Bug#930438: stretch-pu: package libgd2/2.2.4-2+deb9u5
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
please accept libgd2 2.2.5-5.2 into stretch-proposed-updates.
libgd2 2.2.5-5.2 is a security upload that fixes CVE-2019-11038. Even
though the bug severity is only 'important', it would be nice to have
this security fix in Buster.
Here's the changelog:
libgd2 (2.2.4-2+deb9u5) stretch; urgency=high

  * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
    (Closes: #929821)

 -- Jonas Meurer <jonas@freesources.org>  Tue, 11 Jun 2019 17:33:42 +0200
Please find the debdiff attached to this mail.
Thanks a lot for your work.
Cheers
jonas
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libgd2-2.2.4/debian/changelog libgd2-2.2.4/debian/changelog
--- libgd2-2.2.4/debian/changelog 2019-02-02 10:49:03.000000000 +0100
+++ libgd2-2.2.4/debian/changelog 2019-06-11 17:33:42.000000000 +0200
@@ -1,3 +1,10 @@
+libgd2 (2.2.4-2+deb9u5) stretch; urgency=high
+
+ * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
+ (Closes: #929821)
+
+ -- Jonas Meurer <jonas@freesources.org> Tue, 11 Jun 2019 17:33:42 +0200
+
libgd2 (2.2.4-2+deb9u4) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
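Review bot: the version in this changelog entry, 2.2.4-2+deb9u5, does not match the 2.2.5-5.2 named in the request body ("please accept libgd2 2.2.5-5.2 into stretch-proposed-updates"); the request should name 2.2.4-2+deb9u5, the version this debdiff actually carries, so the release team acts on the right upload. Targeting `stretch` rather than `stretch-security` is correct for a proposed-update, and the urgency=high line matches the security nature of the fix.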
diff -Nru libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch
--- libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.2.4/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch 2019-06-11 17:33:42.000000000 +0200
@@ -0,0 +1,35 @@
+From: Jonas Meurer <jonas@freesources.org>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+
+Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 5f09b56..9d6dd20 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -166,7 +166,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ }
+ h[3] = ch;
+ }
+- sscanf(h, "%x", &b);
++ if (sscanf(h, "%x", &b) != 1) {
++ gd_error("invalid XBM");
++ gdImageDestroy(im);
++ return 0;
++ }
+ for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ if (x == im->sx) {
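Review bot: the DEP-3 header of the new patch file carries `Bug:`, `Bug-Debian:` and `Bug-Debian-Security:` but no `Origin:` line, even though the description credits Christoph M. Becker's PHP commit as the source of the fix; add `Origin: backport, https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184` so the provenance is machine-readable rather than only in free text. On the code change itself, checking `if (sscanf(h, "%x", &b) != 1)` and bailing out closes the path where `b` was left unset and then read in `gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0)`; a small defensive addition would be to initialize `b` at its declaration so a future edit cannot reintroduce the uninitialized read, and `return NULL;` would match the `gdImagePtr` return type more clearly than `return 0;`, although both compile to the same thing.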
diff -Nru libgd2-2.2.4/debian/patches/series libgd2-2.2.4/debian/patches/series
--- libgd2-2.2.4/debian/patches/series 2019-02-02 10:49:03.000000000 +0100
+++ libgd2-2.2.4/debian/patches/series 2019-06-11 17:33:42.000000000 +0200
@@ -9,3 +9,4 @@
0009-CVE-2018-5711.patch
CVE-2019-6977.patch
Fix-492-Potential-double-free-in-gdImage-Ptr.patch
+Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch