Bug 982176 - (CVE-2016-5116) VUL-0: CVE-2016-5116: gd: avoid stack overflow (read) with large names
(CVE-2016-5116)
VUL-0: CVE-2016-5116: gd: avoid stack overflow (read) with large names
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/169578/
CVSSv2:RedHat:CVE-2016-5116:4.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-05-30 08:49 UTC by Alexander Bergmann
Modified: 2017-05-22 15:34 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-05-30 08:49:55 UTC
CVE-2016-5116

https://github.com/libgd/libgd/issues/211

length from the failed vsnprintf attempt to copy more than 8000 chars
on a 4096 buffer ... libgd returns this length as is and PHP prints
more information from memory than it should.

 xbm: avoid stack overflow (read) with large names #211

We use the name passed in to printf into a local stack buffer which is
limited to 4000 bytes.  So given a large enough value, lots of stack
data is leaked.  Rewrite the code to do simple memory copies with most
of the strings to avoid that issue, and only use stack buffer for small
numbers of constant size.

Upstream Patch:
https://github.com/libgd/libgd/commit/4dc1a2d7931017d3625f2d7cff70a17ce58b53b4


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5116
http://seclists.org/oss-sec/2016/q2/430
Comment 1 Alexander Bergmann 2016-05-30 08:50:33 UTC
http://seclists.org/oss-sec/2016/q2/430

    PHP devs marked it as a "not a bug" because the bundled version of
    libgd with PHP 5.5 is not vulnerable, however using PHP with
    systemwide libgd is a common practice.

For purposes of CVE ID assignment, we do not feel that it's necessary
to suggest a decision about whether this must also be considered a
vulnerability in any PHP 5.5.x releases.
4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 indicates that it's an
upstream bug, and the bug has plausible security relevance in some
contexts (which might be contexts involving integration of libgd and
PHP, or might be non-PHP contexts).
Comment 2 Petr Gajdos 2016-05-30 13:40:15 UTC
Submitted for Tumbleweed, 13.2 and 12. Others are not affected.
Comment 3 Bernhard Wiedemann 2016-05-30 14:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (982176) was mentioned in
https://build.opensuse.org/request/show/398959 Factory / gd
https://build.opensuse.org/request/show/398962 13.2 / gd
Comment 5 Swamp Workflow Management 2016-05-30 22:00:14 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2016-06-07 18:13:59 UTC
openSUSE-SU-2016:1516-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 982176
CVE References: CVE-2016-5116
Sources used:
openSUSE 13.2 (src):    gd-2.1.0-7.8.1
Comment 9 Swamp Workflow Management 2016-09-14 11:10:29 UTC
SUSE-SU-2016:2303-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-12.1
Comment 10 Swamp Workflow Management 2016-09-24 00:09:15 UTC
openSUSE-SU-2016:2363-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 982176,987577,988032,991436,991622,991710,995034
CVE References: CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Sources used:
openSUSE Leap 42.1 (src):    gd-2.1.0-10.1
Comment 11 Marcus Meissner 2017-05-22 15:34:04 UTC
released