Bug 1022265 (CVE-2016-10168) - VUL-0: CVE-2016-10168: gd,php5,php53,php7: Signed Integer Overflow gd_io.c
Summary: VUL-0: CVE-2016-10168: gd,php5,php53,php7: Signed Integer Overflow gd_io.c
Status: RESOLVED FIXED
Alias: CVE-2016-10168
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2017-02-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:63366:moderate CVSSv2:S...
Keywords:
Depends on: 1022069
Blocks:
  Show dependency treegraph
 
Reported: 2017-01-27 12:56 UTC by Andreas Stieger
Modified: 2018-10-07 06:38 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
ext_gd_tests_bug73869a.gd2 (92 bytes, application/octet-stream)
2017-02-14 09:30 UTC, Marcus Meissner 		Details
ext_gd_tests_bug73869b.gd2 (18 bytes, application/octet-stream)
2017-02-14 09:30 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2017-01-27 12:56:46 UTC 
+++ This bug was initially created as a clone of Bug #1022069 +++

Ref: http://seclists.org/oss-sec/2017/q1/202
===============================================

3/ Fix #354: Signed Integer Overflow gd_io.c
Commit: https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6
Issue: https://github.com/libgd/libgd/issues/354
Comment 1 Swamp Workflow Management 2017-01-27 23:01:45 UTC 
bugbot adjusting priority
Comment 2 Mikhail Kasimov 2017-01-28 21:33:48 UTC 
CVE Assignment Team: "Use CVE-2016-10168.

(This CVE is for all of 69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6.
In other words, "make sure that either chunk count is actually greater
than zero" does not have a separate CVE.)" (ref: http://seclists.org/oss-sec/2017/q1/218)
Comment 3 Andreas Stieger 2017-01-30 12:15:58 UTC 
All versions seem affected
Comment 4 Swamp Workflow Management 2017-01-30 13:08:55 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63366
Comment 5 Swamp Workflow Management 2017-01-30 13:23:51 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367
Comment 7 Petr Gajdos 2017-01-31 14:41:30 UTC 
all php versions

BEFORE

$ php test.php
PHP Warning:  imagecreatefromgd2(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
 in /022265/test.php on line 2
PHP Warning:  imagecreatefromgd2(): 'bug73869a.gd2' is not a valid GD2 file in /022265/test.php on line 2
bool(false)
PHP Warning:  imagecreatefromgd2(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
 in /022265/test.php on line 3
PHP Warning:  imagecreatefromgd2(): 'bug73869b.gd2' is not a valid GD2 file in /022265/test.php on line 3
bool(false)
$

AFTER

$ php test.php
PHP Warning:  imagecreatefromgd2(): 'bug73869a.gd2' is not a valid GD2 file in /022265/test.php on line 2
bool(false)
PHP Warning:  imagecreatefromgd2(): 'bug73869b.gd2' is not a valid GD2 file in /022265/test.php on line 3
bool(false)
$
Comment 9 Petr Gajdos 2017-02-01 13:27:24 UTC 
All versions of gd affected.
Comment 10 Petr Gajdos 2017-02-01 14:54:54 UTC 
I believe all fixed.
Comment 12 Swamp Workflow Management 2017-02-02 16:15:52 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63376
Comment 13 Marcus Meissner 2017-02-14 09:30:01 UTC 
Created attachment 713960 [details]
ext_gd_tests_bug73869a.gd2

QA REPRODUCER (gd):

gd2togif ext_gd_tests_bug73869a.gd2 foo.gif

should not report "GD Warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully", but only

"Input is not in GD2 format!"
Comment 14 Marcus Meissner 2017-02-14 09:30:44 UTC 
Created attachment 713961 [details]
ext_gd_tests_bug73869b.gd2

QA REOPRODUCER(gd):

gd2togif ext_gd_tests_bug73869b.gd2 foo.gif

should only report that this is not a valid GD2 input file.
Comment 15 Swamp Workflow Management 2017-02-14 17:08:48 UTC 
SUSE-SU-2017:0459-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022264,1022265,1022283
CVE References: CVE-2016-10167,CVE-2016-10168,CVE-2016-9317
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gd-2.0.36.RC1-52.32.1
SUSE Linux Enterprise Server 11-SP4 (src):    gd-2.0.36.RC1-52.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gd-2.0.36.RC1-52.32.1
Comment 16 Swamp Workflow Management 2017-02-15 11:10:21 UTC 
SUSE-SU-2017:0468-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022263,1022264,1022265,1022283,1022284,1022553
CVE References: CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-6906,CVE-2016-6912,CVE-2016-9317
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Server 12-SP2 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Server 12-SP1 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gd-2.1.0-23.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gd-2.1.0-23.1
Comment 18 Swamp Workflow Management 2017-02-22 14:10:27 UTC 
SUSE-SU-2017:0534-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1008026,1019547,1019550,1019568,1019570,1022219,1022255,1022257,1022260,1022262,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10162,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478,CVE-2016-7479,CVE-2016-7480,CVE-2016-9138,CVE-2017-5340
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-35.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-35.1
Comment 19 Swamp Workflow Management 2017-02-22 20:32:16 UTC 
openSUSE-SU-2017:0548-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022263,1022264,1022265,1022283,1022284,1022553
CVE References: CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-6906,CVE-2016-6912,CVE-2016-9317
Sources used:
openSUSE Leap 42.2 (src):    gd-2.1.0-16.1
openSUSE Leap 42.1 (src):    gd-2.1.0-19.1
Comment 20 Swamp Workflow Management 2017-02-23 14:09:34 UTC 
SUSE-SU-2017:0556-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1019550,1022219,1022255,1022257,1022260,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-96.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-96.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-96.1
Comment 21 Swamp Workflow Management 2017-02-27 17:10:07 UTC 
SUSE-SU-2017:0568-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1019550,1022219,1022255,1022257,1022260,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-101.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-101.1
SUSE Manager 2.1 (src):    php53-5.3.17-101.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-101.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-101.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-101.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-101.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-101.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-101.1
Comment 22 Swamp Workflow Management 2017-03-02 14:14:13 UTC 
openSUSE-SU-2017:0588-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1008026,1019547,1019550,1019568,1019570,1022219,1022255,1022257,1022260,1022262,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10162,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478,CVE-2016-7479,CVE-2016-7480,CVE-2016-9138,CVE-2017-5340
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-12.1
Comment 24 Marcus Meissner 2017-05-22 15:35:12 UTC 
released
Comment 25 Bernhard Wiedemann 2017-07-17 10:00:44 UTC 
This is an autogenerated message for OBS integration:
This bug (1022265) was mentioned in
https://build.opensuse.org/request/show/510888 Factory / gd