Your message dated Sat, 05 Dec 2009 22:15:03 +0000
with message-id <e1nh2u7-0001n3...@ries.debian.org>
and subject line Bug#552534: fixed in libgd2 2.0.33-5.2etch2
has caused the Debian Bug report #552534,
regarding libgd2: CVE-2009-3546: possible buffer overflow or buffer over-read
attacks via crafted files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
552534: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552534
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgd2
Version: 2.0.36~rc1~dfsg-3
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libgd2.
CVE-2009-3546[0]:
| The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the
| GD Graphics Library 2.x, does not properly verify a certain
| colorsTotal structure member, which might allow remote attackers to
| conduct buffer overflow or buffer over-read attacks via a crafted GD
| file, a different vulnerability than CVE-2009-3293. NOTE: some of
| these details are obtained from third party information.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
http://security-tracker.debian.org/tracker/CVE-2009-3546
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
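The CVE text above describes a palette count (`colorsTotal`) read from an untrusted GD file and used without being checked against the fixed palette size. The following is an added example, not gd's own code: a constructed minimal palette reader that shows the bound check the vulnerable path lacked, plus a length check so a short file cannot be over-read. The record layout (a 2-byte big-endian count followed by 3-byte RGB entries) is an assumption made for illustration; `GD_MAX_COLORS` mirrors gd's 256-entry palette limit.

```c
/* Constructed model of the CVE-2009-3546 bug class (added example, not gd code).
 * Layout assumed for illustration: 2-byte big-endian colour count, then
 * one 3-byte RGB entry per colour. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GD_MAX_COLORS 256   /* size of the fixed palette arrays, as in gd */

typedef struct {
    int colorsTotal;
    uint8_t red[GD_MAX_COLORS], green[GD_MAX_COLORS], blue[GD_MAX_COLORS];
} palette_t;

enum { PAL_OK = 0, PAL_TRUNCATED = -1, PAL_TOO_MANY = -2 };

/* Hardened reader: every value taken from the file is validated before it
 * drives an array index or a read offset. */
int read_palette(const uint8_t *buf, size_t len, palette_t *pal)
{
    if (len < 2) return PAL_TRUNCATED;
    int count = (buf[0] << 8) | buf[1];          /* 0..65535 from the file */
    /* The check the vulnerable code was missing: a count above the palette
     * size would otherwise index past the end of red/green/blue. */
    if (count > GD_MAX_COLORS) return PAL_TOO_MANY;
    /* Bound the loop against the actual input length as well (no over-read). */
    if (len - 2 < (size_t)count * 3) return PAL_TRUNCATED;
    memset(pal, 0, sizeof *pal);
    pal->colorsTotal = count;
    for (int i = 0; i < count; i++) {
        pal->red[i]   = buf[2 + i * 3];
        pal->green[i] = buf[3 + i * 3];
        pal->blue[i]  = buf[4 + i * 3];
    }
    return PAL_OK;
}

/* Returns the parsed colour count on success, or the negative status code. */
int parse_count(const uint8_t *buf, size_t len)
{
    palette_t p;
    int rc = read_palette(buf, len, &p);
    return rc == PAL_OK ? p.colorsTotal : rc;
}

/* Constructed sample headers: a valid two-colour palette, and one whose
 * count field claims 300 colours (0x012C), more than the palette holds. */
const uint8_t good_hdr[] = { 0x00, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF };
const uint8_t oversized_hdr[] = { 0x01, 0x2C, 0xAA, 0xBB, 0xCC };

int main(void)
{
    printf("good: %d\n", parse_count(good_hdr, sizeof good_hdr));            /* 2 */
    printf("oversized: %d\n", parse_count(oversized_hdr, sizeof oversized_hdr)); /* -2 */
    printf("truncated: %d\n", parse_count(good_hdr, 5));                     /* -1 */
    return 0;
}
```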
--- Begin Message ---
Source: libgd2
Source-Version: 2.0.33-5.2etch2
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:
libgd-tools_2.0.33-5.2etch2_i386.deb
to main/libg/libgd2/libgd-tools_2.0.33-5.2etch2_i386.deb
libgd2-noxpm-dev_2.0.33-5.2etch2_i386.deb
to main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch2_i386.deb
libgd2-noxpm_2.0.33-5.2etch2_i386.deb
to main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch2_i386.deb
libgd2-xpm-dev_2.0.33-5.2etch2_i386.deb
to main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch2_i386.deb
libgd2-xpm_2.0.33-5.2etch2_i386.deb
to main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch2_i386.deb
libgd2_2.0.33-5.2etch2.diff.gz
to main/libg/libgd2/libgd2_2.0.33-5.2etch2.diff.gz
libgd2_2.0.33-5.2etch2.dsc
to main/libg/libgd2/libgd2_2.0.33-5.2etch2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 552...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.7
Date: Tue, 10 Nov 2009 10:15:53 +0100
Source: libgd2
Binary: libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2-xpm-dev libgd-tools
Architecture: source i386
Version: 2.0.33-5.2etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
libgd-tools - GD command line tools and example code
libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
libgd2-xpm - GD Graphics Library version 2
libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 408982 552534
Changes:
libgd2 (2.0.33-5.2etch2) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-3546: possible buffer overflow or buffer over-read attacks
via crafted files (Closes: #552534)
* Fixed CVE-2007-0455: Buffer overflow in the gdImageStringFTEx function in
gdft.c (Closes: #408982)
Files:
--- End Message ---