gd : CVE-2016-10167, CVE-2016-10168

The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10167 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10168 Upstream patches: https://github.com/libgd/libgd/commit/fe9ed49dafa993e3af96b6a5a589efeea9bfb36f https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Catalin Enache <catalin.enache@windriver.com> 2017-04-07 13:10:53 +0300
committer: Martin Jansa <Martin.Jansa@gmail.com> 2017-04-18 14:21:39 +0200
commit: f66465d4d52a7a0df208a0701e3cb034e9c47bd3 (patch)
tree: c686eb28c0386b941dadccf5b28099ad8ee01059
parent: dcd6d5b2405e0be18694696dfb0221fc59e6d107 (diff)
download: meta-openembedded-f66465d4d52a7a0df208a0701e3cb034e9c47bd3.tar.gz
3 files changed, 89 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch
new file mode 100644
index 000000000..54ef22cb6
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch
@@ -0,0 +1,48 @@
+From 6ab531ef0d82efb9e00236ee5ea23928335d221f Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Fri, 7 Apr 2017 12:30:22 +0300
+Subject: [PATCH] Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
+We must not pretend that there are image data if there are none. Instead
+we fail reading the image file gracefully.
+Upstream-Status: Backport
+CVE: CVE-2016-10167
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_gd2.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 8df93c1..bae65ea 100644
+--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
+@@ -445,18 +445,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
+ 
+                                                if (im->trueColor) {
+                                                        if (!gdGetInt (&im->tpixels[y][x], in)) {
+-                                                               /*printf("EOF while reading\n"); */
+-                                                               /*gdImageDestroy(im); */
+-                                                               /*return 0; */
+-                                                               im->tpixels[y][x] = 0;
+                                                               gd_error("gd2: EOF while reading\n");
+                                                               gdImageDestroy(im);
+                                                               return NULL;
+                                                        }
+                                                } else {
+                                                        int ch;
+                                                        if (!gdGetByte (&ch, in)) {
+-                                                               /*printf("EOF while reading\n"); */
+-                                                               /*gdImageDestroy(im); */
+-                                                               /*return 0; */
+-                                                               ch = 0;
+                                                               gd_error("gd2: EOF while reading\n");
+                                                               gdImageDestroy(im);
+                                                               return NULL;
+                                                        }
+                                                        im->pixels[y][x] = ch;
+                                                }
+-- 
+2.10.2
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch
new file mode 100644
index 000000000..aef1060c4
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch
@@ -0,0 +1,38 @@
+From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Fri, 7 Apr 2017 12:32:49 +0300
+Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c
+GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
+byte unsigned). These values are multiplied and assigned to an int when
+reading the image, what can cause integer overflows. We have to avoid
+that, and also make sure that either chunk count is actually greater
+than zero. If illegal chunk counts are detected, we bail out from
+reading the image.
+Upstream-Status: Backport
+CVE: CVE-2016-10168
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_gd2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index bae65ea..9006bd2 100644
+--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
+@@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+        GD2_DBG (printf ("%d Chunks vertically\n", *ncy));
+ 
+        if (gd2_compressed (*fmt)) {
+               if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+                       GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+                       goto fail1;
+               }
+                nc = (*ncx) * (*ncy);
+ 
+                GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+-- 
+2.10.2
diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb
index 4ff6b756a..4e21d532d 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.3.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb
@@ -14,7 +14,9 @@ DEPENDS = "freetype libpng jpeg zlib tiff"
 SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
           file://fix-gcc-unused-functions.patch \
-           file://CVE-2016-10166.patch"
+           file://CVE-2016-10166.patch \
+           file://CVE-2016-10167.patch \
+           file://CVE-2016-10168.patch"
 SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
author	Catalin Enache <catalin.enache@windriver.com>	2017-04-07 13:10:53 +0300
committer	Martin Jansa <Martin.Jansa@gmail.com>	2017-04-18 14:21:39 +0200
commit	f66465d4d52a7a0df208a0701e3cb034e9c47bd3 (patch)
tree	c686eb28c0386b941dadccf5b28099ad8ee01059
parent	dcd6d5b2405e0be18694696dfb0221fc59e6d107 (diff)
download	meta-openembedded-f66465d4d52a7a0df208a0701e3cb034e9c47bd3.tar.gz

