Re: CVE Request: A read out-of-bands was found in the parsing of TGA files using libgd

[Gustavo Grieco <gustavo.grieco () gmail com>]

Another read out-of-bounds was found in the process of fixing
CVE-2016-6132. Details are here:

https://github.com/libgd/libgd/issues/247#issuecomment-232084241

In fact, the libgd developers confirmed that this issue is not the
same as CVE-2016-6132. Please assign a CVE if suitable.
Fortunately, both issues are fixed now.

Thanks!

2016-06-30 17:48 GMT+02:00  <cve-assign () mitre org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > A read out-of-bands was found in the parsing of TGA files using the
> > last revision of libgd (a6a0e7f) but older versions can be affected. A
> > reproducer and some technical details are available here:
> >
> > https://github.com/libgd/libgd/issues/247
>
> > > AddressSanitizer: heap-buffer-overflow ...
> > > READ of size 4
> > > ... in gdImageCreateFromTgaCtx
>
> Use CVE-2016-6132 for this buffer over-read issue.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJXdT8ZAAoJEHb/MwWLVhi2SjkQAIges7jISzaEMV4SPSu9Di8B
> 4re9gzln2m8wIKQ3c9NLFGp5lR8fWCx73vSguwBUWVPBFCJZntup5rZlX/rq9P3+
> fFmMhM8g+lsDczm5bNhqUp3lQbSGzts/gPMUbEWlKYKX4sNRdwzlIoxiHq2NxwcB
> ue/Ci1nNDkL2ykvfJA8z3twOm9kFu/qMY+CG6oZ5wA6HSRiRb7kxYCmUd1HMlDKb
> JOhjyJ+qMKwAaQbQKMERSOz03tvzCzCgZvmUOjtd0lsk7a/E1Q3wwPWJ8+wyBbdw
> DZalq2JBQyFNkQ/sy9NGWpya1OSLiuly7xwH+qOGuFmxlXpB87UWq1Mkq6+Hfib5
> 0pq4cKvdM3gBe1k1lXMAVxikTamvnLizMmRz+tcwHFoGCQoSTwuIegBst3vx9yIJ
> 7QEiq1ergZTJEpMoG6EtxBSsOejSfhWmRYkcGkaCusYrDdT2WXFly7zWAQtnL5qT
> 7X5QcpuYs/in7C0rY3UoJqOsDX7cO8b21g16Ya3pGyFjX5DIUr/ZPqSF2GcB6jXn
> /rPyeSvv1py40HWsvx8ZUQND9rgGn2g5CPIfEkYapp6IAYtJgA96jIORfuui4lEp
> +PAKIvn5LVsdAMcoq50RdOpCqD9VRjA1B6EgtZsjUs1bDsdB7qujm+wBIsu9vkGo
> qhxbyEP0bA9VFaM6jxMO
> =BZV9
> -----END PGP SIGNATURE-----