Date:      Tue, 20 Jan 2009 08:03:52 GMT
From:      "Stephan A. Rickauer" <stephan.rickauer@startek.ch>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/130770: no update for php5-gd yet (CVE-2008-5498)
Message-ID:  <200901200803.n0K83qpN018328@www.freebsd.org>
Resent-Message-ID: <200901200810.n0K8A24h090458@freefall.freebsd.org>


>Number:         130770
>Category:       ports
>Synopsis:       no update for php5-gd yet (CVE-2008-5498)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 20 08:10:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Stephan A. Rickauer
>Release:        7.1
>Organization:
StarTek
>Environment:
FreeBSD srv3.startek.ch 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 08:58:24 UTC 2009     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
see CVE-2008-5498 and http://www.securiteam.com/unixfocus/6G00Y0ANFU.html

FreeBSD port not updated:

# portsnap fetch && portsnap update
..
# cd /usr/ports/graphics/php5-gd/
# make
===>  php5-gd-5.2.8 has known vulnerabilities:
=> php5-gd -- uninitialized memory information disclosure vulnerability.
   Reference: <http://www.FreeBSD.org/ports/portaudit/58a3c266-db01-11dd-ae30-001cc0377035.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.
>How-To-Repeat:
Install php5-gd port
>Fix:
According to http://www.milw0rm.com/exploits/7646 a correct fix could be:

file: php-x.y.z/ext/gd/libgd/gd.c

3129: gdImagePtr gdImageRotate (gdImagePtrsrc, double dAngle,
                                int clrBack, int ignoretransparent) 
3130:{ 
3131: gdImagePtrpMidImg; 
3132: gdImagePtrrotatedImg;
3133:
3134: if(src == NULL) { 
3135:       returnNULL; 
3136: }
3137:+
3137:+ // Index check
3137:+ if (!src->truecolor) 
3137:+ clrBack &= 0xff; // Just keep the first byte
3137:+
3138: if(!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) { 
3139:       returnNULL; 
3140: }
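
Review bot: the mask added at 3137 ("clrBack &= 0xff") silently folds an out-of-range palette index into 0..255 instead of rejecting it, so a bad clrBack whose low byte is below gdImageColorsTotal(src) passes the check at 3138 and selects an unrelated colour index rather than failing. The test at 3138 already returns NULL for "clrBack>=gdImageColorsTotal(src)"; extending it with "clrBack < 0" would reject negative values explicitly rather than remapping them. The new "if (!src->truecolor)" also has no braces while the surrounding if blocks do, and it reads src->truecolor directly where 3138 uses gdImageTrueColor(src); using the same form in both places would keep the two checks consistent.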



>Release-Note:
>Audit-Trail:
>Unformatted:


