Bug#930436: marked as done (unblock: libgd2/2.2.5-5.2)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 14 Jun 2019 12:49:55 +0000
with message-id <E1hbleV-0007gu-78@respighi.debian.org>
and subject line unblock libgd2
has caused the Debian Bug report #930436,
regarding unblock: libgd2/2.2.5-5.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930436
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: libgd2/2.2.5-5.2
• From: Jonas Meurer <jonas@freesources.org>
• Date: Wed, 12 Jun 2019 18:58:33 +0200
• Message-id: <[🔎] E1hb6a4-0006ks-Gw@mx3.freesources.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libgd2

libgd2 2.2.5-5.2 is a security upload that fixes CVE-2019-11038. Even
though the bug severity is only 'important', it would be nice to have
this security fix in Buster.

Here's the changelog:

libgd2 (2.2.5-5.2) unstable; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
    (Closes: #929821)

 -- Jonas Meurer <jonas@freesources.org>  Tue, 11 Jun 2019 16:21:57 +0200

Please find the debdiff attached to this mail.

unblock libgd2/2.2.5-5.2

Thanks a lot for your work.

Cheers
 jonas

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru libgd2-2.2.5/debian/changelog libgd2-2.2.5/debian/changelog
--- libgd2-2.2.5/debian/changelog	2019-02-02 10:55:00.000000000 +0100
+++ libgd2-2.2.5/debian/changelog	2019-06-11 16:21:57.000000000 +0200
@@ -1,3 +1,11 @@
+libgd2 (2.2.5-5.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
+    (Closes: #929821)
+
+ -- Jonas Meurer <jonas@freesources.org>  Tue, 11 Jun 2019 16:21:57 +0200
+
 libgd2 (2.2.5-5.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libgd2-2.2.5/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch libgd2-2.2.5/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch
--- libgd2-2.2.5/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.2.5/debian/patches/Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch	2019-06-11 16:21:57.000000000 +0200
@@ -0,0 +1,35 @@
+From: Jonas Meurer <jonas@freesources.org>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+
+Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 29bc5c2..1aad2ff 100755
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ 			}
+ 			h[3] = ch;
+ 		}
+-		sscanf(h, "%x", &b);
++		if (sscanf(h, "%x", &b) != 1) {
++			gd_error("invalid XBM");
++			gdImageDestroy(im);
++			return 0;
++		}
+ 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ 			if (x == im->sx) {
diff -Nru libgd2-2.2.5/debian/patches/series libgd2-2.2.5/debian/patches/series
--- libgd2-2.2.5/debian/patches/series	2019-02-02 10:55:00.000000000 +0100
+++ libgd2-2.2.5/debian/patches/series	2019-06-11 16:21:57.000000000 +0200
@@ -9,3 +9,4 @@
 bmp-check-return-value-in-gdImageBmpPtr.patch
 CVE-2019-6977.patch
 Fix-492-Potential-double-free-in-gdImage-Ptr.patch
+Fix-501-Uninitialized-read-in-gdImageCreateFromXbm.patch

--- End Message ---

--- Begin Message ---

• To: 930436-done@bugs.debian.org
• Subject: unblock libgd2
• From: Ivo De Decker <ivodd@respighi.debian.org>
• Date: Fri, 14 Jun 2019 12:49:55 +0000
• Message-id: <E1hbleV-0007gu-78@respighi.debian.org>

Unblocked libgd2.

--- End Message ---