Jonas Meurer wrote:
> Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libgd2.
> >
> > CVE-2019-11038[0]:
> > Uninitialized read in gdImageCreateFromXbm
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> While working on a libgd2 update for Jessie LTS, I prepared a patch that
> fixes this bug for unstable as well. If nobody objects, I would go ahead
> with an NMU to get this CVE fixed in time for Buster, ok?
>
> The patch (created with `git format-patch`) is attached.
>
> I also sent the patch upstream: https://github.com/libgd/libgd/pull/503
After uploading patched libgd2 to jessie and stretch, I also decided to go ahead with the NMU to unstable. I just uploaded libgd2 2.2.5-5.2 to the DELAYED-1 queue. Once it's been accepted into unstable, I'll file an unblock request to get it into Buster.

I also pushed all three updates to the packaging Git repo at https://salsa.debian.org/debian/libgd2

Cheers
jonas