Bug 130770

Summary: no update for graphics/php5-gd yet (CVE-2008-5498)
Product: Ports & Packages
Reporter: Stephan A. Rickauer <stephan.rickauer>
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Stephan A. Rickauer 2009-01-20 08:10:02 UTC
See CVE-2008-5498 and http://www.securiteam.com/unixfocus/6G00Y0ANFU.html

FreeBSD port not updated:

# portsnap fetch && portsnap update
..
# cd /usr/ports/graphics/php5-gd/
# make
===>  php5-gd-5.2.8 has known vulnerabilities:
=> php5-gd -- uninitialized memory information disclosure vulnerability.
   Reference: <http://www.FreeBSD.org/ports/portaudit/58a3c266-db01-11dd-ae30-001cc0377035.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.

Fix: 

According to http://www.milw0rm.com/exploits/7646 a correct fix could be:

file: php-x.y.z/ext/gd/libgd/gd.c

3129: gdImagePtr gdImageRotate (gdImagePtrsrc, double dAngle,
                                int clrBack, int ignoretransparent) 
3130:{ 
3131: gdImagePtrpMidImg; 
3132: gdImagePtrrotatedImg;
3133:
3134: if(src == NULL) { 
3135:       returnNULL; 
3136: }
3137:+
3137:+ // Index check
3137:+ if (!src->truecolor) 
3137:+ clrBack &= 0xff; // Just keep the first byte
3137:+
3138: if(!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) { 
3139:       returnNULL; 
3140: }
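
Review bot: at 3137 the added `clrBack &= 0xff;` makes an out-of-range palette index wrap to a different index (0x100 becomes 0, which passes the 3138 check whenever the palette has at least one colour) instead of being rejected, and because 3138 only tests `clrBack>=gdImageColorsTotal(src)` the mask is also the only thing keeping a negative clrBack out. I would rather reject the value explicitly for non-truecolor images, returning NULL when `clrBack < 0 || clrBack >= gdImageColorsTotal(src)`, and drop the mask. If the mask stays, put braces around the `if (!src->truecolor)` body and test with `gdImageTrueColor(src)` as line 3138 does, so the two conditions read the same way.
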
How-To-Repeat: Install php5-gd port
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-01-20 09:02:34 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ale

Fix synopsis and assign.
Comment 2 Alex Dupre freebsd_committer freebsd_triage 2009-02-04 06:47:36 UTC
State Changed
From-To: open->closed

The official fix has been committed, thanks.