libgd2 project, new maintainership, new CVS, new issue tracker

Bug #78476 reported by Pierre
Affects: libgd2 (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: -

Bug Description

Binary package hint: libgd2

Hello,

libgd2 leadership has changed. I took over this project and it is now maintained here:
site: http://www.libgd.org
cvs: http://cvs.php.net/gd (See the downloads page for the access details)
issues tracker: http://bugs.libgd.org

2.0.34 is in the release process. I would like to sync our work and try to set up an improved relationship to keep both the upstream release and your distribution synced and up to date. I'm not sure if you maintain your own packages or use the Debian version (Jonas from Debian is already working on a sync and actively reports issues and patches).

Feel free to contact me if you have any questions or requests, via my email or the issues tracker.

Thanks for your great work with Ubuntu!
--Pierre

Revision history for this message
Pierre (pierre-php) wrote :

Following a short discussion I had on #ubuntu-bugs, I would like to point you to some possible security fixes I made in the last days.
You can see them here:

http://bugs.libgd.org/index.php?tasks=&project=2&due=2&status[]=

The ids are #4, #7, #14, #33 and #11. The GIF related issues are certainly already in your packages, as I fixed them as soon as the initial report came in (in php gd).

The others, like the alloc sanity checks and the tests on alloc return values, are not present in the latest package from Ubuntu. They are in my opinion critical (DoS).

I do not have the time now to provide all the separate patches, but I tried to always use the bug #id in my cvs messages. It should be easy to get them back. In any case, feel free to contact me if you have any questions or need help.

--Pierre

Revision history for this message
Kees Cook (kees) wrote :

Hi! Thanks for the update. We sync from Debian, so if 2.0.34 goes into Debian soon, we'll be able to sync it for the Feisty release. I'll take a look through your updates shortly.

Revision history for this message
Kees Cook (kees) wrote :

Since you're using CVS instead of SVN or BZR, it's actually pretty difficult to extract your patches. :)

As you say, #7 is already applied in Ubuntu. From the looks of it, every other fix is a NULL-deref fix, which, unless it can be demonstrated how a service can be DoS'd with them, don't look like security issues to me.

If I've overlooked something, please let me know. For now, I'll turn off the security bit on this report.

Thanks again!

Revision history for this message
Pierre (pierre-php) wrote : Re: [Bug 78476] Re: libgd2 project, new maintainership, new CVS, new issue tracker

Hello,

On 1/9/07, Kees Cook <email address hidden> wrote:
> Since you're using CVS instead of SVN or BZR, it's actually pretty
> difficult to extract your patches. :)

Better than no RCS :)

I can try to provide some or at least point you to the right commit.
Many of them are only a couple of lines.

> As you say, #7 is already applied in Ubuntu. From the looks of it,
> every other fix are NULL-deref fixes, which unless it can be
> demonstrated how a service can be DoS'd with this, they don't look like
> security issues to me.

#11 crashes, when you pass an empty file as PNG.

#14 and the related id in my commit messages (it was before the
tracker was in place) can lead to DoS. Try to allocate a very large image,
for example. It includes many overflow checks.

#7 always crashes as well.

By the way, I include local users as possible source of troubles (esp.
in web env).

> If I've overlooked something, please let me know. For now, I'll turn
> off the security bit on this report.

I will add the full test suite this week; it may help to test against
your version and catch which tests crash.

> Thanks again!

You too, I'm a happy ubuntu user :-)

--Pierre
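
The allocation sanity checks discussed above (overflow in the image size arithmetic, and testing the allocator's return value instead of dereferencing it), as an added example in C that is not libgd's code; the function names, the 4 bytes per pixel and the size cap are assumptions.

```c
/* Added example, not libgd code: the allocation sanity checks the thread
 * describes. Function names, pixel size and the size cap are assumptions. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u   /* one 32-bit truecolor pixel (assumed) */

/* Byte count for a width x height truecolor buffer, or 0 if either
 * dimension is non-positive or the product does not fit in a size_t.
 * 0 is never a valid size here, so callers can test for it directly. */
size_t image_buffer_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h)                    /* w * h would wrap */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL) /* pixels * 4 would wrap */
        return 0;
    return pixels * BYTES_PER_PIXEL;
}

/* Accept header dimensions only if the buffer size is computable and
 * within a policy cap: a huge request that does not overflow the
 * arithmetic can still exhaust memory (the DoS case in the thread). */
int header_dimensions_ok(int width, int height, size_t max_bytes)
{
    size_t bytes = image_buffer_size(width, height);
    return bytes != 0 && bytes <= max_bytes;
}

/* Allocate a zeroed pixel buffer or return NULL. Every caller must test
 * the result; using it unchecked is the NULL-deref crash class above. */
uint32_t *alloc_pixels(int width, int height, size_t max_bytes)
{
    if (!header_dimensions_ok(width, height, max_bytes))
        return NULL;
    return calloc((size_t)width * (size_t)height, BYTES_PER_PIXEL);
}
```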

Revision history for this message
Pierre (pierre-php) wrote :

I added the tests to CVS as well as the tools to run them against a custom library. It uses cmake; the documentation on how to run them can be found here:

http://cvs.php.net/viewvc.cgi/gd/libgd/README.TESTING?view=markup

I already tried to run the tests against the latest gd2-noxpm in Ubuntu (edgy); there are quite a lot of failures and many are segfaults. I do not yet test all cases where integer overflows were possible.

I attached a list of the failing tests. Please note that "bug00005" is actually an infinite loop while loading a gif image (I have to figure out how to make the timeout work with a non-debug build); this bug is one of the critical bugs not fixed in Ubuntu.

Let me know if you meet any problems or have any requests or questions,

Regards,
--Pierre

Revision history for this message
Adam Niedling (krychek) wrote :

Edgy is not supported anymore. Is this still an issue anyway?

Changed in libgd2:
status: New → Invalid