in particular thus PHP).


    https://github.com/libgd/libgd/commit/1ccfe21e14c4d18336f9da8515cd17db88c3de61
    gd_crop.c
    gdImageCropThreshold

    + if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
    + return NULL;
    + }

    https://github.com/libgd/libgd/commit/6ff72ae40c7c20ece939afb362d98cc37f4a1c96
    tests/gdimagecrop/php_bug_72494.c

    im = gdImageCreate(50, 50);
    gdImageCropThreshold(im, 1337, 0);
    gdImageDestroy(im);



https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1351603
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6128
http://seclists.org/oss-sec/2016/q2/627
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6128.html
Comment 1 Petr Gajdos 2016-08-08 11:48:57 UTC 
Again, imho color can not be lower than zero.
Comment 2 Sebastian Krahmer 2016-08-08 11:54:59 UTC 
Maybe. But either case, having this patch wont hurt us and keeping us aligned
with upstream patchset.
(If color cant be < 0, I wonder why they are using signed ints anyway)
Comment 3 Petr Gajdos 2016-08-08 12:38:50 UTC 
No, color is unsigned int.

But they noticed it already:
https://github.com/libgd/libgd/commit/e29a140290a084b0aa590c5edbb596060aa44acb
Comment 4 Petr Gajdos 2016-08-08 12:44:33 UTC 
affected: 13.2/gd, 12/gd
not affected: 11/gd
Comment 5 Petr Gajdos 2016-08-08 13:37:38 UTC 
I believe all affected code streams are fixed.
Comment 6 Bernhard Wiedemann 2016-08-08 14:01:23 UTC 
This is an autogenerated message for OBS integration:
This bug (991710) was mentioned in
https://build.opensuse.org/request/show/417845 13.2 / gd
Comment 8 Swamp Workflow Management 2016-08-19 17:11:15 UTC 
openSUSE-SU-2016:2117-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987577,988032,991436,991622,991710
CVE References: CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214
Sources used:
openSUSE 13.2 (src):    gd-2.1.0-7.11.1
Comment 10 Swamp Workflow Management 2016-09-14 11:11:20 UTC 
SUSE-SU-2016:2303-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-12.1
Comment 11 Swamp Workflow Management 2016-09-24 00:10:05 UTC 
openSUSE-SU-2016:2363-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
openSUSE Leap 42.1 (src):    gd-2.1.0-10.1
Comment 12 Victor Pereira 2016-10-24 07:23:07 UTC 
all updates released