Control: tags 920645 + pending Control: tags 920728 + patch Control: tags 920728 + pending
Dear maintainer, I've prepared an NMU for libgd2 (versioned as 2.2.5-5.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libgd2-2.2.5/debian/changelog libgd2-2.2.5/debian/changelog --- libgd2-2.2.5/debian/changelog 2018-10-28 23:20:23.000000000 +0100 +++ libgd2-2.2.5/debian/changelog 2019-02-02 10:55:00.000000000 +0100 @@ -1,3 +1,12 @@ +libgd2 (2.2.5-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977) + (Closes: #920645) + * Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 02 Feb 2019 10:55:00 +0100 + libgd2 (2.2.5-5) unstable; urgency=medium * Update Vcs-* links to salsa.d.o diff -Nru libgd2-2.2.5/debian/patches/CVE-2019-6977.patch libgd2-2.2.5/debian/patches/CVE-2019-6977.patch --- libgd2-2.2.5/debian/patches/CVE-2019-6977.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.2.5/debian/patches/CVE-2019-6977.patch 2019-02-02 10:55:00.000000000 +0100 @@ -0,0 +1,28 @@ +Description: Heap-based buffer overflow in gdImageColorMatch +Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced +Bug-PHP: https://bugs.php.net/bug.php?id=77270 +Bug-Debian: https://bugs.debian.org/920645 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977 +Forwarded: no +Author: "Christoph M. Becker" <cmbecke...@gmx.de> +Last-Update: 2019-02-01 + +At least some of the image reading functions may return images which +use color indexes greater than or equal to im->colorsTotal. We cater +to this by always using a buffer size which is sufficient for +`gdMaxColors` in `gdImageColorMatch()`. +--- + +--- a/src/gd_color_match.c ++++ b/src/gd_color_match.c +@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + + for (x=0; x < im1->sx; x++) { + for( y=0; y<im1->sy; y++ ) { diff -Nru libgd2-2.2.5/debian/patches/Fix-492-Potential-double-free-in-gdImage-Ptr.patch libgd2-2.2.5/debian/patches/Fix-492-Potential-double-free-in-gdImage-Ptr.patch --- libgd2-2.2.5/debian/patches/Fix-492-Potential-double-free-in-gdImage-Ptr.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.2.5/debian/patches/Fix-492-Potential-double-free-in-gdImage-Ptr.patch 2019-02-02 10:55:00.000000000 +0100 @@ -0,0 +1,259 @@ +From: "Christoph M. Becker" <cmbecke...@gmx.de> +Date: Thu, 17 Jan 2019 11:54:55 +0100 +Subject: Fix #492: Potential double-free in gdImage*Ptr() +Origin: https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6978 +Bug-Debian: https://bugs.debian.org/920728 +Bug: https://github.com/libgd/libgd/issues/492 + +Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we +must not call `gdDPExtractData()`; otherwise a double-free would +happen. Since `gdImage*Ctx()` are void functions, and we can't change +that for BC reasons, we're introducing static helpers which are used +internally. + +We're adding a regression test for `gdImageJpegPtr()`, but not for +`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to +trigger failure of the respective `gdImage*Ctx()` calls. + +This potential security issue has been reported by Solmaz Salimi (aka. +Rooney). +--- + +--- a/src/gd_gif_out.c ++++ b/src/gd_gif_out.c +@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); + static void char_out(int c, GifCtx *ctx); + static void flush_char(GifCtx *ctx); + ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); + + + +@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImag + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageGifCtx(im, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageGifCtx(im, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -221,6 +225,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr + */ + BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + { ++ _gdImageGifCtx(im, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) ++{ + gdImagePtr pim = 0, tim = im; + int interlace, BitsPerPixel; + interlace = im->interlace; +@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImageP + based temporary image. */ + pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); + if(!pim) { +- return; ++ return 1; + } + tim = pim; + } +@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImageP + /* Destroy palette based temporary image. */ + gdImageDestroy( pim); + } ++ ++ return 0; + } + + +--- a/src/gd_jpeg.c ++++ b/src/gd_jpeg.c +@@ -123,6 +123,8 @@ static void fatal_jpeg_error(j_common_pt + exit(99); + } + ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); ++ + /* + * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality + * QUALITY. If QUALITY is in the range 0-100, increasing values +@@ -237,8 +239,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdIma + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageJpegCtx(im, out, quality); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageJpegCtx(im, out, quality)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -260,6 +265,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr ci + */ + BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + { ++ _gdImageJpegCtx(im, outfile, quality); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) ++{ + struct jpeg_compress_struct cinfo; + struct jpeg_error_mgr jerr; + int i, j, jidx; +@@ -293,7 +304,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImage + if(row) { + gdFree(row); + } +- return; ++ return 1; + } + + cinfo.err->emit_message = jpeg_emit_message; +@@ -334,7 +345,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImage + if(row == 0) { + gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); + jpeg_destroy_compress(&cinfo); +- return; ++ return 1; + } + + rowptr[0] = row; +@@ -411,6 +422,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImage + jpeg_finish_compress(&cinfo); + jpeg_destroy_compress(&cinfo); + gdFree(row); ++ return 0; + } + + +--- a/src/gd_wbmp.c ++++ b/src/gd_wbmp.c +@@ -88,6 +88,8 @@ int gd_getin(void *in) + return (gdGetC((gdIOCtx *)in)); + } + ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); ++ + /* + Function: gdImageWBMPCtx + +@@ -101,13 +103,19 @@ int gd_getin(void *in) + */ + BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + { ++ _gdImageWBMPCtx(image, fg, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) ++{ + int x, y, pos; + Wbmp *wbmp; + + /* create the WBMP */ + if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { + gd_error("Could not create WBMP\n"); +- return; ++ return 1; + } + + /* fill up the WBMP structure */ +@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImage + + /* write the WBMP to a gd file descriptor */ + if(writewbmp(wbmp, &gd_putout, out)) { ++ freewbmp(wbmp); + gd_error("Could not save WBMP\n"); ++ return 1; + } + + /* des submitted this bugfix: gdFree the memory. */ + freewbmp(wbmp); ++ ++ return 0; + } + + /* +@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdIma + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageWBMPCtx(im, fg, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageWBMPCtx(im, fg, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +--- a/tests/jpeg/CMakeLists.txt ++++ b/tests/jpeg/CMakeLists.txt +@@ -2,6 +2,7 @@ IF(JPEG_FOUND) + LIST(APPEND TESTS_FILES + jpeg_empty_file + jpeg_im2im ++ jpeg_ptr_double_free + jpeg_null + ) + +--- a/tests/jpeg/Makemodule.am ++++ b/tests/jpeg/Makemodule.am +@@ -2,7 +2,8 @@ if HAVE_LIBJPEG + libgd_test_programs += \ + jpeg/jpeg_empty_file \ + jpeg/jpeg_im2im \ +- jpeg/jpeg_null ++ jpeg/jpeg_null \ ++ jpeg/jpeg_ptr_double_free + + if HAVE_LIBPNG + libgd_test_programs += \ +--- /dev/null ++++ b/tests/jpeg/jpeg_ptr_double_free.c +@@ -0,0 +1,31 @@ ++/** ++ * Test that failure to convert to JPEG returns NULL ++ * ++ * We are creating an image, set its width to zero, and pass this image to ++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL. ++ * ++ * See also <https://github.com/libgd/libgd/issues/381> ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr src, dst; ++ int size; ++ ++ src = gdImageCreateTrueColor(1, 10); ++ gdTestAssert(src != NULL); ++ ++ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */ ++ ++ dst = gdImageJpegPtr(src, &size, 0); ++ gdTestAssert(dst == NULL); ++ ++ gdImageDestroy(src); ++ ++ return gdNumFailures(); ++} diff -Nru libgd2-2.2.5/debian/patches/series libgd2-2.2.5/debian/patches/series --- libgd2-2.2.5/debian/patches/series 2018-10-28 23:20:23.000000000 +0100 +++ libgd2-2.2.5/debian/patches/series 2019-02-02 10:55:00.000000000 +0100 @@ -7,3 +7,5 @@ tests-make-a-little-change-for-autopkgtest.patch Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch bmp-check-return-value-in-gdImageBmpPtr.patch +CVE-2019-6977.patch +Fix-492-Potential-double-free-in-gdImage-Ptr.patch