__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
__________________________________________________________

                             INFORMATION BULLETIN

                             gd Security Update
                        [Red Hat RHSA-2008:0146-2]

March 4, 2008 15:00 GMT                                          Number S-218
                                                        [REVISED 18 Aug 2008]
______________________________________________________________________________
PROBLEM:       Multiple issues were discovered in the gd GIF image-handling
               code.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0

DAMAGE:        Execute code.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A carefully-crafted GIF file could cause a
ASSESSMENT:    crash or possibly execute code with the privileges of the
               application using the gd library.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-218.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0146.html
 ADDITIONAL LINK:    http://www.debian.org/security/2008/dsa-1613-1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-4484 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472
                     CVE-2007-3473 CVE-2007-3475 CVE-2007-3476
______________________________________________________________________________
REVISION HISTORY:
 08/18/2008 - revised S-218 to add a link to Debian Security Advisory
              DSA-1613-1 for Debian GNU/Linux 4.0 (etch).

[***** Start Red Hat RHSA-2008:0146-2 *****]

Moderate: gd security update

Advisory:           RHSA-2008:0146-2
Type:               Security Advisory
Severity:           Moderate
Issued on:          2008-02-28
Last updated on:    2008-02-28
Affected Products:  RHEL Desktop Workstation (v. 5 client)
                    Red Hat Desktop (v. 4)
                    Red Hat Enterprise Linux (v. 5 server)
                    Red Hat Enterprise Linux AS (v. 4)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
                    Red Hat Enterprise Linux ES (v. 4)
                    Red Hat Enterprise Linux WS (v. 4)
OVAL:               com.redhat.rhsa-20080146.xml
CVEs (cve.mitre.org):
                    CVE-2006-4484 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472
                    CVE-2007-3473 CVE-2007-3475 CVE-2007-3476

Details

Updated gd packages that fix multiple security issues are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

The gd package contains a graphics library used for the dynamic creation of
images such as PNG and JPEG.

Multiple issues were discovered in the gd GIF image-handling code. A
carefully-crafted GIF file could cause a crash or possibly execute code with
the privileges of the application using the gd library. (CVE-2006-4484,
CVE-2007-3475, CVE-2007-3476)

An integer overflow was discovered in the gdImageCreateTrueColor() function,
leading to incorrect memory allocations. A carefully crafted image could cause
a crash or possibly execute code with the privileges of the application using
the gd library. (CVE-2007-3472)

A buffer over-read flaw was discovered. This could cause a crash in an
application using the gd library to render certain strings using a
JIS-encoded font. (CVE-2007-0455)

A flaw was discovered in the gd PNG image handling code. A truncated PNG image
could cause an infinite loop in an application using the gd library.
(CVE-2007-2756)

A flaw was discovered in the gd X BitMap (XBM) image-handling code. A
malformed or truncated XBM image could cause a crash in an application using
the gd library. (CVE-2007-3473)

Users of gd should upgrade to these updated packages, which contain backported
patches which resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available
at http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages
Bugs fixed (see bugzilla for more information)

224607 - CVE-2007-0455 gd buffer overrun
242033 - CVE-2007-2756 gd / php-gd ImageCreateFromPng infinite loop caused by
         truncated PNG
276751 - CVE-2007-3472 libgd Integer overflow in TrueColor code
276791 - CVE-2007-3473 libgd NULL pointer dereference when reading a corrupt
         X bitmap
277181 - CVE-2007-3475 libgd Denial of service by GIF images without a global
         color map
277201 - CVE-2007-3476 libgd Denial of service by corrupted GIF images
431568 - CVE-2006-4484 gd: GIF handling buffer overflow

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3476
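The integer overflow described under Details for CVE-2007-3472 is the familiar pattern of multiplying image dimensions in int-sized arithmetic before allocating, so that a huge image requests a small buffer which later pixel writes overrun. The block below is an added example written for this bulletin, not libgd's or Red Hat's code: naive_pixel_bytes models the wrapping computation, and dims_are_safe together with image_create_truecolor show the overflow-checked allocation that the fix class requires. The image_t type and every function name here are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
typedef struct { int sx, sy; int32_t **rows; } image_t; /* illustrative */

/* Models the int-width arithmetic behind CVE-2007-3472: byte count of an
   sx*sy true-colour buffer in 32-bit arithmetic (unsigned so the wrap is
   defined). A huge image requests a tiny, here zero-byte, buffer. */
uint32_t naive_pixel_bytes(uint32_t sx, uint32_t sy) {
    return sx * sy * (uint32_t)sizeof(int32_t);
}

/* Hardened check: every multiplication the allocator and the pixel loops
   will perform must fit in the type it is performed in. */
int dims_are_safe(int sx, int sy) {
    if (sx <= 0 || sy <= 0) return 0;
    if (sx > INT_MAX / sy) return 0;                         /* sx*sy as int */
    if ((size_t)sx > SIZE_MAX / sizeof(int32_t)) return 0;   /* row bytes */
    if ((size_t)sy > SIZE_MAX / sizeof(int32_t *)) return 0; /* row table */
    return 1;
}

void image_destroy(image_t *im) {
    if (!im) return;
    for (int y = 0; im->rows && y < im->sy; y++) free(im->rows[y]);
    free(im->rows);
    free(im);
}

/* Allocates one row per scanline, refusing overflowing dimensions and
   releasing everything on a partial failure. Returns NULL on failure. */
image_t *image_create_truecolor(int sx, int sy) {
    if (!dims_are_safe(sx, sy)) return NULL;
    image_t *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->rows = calloc((size_t)sy, sizeof *im->rows);
    if (!im->rows) { free(im); return NULL; }
    im->sy = sy; /* set first so image_destroy frees only rows set so far */
    for (int y = 0; y < sy; y++) {
        im->rows[y] = calloc((size_t)sx, sizeof **im->rows);
        if (!im->rows[y]) { image_destroy(im); return NULL; }
    }
    im->sx = sx;
    return im;
}

int can_create(int sx, int sy) {            /* 1 if creatable, else 0 */
    image_t *im = image_create_truecolor(sx, sy);
    if (!im) return 0;
    image_destroy(im); return 1;
}
```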
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0146-2 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-208: Ghostscript Vulnerability
S-209: activePDF Server Packet Processing Vulnerability
S-210: Rising Web Scan Object 'OL2005.dll' ActiveX Control Vulnerability
S-211: Move Media Player Quantum Streaming Vulnerability
S-212: Mozilla Vulnerability in BMP Decoder
S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities