Your message dated Sat, 05 Dec 2009 21:23:08 +0000
with message-id <e1nh25s-0002tt...@ries.debian.org>
and subject line Bug#552534: fixed in libgd2 2.0.36~rc1~dfsg-3+lenny1
has caused the Debian Bug report #552534,
regarding libgd2: CVE-2009-3546: possible buffer overflow or buffer over-read attacks via crafted files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
552534: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552534
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgd2
Version: 2.0.36~rc1~dfsg-3
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libgd2.
CVE-2009-3546[0]:
| The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the
| GD Graphics Library 2.x, does not properly verify a certain
| colorsTotal structure member, which might allow remote attackers to
| conduct buffer overflow or buffer over-read attacks via a crafted GD
| file, a different vulnerability than CVE-2009-3293. NOTE: some of
| these details are obtained from third party information.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
http://security-tracker.debian.org/tracker/CVE-2009-3546
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
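An added illustration, not code from libgd2 or from the upload above: a constructed palette-header parser that shows the kind of bound check the CVE text says was missing on the colorsTotal member, placed before that value is ever used as a loop bound over the fixed 256-entry palette arrays. The byte layout, the field names and the 256-entry palette size are assumptions of this example, not a description of the real gd file format.

```c
#include <stddef.h>
#include <string.h>

#define GD_MAX_COLORS 256  /* assumed size of the fixed palette arrays */

typedef struct {
    int colors_total;                  /* palette entries in use, from the file */
    unsigned char red[GD_MAX_COLORS];
    unsigned char green[GD_MAX_COLORS];
    unsigned char blue[GD_MAX_COLORS];
} palette_image;

/* Read a big-endian 16-bit word; returns 0 when the buffer is too short. */
static int get_word(const unsigned char *buf, size_t len, size_t *pos, int *out) {
    if (*pos + 2 > len) return 0;
    *out = (buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    return 1;
}

/* Constructed layout: [colorsTotal:u16][256 x (r,g,b)]. Returns 1 on success,
 * 0 on malformed input. The colors_total check is the point of the example:
 * a file-controlled count must be bounded before it can index the arrays. */
int parse_palette(const unsigned char *buf, size_t len, palette_image *im) {
    size_t pos = 0;
    if (!get_word(buf, len, &pos, &im->colors_total)) return 0;
    if (im->colors_total < 0 || im->colors_total > GD_MAX_COLORS) return 0;
    if (len - pos < 3 * GD_MAX_COLORS) return 0;   /* palette must be complete */
    for (int i = 0; i < GD_MAX_COLORS; i++) {
        im->red[i] = buf[pos++]; im->green[i] = buf[pos++]; im->blue[i] = buf[pos++];
    }
    return 1;
}

/* Exact-match lookup that trusts colors_total as its loop bound, which is
 * why parse_palette has to reject counts above GD_MAX_COLORS. */
int find_color(const palette_image *im, int r, int g, int b) {
    for (int i = 0; i < im->colors_total; i++)
        if (im->red[i] == r && im->green[i] == g && im->blue[i] == b) return i;
    return -1;
}

/* Build a constructed sample image whose header carries the given count. */
size_t build_sample(unsigned char *out, int colors_total) {
    memset(out, 0, 2 + 3 * GD_MAX_COLORS);
    out[0] = (colors_total >> 8) & 0xff; out[1] = colors_total & 0xff;
    out[2] = 0x10; out[3] = 0x20; out[4] = 0x30;   /* palette entry 0 */
    out[5] = 0xaa; out[6] = 0xbb; out[7] = 0xcc;   /* palette entry 1 */
    return 2 + 3 * GD_MAX_COLORS;
}
```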
--- Begin Message ---
Source: libgd2
Source-Version: 2.0.36~rc1~dfsg-3+lenny1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:
libgd-tools_2.0.36~rc1~dfsg-3+lenny1_i386.deb
to main/libg/libgd2/libgd-tools_2.0.36~rc1~dfsg-3+lenny1_i386.deb
libgd2-noxpm-dev_2.0.36~rc1~dfsg-3+lenny1_i386.deb
to main/libg/libgd2/libgd2-noxpm-dev_2.0.36~rc1~dfsg-3+lenny1_i386.deb
libgd2-noxpm_2.0.36~rc1~dfsg-3+lenny1_i386.deb
to main/libg/libgd2/libgd2-noxpm_2.0.36~rc1~dfsg-3+lenny1_i386.deb
libgd2-xpm-dev_2.0.36~rc1~dfsg-3+lenny1_i386.deb
to main/libg/libgd2/libgd2-xpm-dev_2.0.36~rc1~dfsg-3+lenny1_i386.deb
libgd2-xpm_2.0.36~rc1~dfsg-3+lenny1_i386.deb
to main/libg/libgd2/libgd2-xpm_2.0.36~rc1~dfsg-3+lenny1_i386.deb
libgd2_2.0.36~rc1~dfsg-3+lenny1.diff.gz
to main/libg/libgd2/libgd2_2.0.36~rc1~dfsg-3+lenny1.diff.gz
libgd2_2.0.36~rc1~dfsg-3+lenny1.dsc
to main/libg/libgd2/libgd2_2.0.36~rc1~dfsg-3+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 552...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 09 Nov 2009 21:46:06 +0100
Source: libgd2
Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm
Architecture: source i386
Version: 2.0.36~rc1~dfsg-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
libgd-tools - GD command line tools and example code
libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
libgd2-xpm - GD Graphics Library version 2
libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 552534
Changes:
libgd2 (2.0.36~rc1~dfsg-3+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-3546: possible buffer overflow or buffer over-read attacks
via crafted files (Closes: #552534)
--- End Message ---