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch new file mode 100644 index 000000000..54ef22cb6 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch
@@ -0,0 +1,48 @@
		1	From 6ab531ef0d82efb9e00236ee5ea23928335d221f Mon Sep 17 00:00:00 2001
		2	From: Catalin Enache <catalin.enache@windriver.com>
		3	Date: Fri, 7 Apr 2017 12:30:22 +0300
		4	Subject: [PATCH] Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
		5
		6	We must not pretend that there are image data if there are none. Instead
		7	we fail reading the image file gracefully.
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2016-10167
		11
		12	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		13	---
		14	src/gd_gd2.c \| 14 ++++++--------
		15	1 file changed, 6 insertions(+), 8 deletions(-)
		16
		17	diff --git a/src/gd_gd2.c b/src/gd_gd2.c
		18	index 8df93c1..bae65ea 100644
		19	--- a/src/gd_gd2.c
		20	+++ b/src/gd_gd2.c
		21	@@ -445,18 +445,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
		22
		23	if (im->trueColor) {
		24	if (!gdGetInt (&im->tpixels[y][x], in)) {
		25	- /printf("EOF while reading\n"); /
		26	- /gdImageDestroy(im); /
		27	- /return 0; /
		28	- im->tpixels[y][x] = 0;
		29	+ gd_error("gd2: EOF while reading\n");
		30	+ gdImageDestroy(im);
		31	+ return NULL;
		32	}
		33	} else {
		34	int ch;
		35	if (!gdGetByte (&ch, in)) {
		36	- /printf("EOF while reading\n"); /
		37	- /gdImageDestroy(im); /
		38	- /return 0; /
		39	- ch = 0;
		40	+ gd_error("gd2: EOF while reading\n");
		41	+ gdImageDestroy(im);
		42	+ return NULL;
		43	}
		44	im->pixels[y][x] = ch;
		45	}
		46	--
		47	2.10.2
		48


diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch new file mode 100644 index 000000000..aef1060c4 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch
@@ -0,0 +1,38 @@
		1	From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001
		2	From: Catalin Enache <catalin.enache@windriver.com>
		3	Date: Fri, 7 Apr 2017 12:32:49 +0300
		4	Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c
		5
		6	GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
		7	byte unsigned). These values are multiplied and assigned to an int when
		8	reading the image, what can cause integer overflows. We have to avoid
		9	that, and also make sure that either chunk count is actually greater
		10	than zero. If illegal chunk counts are detected, we bail out from
		11	reading the image.
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2016-10168
		15
		16	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		17	---
		18	src/gd_gd2.c \| 4 ++++
		19	1 file changed, 4 insertions(+)
		20
		21	diff --git a/src/gd_gd2.c b/src/gd_gd2.c
		22	index bae65ea..9006bd2 100644
		23	--- a/src/gd_gd2.c
		24	+++ b/src/gd_gd2.c
		25	@@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int sx, int sy,
		26	GD2_DBG (printf ("%d Chunks vertically\n", *ncy));
		27
		28	if (gd2_compressed (*fmt)) {
		29	+ if (ncx <= 0 \|\| ncy <= 0 \|\| ncx > INT_MAX / ncy) {
		30	+ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", ncx, ncy));
		31	+ goto fail1;
		32	+ }
		33	nc = (ncx) (*ncy);
		34
		35	GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
		36	--
		37	2.10.2
		38


diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb index 4ff6b756a..4e21d532d 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.3.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb
@@ -14,7 +14,9 @@ DEPENDS = "freetype libpng jpeg zlib tiff"
14		14
15	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \	15	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
16	file://fix-gcc-unused-functions.patch \	16	file://fix-gcc-unused-functions.patch \
17	file://CVE-2016-10166.patch"	17	file://CVE-2016-10166.patch \
		18	file://CVE-2016-10167.patch \
		19	file://CVE-2016-10168.patch"
18		20
19	SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"	21	SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
20		22