libgd2: CVE-2018-5711 Infinite loop via crafted gif file

Related Vulnerabilities: CVE-2018-5711, CVE-2018-1000222

Debian Bug report logs - #887485
libgd2: CVE-2018-5711 Infinite loop via crafted gif file


Package: libgd2; Maintainer for libgd2 is GD Team <team+gd@tracker.debian.org>;

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Wed, 17 Jan 2018 08:54:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions 2.2.5-4, 2.1.0-5

Fixed in versions libgd2/2.2.5-4.1, libgd2/2.2.4-2+deb9u3

Done: Moritz Mühlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libgd/libgd/issues/420



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#887485; Package libgd2. (Wed, 17 Jan 2018 08:54:04 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>. (Wed, 17 Jan 2018 08:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: libgd2: CVE-2018-5711 Inifinite loop vi crafted gif file
Date: Wed, 17 Jan 2018 09:51:23 +0100
Package: libgd2
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: important
Tags: security

Hi,

the following vulnerability was published for libgd2.

CVE-2018-5711[0]:
| gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP
| before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
| before 7.2.1, has an integer signedness error that leads to an infinite
| loop via a crafted GIF file, as demonstrated by a call to the
| imagecreatefromgif or imagecreatefromstring PHP function. This is
| related to GetCode_ and gdImageCreateFromGifCtx.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5711
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711

Please adjust the affected versions in the BTS as needed.
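
The bug class named in the CVE description above, shown as an added example that is not part of the original report and is not libgd's code: a reader's signed error return is stored in an unsigned variable, so the end-of-data test never fires. All names (`read_block`, `drain`, `src_t`, `MAX_ITER`) and both byte strings are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_ITER 100000L  /* demo-only cap so the flawed loop terminates */

/* Constructed input: one 2-byte sub-block, then the data simply ends. */
static const unsigned char TRUNCATED[] = { 0x02, 0xAA, 0xBB };
/* Same sub-block followed by the zero-length terminator block. */
static const unsigned char TERMINATED[] = { 0x02, 0xAA, 0xBB, 0x00 };

typedef struct { const unsigned char *data; size_t len, pos; } src_t;

/* Hypothetical sub-block reader: returns bytes read, 0 for a terminator
 * block, or -1 when the input is exhausted. */
static int read_block(src_t *s, unsigned char *out)
{
    if (s->pos >= s->len) return -1;
    size_t n = s->data[s->pos++];
    if (s->len - s->pos < n) { s->pos = s->len; return -1; }
    for (size_t i = 0; i < n; i++) out[i] = s->data[s->pos++];
    return (int)n;
}

/* Returns how many times the read loop ran. fixed == 0 stores the result in
 * an unsigned char (-1 becomes 255, so "<= 0" misses the error);
 * fixed != 0 keeps it in an int, so the error ends the loop. */
long drain(const unsigned char *data, size_t len, int fixed)
{
    src_t s = { data, len, 0 };
    unsigned char buf[255], ucount;
    int icount, done = 0;
    long iter = 0;
    while (!done && iter < MAX_ITER) {
        if (fixed) { icount = read_block(&s, buf); done = (icount <= 0); }
        else       { ucount = read_block(&s, buf); done = (ucount <= 0); }
        iter++;
    }
    return iter;
}

int main(void)
{
    printf("flawed, truncated:  %ld\n", drain(TRUNCATED, sizeof TRUNCATED, 0));
    printf("fixed,  truncated:  %ld\n", drain(TRUNCATED, sizeof TRUNCATED, 1));
    printf("flawed, terminated: %ld\n", drain(TERMINATED, sizeof TERMINATED, 0));
    return 0;
}
```

Without the demo cap the flawed variant would never return on the truncated input, which is why a decoder exposed to untrusted images also benefits from an execution time limit around it.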



Changed Bug title to 'libgd2: CVE-2018-5711 Inifinite loop via crafted gif file' from 'libgd2: CVE-2018-5711 Inifinite loop vi crafted gif file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jan 2018 09:15:46 GMT)


Marked as found in versions 2.2.5-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jan 2018 09:30:06 GMT)


Marked as found in versions 2.1.0-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jan 2018 09:33:05 GMT)


Set Bug forwarded-to-address to 'https://github.com/libgd/libgd/issues/420'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jan 2018 20:15:06 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 12 Feb 2018 17:37:34 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 Oct 2018 21:06:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#887485; Package libgd2. (Fri, 05 Oct 2018 22:36:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Fri, 05 Oct 2018 22:36:02 GMT)


Message #22 received at 887485@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 887485@bugs.debian.org, 906840@bugs.debian.org, 906886@bugs.debian.org
Cc: jmm@debian.org, ondrej@sury.org
Subject: libgd2: diff for NMU version 2.2.5-4.1
Date: Sat, 6 Oct 2018 00:33:36 +0200
Control: tags 887485 + patch
Control: tags 887485 + pending
Control: tags 906840 + pending
Control: tags 906886 + pending


Dear maintainer,

I've prepared an NMU for libgd2 (versioned as 2.2.5-4.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

I'm aware though that this upload will not allow the fixes to go to
testing, as there are two more RC bugs (#899928, needing decision for
maintainer address, and a second one #883760).

The main purpose for this still incomplete NMU is to allow #910396
("stretch-pu: package libgd2/2.2.4-2+deb9u3") to be possible to be
included for 9.6.

Regards,
Salvatore
[libgd2-2.2.5-4.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 887485-submit@bugs.debian.org. (Fri, 05 Oct 2018 22:36:02 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 887485-submit@bugs.debian.org. (Fri, 05 Oct 2018 22:36:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 10 Oct 2018 23:12:03 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Wed, 10 Oct 2018 23:12:04 GMT)


Message #31 received at 887485-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 887485-close@bugs.debian.org
Subject: Bug#887485: fixed in libgd2 2.2.5-4.1
Date: Wed, 10 Oct 2018 23:08:48 +0000
Source: libgd2
Source-Version: 2.2.5-4.1

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887485@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Oct 2018 00:22:59 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source
Version: 2.2.5-4.1
Distribution: unstable
Urgency: medium
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 887485 906840 906886
Description:
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd3     - GD Graphics Library
Changes:
 libgd2 (2.2.5-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Potential infinite loop in gdImageCreateFromGifCtx (CVE-2018-5711)
     (Closes: #887485)
   * bmp: check return value in gdImageBmpPtr (CVE-2018-1000222)
     (Closes: #906886)
   * Remove src/Makefile.am patching in
     tests-make-a-little-change-for-autopkgtest.patch.  Fixes "libgd2 FTBFS:
     cannot find -lgd".
     Thanks to Helmut Grohne and Adrian Bunk (Closes: #906840)




Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Sat, 20 Oct 2018 09:48:43 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2018 09:48:43 GMT)


Message #36 received at 887485-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 887485-close@bugs.debian.org
Subject: Bug#887485: fixed in libgd2 2.2.4-2+deb9u3
Date: Sat, 20 Oct 2018 09:48:12 +0000
Source: libgd2
Source-Version: 2.2.4-2+deb9u3

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887485@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 07 Sep 2018 19:29:19 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source amd64
Version: 2.2.4-2+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd3     - GD Graphics Library
Closes: 887485 906886
Changes:
 libgd2 (2.2.4-2+deb9u3) stretch; urgency=medium
 .
   * CVE-2018-1000222 (Closes: #906886)
   * CVE-2018-5711 (Closes: #887485)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Dec 2018 07:31:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:57 2019; Machine Name: beach
