Your message dated Mon, 09 Nov 2009 21:37:19 +0000
with message-id <e1n7bvl-0005hi...@ries.debian.org>
and subject line Bug#552534: fixed in libgd2 2.0.36~rc1~dfsg-3.1
has caused the Debian Bug report #552534,
regarding libgd2: CVE-2009-3546: possible buffer overflow or buffer over-read 
attacks via crafted files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
552534: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552534
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgd2
Version: 2.0.36~rc1~dfsg-3
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libgd2.

CVE-2009-3546[0]:
| The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the
| GD Graphics Library 2.x, does not properly verify a certain
| colorsTotal structure member, which might allow remote attackers to
| conduct buffer overflow or buffer over-read attacks via a crafted GD
| file, a different vulnerability than CVE-2009-3293.  NOTE: some of
| these details are obtained from third party information.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
    http://security-tracker.debian.org/tracker/CVE-2009-3546

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



--- End Message ---
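
The missing bounds check that the CVE text describes, as an added example that is not part of the original bug report and is not libgd's code: a simplified parser for a constructed palette layout that rejects a file-supplied colour count larger than the fixed-size palette arrays. The names `palette_t`, `parse_palette` and `MAX_COLORS`, and the byte layout itself, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_COLORS 256  /* assumed fixed palette capacity */

typedef struct {
    int colors_total;   /* count taken from the file: untrusted */
    uint8_t red[MAX_COLORS], green[MAX_COLORS], blue[MAX_COLORS];
} palette_t;

/* Constructed layout (not the real GD format): 2-byte big-endian count,
 * then count * 3 bytes of r,g,b. Returns 0 on success, -1 truncated header,
 * -2 count exceeds palette capacity, -3 truncated colour data. */
int parse_palette(const uint8_t *buf, size_t len, palette_t *out)
{
    if (len < 2)
        return -1;
    unsigned count = ((unsigned)buf[0] << 8) | buf[1];
    /* Bound the untrusted count by the array size. Without this, a count up
     * to 65535 makes every loop bounded by colors_total overrun the arrays. */
    if (count > MAX_COLORS)
        return -2;
    /* Refuse to read past the end of the input as well. */
    if ((len - 2) / 3 < count)
        return -3;

    memset(out, 0, sizeof *out);
    out->colors_total = (int)count;
    for (unsigned i = 0; i < count; i++) {
        out->red[i]   = buf[2 + 3 * i];
        out->green[i] = buf[2 + 3 * i + 1];
        out->blue[i]  = buf[2 + 3 * i + 2];
    }
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t ok_file[]  = { 0x00, 0x02, 10, 20, 30, 40, 50, 60 };
static const uint8_t big_file[] = { 0x01, 0x01, 0, 0, 0 };  /* claims 257 */
static const uint8_t cut_file[] = { 0x00, 0x03, 1, 2, 3 };  /* claims 3, has 1 */

int main(void)
{
    palette_t p;
    return !(parse_palette(ok_file, sizeof ok_file, &p) == 0 &&
             parse_palette(big_file, sizeof big_file, &p) == -2 &&
             parse_palette(cut_file, sizeof cut_file, &p) == -3);
}
```
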
--- Begin Message ---
Source: libgd2
Source-Version: 2.0.36~rc1~dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:

libgd-tools_2.0.36~rc1~dfsg-3.1_i386.deb
  to main/libg/libgd2/libgd-tools_2.0.36~rc1~dfsg-3.1_i386.deb
libgd2-noxpm-dev_2.0.36~rc1~dfsg-3.1_i386.deb
  to main/libg/libgd2/libgd2-noxpm-dev_2.0.36~rc1~dfsg-3.1_i386.deb
libgd2-noxpm_2.0.36~rc1~dfsg-3.1_i386.deb
  to main/libg/libgd2/libgd2-noxpm_2.0.36~rc1~dfsg-3.1_i386.deb
libgd2-xpm-dev_2.0.36~rc1~dfsg-3.1_i386.deb
  to main/libg/libgd2/libgd2-xpm-dev_2.0.36~rc1~dfsg-3.1_i386.deb
libgd2-xpm_2.0.36~rc1~dfsg-3.1_i386.deb
  to main/libg/libgd2/libgd2-xpm_2.0.36~rc1~dfsg-3.1_i386.deb
libgd2_2.0.36~rc1~dfsg-3.1.diff.gz
  to main/libg/libgd2/libgd2_2.0.36~rc1~dfsg-3.1.diff.gz
libgd2_2.0.36~rc1~dfsg-3.1.dsc
  to main/libg/libgd2/libgd2_2.0.36~rc1~dfsg-3.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 09 Nov 2009 21:19:11 +0100
Source: libgd2
Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm
Architecture: source i386
Version: 2.0.36~rc1~dfsg-3.1
Distribution: unstable
Urgency: high
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 libgd-tools - GD command line tools and example code
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 552534
Changes: 
 libgd2 (2.0.36~rc1~dfsg-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3546: possible buffer overflow or buffer over-read attacks
     via crafted files (Closes: #552534)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr4faMACgkQNxpp46476aqIRgCcD/UxE1Ym6N8ZrJEnRRCa8o7t
CX4AoJGCTQQz7fgBeLcMkOab2wsjV93N
=7xfW
-----END PGP SIGNATURE-----



--- End Message ---
