libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function

Related Vulnerabilities: CVE-2018-1000222, CVE-2018-5711

Debian Bug report logs - #906886

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 Aug 2018 20:03:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libgd2/2.2.4-1

Fixed in versions libgd2/2.2.5-4.1, libgd2/2.2.4-2+deb9u3

Done: Moritz Mühlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libgd/libgd/issues/447



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#906886; Package src:libgd2. (Tue, 21 Aug 2018 20:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>. (Tue, 21 Aug 2018 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function
Date: Tue, 21 Aug 2018 21:59:33 +0200
Source: libgd2
Version: 2.2.4-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/libgd/libgd/issues/447

Hi,

The following vulnerability was published for libgd2.

CVE-2018-1000222[0]:
| Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability
| in gdImageBmpPtr Function that can result in Remote Code Execution .
| This attack appear to be exploitable via Specially Crafted Jpeg Image
| can trigger double free. This vulnerability appears to have been fixed
| in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000222
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
[1] https://github.com/libgd/libgd/issues/447
[2] https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#906886; Package src:libgd2. (Sat, 25 Aug 2018 11:12:04 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Sat, 25 Aug 2018 11:12:04 GMT)


Message #10 received at 906886@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 906886@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function
Date: Sat, 25 Aug 2018 12:08:52 +0100

Dear security team,

> libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function

Am planning on preparing parallel updates to jessie & wheezy, would you
like a package for stretch too...?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#906886; Package src:libgd2. (Sat, 25 Aug 2018 14:36:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Sat, 25 Aug 2018 14:36:04 GMT)


Message #15 received at 906886@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: 906886@bugs.debian.org, team@security.debian.org
Subject: Re: libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function
Date: Sat, 25 Aug 2018 16:26:33 +0200

On Sat, Aug 25, 2018 at 12:08:52PM +0100, Chris Lamb wrote:
> Dear security team,
> 
> > libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function
> 
> Am planning on preparing parallel updates to jessie & wheezy, would you
> like a package for stretch too...?

No, on glibc this is a harmless crash bug and doesn't warrant a DSA. I'll
mark it as <postponed> for a future update.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#906886; Package src:libgd2. (Sat, 25 Aug 2018 15:45:25 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Sat, 25 Aug 2018 15:45:25 GMT)


Message #20 received at 906886@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 906886@bugs.debian.org, team@security.debian.org
Subject: Re: libgd2: CVE-2018-1000222: double-free vulnerability in gdImageBmpPtr function
Date: Sat, 25 Aug 2018 16:42:30 +0100

Dear Moritz,

> > Am planning on preparing parallel updates to jessie & wheezy, would you
> > like a package for stretch too...?
> 
> No, on glibc this is a harmless crash bug and doesn't warrant a DSA. I'll
> mark it as <postponed> for a future update.

Thanks. For my own edification/education, how does one determine the
difference?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 27 Aug 2018 17:15:07 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 887485-submit@bugs.debian.org. (Fri, 05 Oct 2018 22:36:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#906886; Package src:libgd2. (Fri, 05 Oct 2018 22:36:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Fri, 05 Oct 2018 22:36:08 GMT)


Message #29 received at 906886@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 887485@bugs.debian.org, 906840@bugs.debian.org, 906886@bugs.debian.org
Cc: jmm@debian.org, ondrej@sury.org
Subject: libgd2: diff for NMU version 2.2.5-4.1
Date: Sat, 6 Oct 2018 00:33:36 +0200

Control: tags 887485 + patch
Control: tags 887485 + pending
Control: tags 906840 + pending
Control: tags 906886 + pending


Dear maintainer,

I've prepared an NMU for libgd2 (versioned as 2.2.5-4.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

I'm aware though that this upload will not allow the fixes to go to
testing, as there are two more RC bugs (#899928, needing decision for
maintainer address, and a second one #883760).

The main purpose for this still incomplete NMU is to allow #910396
("stretch-pu: package libgd2/2.2.4-2+deb9u3") to be possible to be
included for 9.6.

Regards,
Salvatore
[libgd2-2.2.5-4.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 10 Oct 2018 23:12:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Oct 2018 23:12:08 GMT)


Message #34 received at 906886-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 906886-close@bugs.debian.org
Subject: Bug#906886: fixed in libgd2 2.2.5-4.1
Date: Wed, 10 Oct 2018 23:08:48 +0000
Source: libgd2
Source-Version: 2.2.5-4.1

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Oct 2018 00:22:59 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source
Version: 2.2.5-4.1
Distribution: unstable
Urgency: medium
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 887485 906840 906886
Description: 
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd3     - GD Graphics Library
Changes:
 libgd2 (2.2.5-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Potential infinite loop in gdImageCreateFromGifCtx (CVE-2018-5711)
     (Closes: #887485)
   * bmp: check return value in gdImageBmpPtr (CVE-2018-1000222)
     (Closes: #906886)
   * Remove src/Makefile.am patching in
     tests-make-a-little-change-for-autopkgtest.patch.  Fixes "libgd2 FTBFS:
     cannot find -lgd".
     Thanks to Helmut Grohne and Adrian Bunk (Closes: #906840)




Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Sat, 20 Oct 2018 09:48:48 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2018 09:48:48 GMT)


Message #39 received at 906886-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 906886-close@bugs.debian.org
Subject: Bug#906886: fixed in libgd2 2.2.4-2+deb9u3
Date: Sat, 20 Oct 2018 09:48:12 +0000
Source: libgd2
Source-Version: 2.2.4-2+deb9u3

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 07 Sep 2018 19:29:19 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source amd64
Version: 2.2.4-2+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd3     - GD Graphics Library
Closes: 887485 906886
Changes:
 libgd2 (2.2.4-2+deb9u3) stretch; urgency=medium
 .
   * CVE-2018-1000222 (Closes: #906886)
   * CVE-2018-5711 (Closes: #887485)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Dec 2018 07:31:57 GMT)

