SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   GD Library Vendors:   Boutell.com
(Fedora Issues Fix for FC2) GD Library Integer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012204
SecurityTracker URL:  http://securitytracker.com/id/1012204
CVE Reference:   CVE-2004-0990   (Links to External Site)
Date:  Nov 12 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.28
Description:   An integer overflow vulnerability was reported in the GD graphics library. A remote user may be able to execute arbitrary code on the target system.

sean reported that a remote user can create a specially crafted PNG image file to trigger the memory allocation error and subsequently overwrite the heap.

The flaw resides in the gdImageCreateFromPngCtx() function in 'gd_png.c', where user-supplied rowbytes and height values are multiplied and used to incorrectly allocate a pointer array.

The vendor has been notified.

Impact:   A remote user may be able to execute arbitrary code on the target system. The specific impact depends on the application using the library.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

860ef179fc02b24faeb9c7ad6d3dd2c5 SRPMS/gd-2.0.21-5.20.1.src.rpm
cc924e3a5eb622f8729a8940472bc19f x86_64/gd-2.0.21-5.20.1.x86_64.rpm
cbfe3743fb6ed1d11e562af6617dd6cf x86_64/gd-progs-2.0.21-5.20.1.x86_64.rpm
899927fad1d49a55bedd96f12d308a81 x86_64/gd-devel-2.0.21-5.20.1.x86_64.rpm
4f034123d7a07054a2284fd1aef02e2e
x86_64/debug/gd-debuginfo-2.0.21-5.20.1.x86_64.rpm
32203e8cff61a2a6799426b695f35650 i386/gd-2.0.21-5.20.1.i386.rpm
2812f648f8f6570b51b326fb400e985f i386/gd-progs-2.0.21-5.20.1.i386.rpm
7e48d961b951212bc44372b489da9917 i386/gd-devel-2.0.21-5.20.1.i386.rpm
6dd526e9a1a3cbf79b36671335328224
i386/debug/gd-debuginfo-2.0.21-5.20.1.i386.rpm

Vendor URL:  www.boutell.com/gd/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 26 2004 GD Library Integer Overflow May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: gd-2.0.21-5.20.1


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-411
2004-11-11
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : gd
Version     : 2.0.21
Release     : 5.20.1
Summary     : A graphics library for quick creation of PNG or JPEG images.
Description :
The gd graphics library allows your code to quickly draw images
complete with lines, arcs, text, multiple colors, cut and paste from
other images, and flood fills, and to write out the result as a PNG or
JPEG file. This is particularly useful in Web applications, where PNG
and JPEG are two of the formats accepted for inline images by most
browsers. Note that gd is not a paint program.

---------------------------------------------------------------------
Update Information:

Several buffer overflows were reported in various memory allocation calls.
An attacker could create a carefully crafted image file in such a
way that it could cause ImageMagick to execute arbitrary code when
processing the image. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0990 to these issues.

Whilst researching the fixes to these overflows, additional buffer
overflows were discovered in calls to gdMalloc. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0941
to these issues.

Users of gd should upgrade to these updated packages, which contain a
backported security patch, and are not vulnerable to these issues.
---------------------------------------------------------------------
* Thu Nov 04 2004 Phil Knirsch <pknirsch@redhat.com> 2.0.21-5.20.1

- Backport of fix for several buffer overflows in gdMalloc() calls


---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

860ef179fc02b24faeb9c7ad6d3dd2c5  SRPMS/gd-2.0.21-5.20.1.src.rpm
cc924e3a5eb622f8729a8940472bc19f  x86_64/gd-2.0.21-5.20.1.x86_64.rpm
cbfe3743fb6ed1d11e562af6617dd6cf  x86_64/gd-progs-2.0.21-5.20.1.x86_64.rpm
899927fad1d49a55bedd96f12d308a81  x86_64/gd-devel-2.0.21-5.20.1.x86_64.rpm
4f034123d7a07054a2284fd1aef02e2e 
x86_64/debug/gd-debuginfo-2.0.21-5.20.1.x86_64.rpm
32203e8cff61a2a6799426b695f35650  i386/gd-2.0.21-5.20.1.i386.rpm
2812f648f8f6570b51b326fb400e985f  i386/gd-progs-2.0.21-5.20.1.i386.rpm
7e48d961b951212bc44372b489da9917  i386/gd-devel-2.0.21-5.20.1.i386.rpm
6dd526e9a1a3cbf79b36671335328224 
i386/debug/gd-debuginfo-2.0.21-5.20.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

-- 
Philipp Knirsch      | Tel.:  +49-711-96437-470
Development          | Fax.:  +49-711-96437-111
Red Hat GmbH         | Email: Phil Knirsch <phil@redhat.de>
Hauptstaetterstr. 58 | Web:   http://www.redhat.de/
D-70178 Stuttgart
Motd:  You're only jealous cos the little penguins are talking to me.

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC