SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   GD Library Vendors:   Boutell.com
(Fedora Issues Fix for FC3) GD Library Integer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012202
SecurityTracker URL:  http://securitytracker.com/id/1012202
CVE Reference:   CVE-2004-0990   (Links to External Site)
Date:  Nov 12 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.28
Description:   An integer overflow vulnerability was reported in the GD graphics library. A remote user may be able to execute arbitrary code on the target system.

sean reported that a remote user can create a specially crafted PNG image file to trigger the memory allocation error and subsequently overwrite the heap.

The flaw resides in the gdImageCreateFromPngCtx() function in 'gd_png.c', where user-supplied rowbytes and height values are multiplied and used to incorrectly allocate a pointer array.

The vendor has been notified.

Impact:   A remote user may be able to execute arbitrary code on the target system. The specific impact depends on the application using the library.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

1c43a52dbccf6fc0f41a51177f68039c SRPMS/gd-2.0.28-1.30.1.src.rpm
2d5162b7b1ee9cc41f6e449317a35544 x86_64/gd-2.0.28-1.30.1.x86_64.rpm
fdf01ac8589f415447db35126fa9c21d x86_64/gd-progs-2.0.28-1.30.1.x86_64.rpm
bebd31faf06696a1a4118e72fccfdef0 x86_64/gd-devel-2.0.28-1.30.1.x86_64.rpm
2f9e1862d862b7137f303fa63511ba3f
x86_64/debug/gd-debuginfo-2.0.28-1.30.1.x86_64.rpm
43fdf0c898b78cb6524ce7238b134ab0 x86_64/gd-2.0.28-1.30.1.i386.rpm
43fdf0c898b78cb6524ce7238b134ab0 i386/gd-2.0.28-1.30.1.i386.rpm
1775b1c9061551b38bed8a0345e13daa i386/gd-progs-2.0.28-1.30.1.i386.rpm
9e73a389b07da7ceb7f4571852344a0c i386/gd-devel-2.0.28-1.30.1.i386.rpm
70e4cb5dad28af83ee4237569c8a244c
i386/debug/gd-debuginfo-2.0.28-1.30.1.i386.rpm

Vendor URL:  www.boutell.com/gd/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC3

Message History:   This archive entry is a follow-up to the message listed below.
Oct 26 2004 GD Library Integer Overflow May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [SECURITY] Fedora Core 3 Update: gd-2.0.28-1.30.1


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-412
2004-11-11
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : gd
Version     : 2.0.28
Release     : 1.30.1
Summary     : A graphics library for quick creation of PNG or JPEG images.
Description :
The gd graphics library allows your code to quickly draw images
complete with lines, arcs, text, multiple colors, cut and paste from
other images, and flood fills, and to write out the result as a PNG or
JPEG file. This is particularly useful in Web applications, where PNG
and JPEG are two of the formats accepted for inline images by most
browsers. Note that gd is not a paint program.

---------------------------------------------------------------------
Update Information:

Several buffer overflows were reported in various memory allocation calls.
An attacker could create a carefully crafted image file in such a
way that it could cause ImageMagick to execute arbitrary code when
processing the image. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0990 to these issues.

Whilst researching the fixes to these overflows, additional buffer
overflows were discovered in calls to gdMalloc. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0941
to these issues.

Users of gd should upgrade to these updated packages, which contain a
backported security patch, and are not vulnerable to these issues.
---------------------------------------------------------------------
* Wed Nov 03 2004 Phil Knirsch <pknirsch@redhat.com> 2.0.28-1.30.1

- Fixed several buffer overflows for gdMalloc() calls


---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

1c43a52dbccf6fc0f41a51177f68039c  SRPMS/gd-2.0.28-1.30.1.src.rpm
2d5162b7b1ee9cc41f6e449317a35544  x86_64/gd-2.0.28-1.30.1.x86_64.rpm
fdf01ac8589f415447db35126fa9c21d  x86_64/gd-progs-2.0.28-1.30.1.x86_64.rpm
bebd31faf06696a1a4118e72fccfdef0  x86_64/gd-devel-2.0.28-1.30.1.x86_64.rpm
2f9e1862d862b7137f303fa63511ba3f 
x86_64/debug/gd-debuginfo-2.0.28-1.30.1.x86_64.rpm
43fdf0c898b78cb6524ce7238b134ab0  x86_64/gd-2.0.28-1.30.1.i386.rpm
43fdf0c898b78cb6524ce7238b134ab0  i386/gd-2.0.28-1.30.1.i386.rpm
1775b1c9061551b38bed8a0345e13daa  i386/gd-progs-2.0.28-1.30.1.i386.rpm
9e73a389b07da7ceb7f4571852344a0c  i386/gd-devel-2.0.28-1.30.1.i386.rpm
70e4cb5dad28af83ee4237569c8a244c 
i386/debug/gd-debuginfo-2.0.28-1.30.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

-- 
Philipp Knirsch      | Tel.:  +49-711-96437-470
Development          | Fax.:  +49-711-96437-111
Red Hat GmbH         | Email: Phil Knirsch <phil@redhat.de>
Hauptstaetterstr. 58 | Web:   http://www.redhat.de/
D-70178 Stuttgart
Motd:  You're only jealous cos the little penguins are talking to me.

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC