Your message dated Mon, 31 Oct 2016 10:19:03 +0000
with message-id <e1c19gf-0001ne...@fasolo.debian.org>
and subject line Bug#839659: fixed in libgd2 2.2.3-87-gd0fec80-1
has caused the Debian Bug report #839659,
regarding libgd2: CVE-2016-7568: Integer overflow in gdImageWebpCtx
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
839659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839659
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgd2
Version: 2.2.3-3
Severity: grave
Tags: security patch upstream fixed-upstream
Justification: user security hole
Forwarded: https://github.com/libgd/libgd/issues/308
Hi,
the following vulnerability was published for libgd2.
CVE-2016-7568[0]:
| Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD
| Graphics Library (aka libgd) through 2.2.3, as used in PHP through
| 7.0.11, allows remote attackers to cause a denial of service
| (heap-based buffer overflow) or possibly have unspecified other impact
| via crafted imagewebp and imagedestroy calls.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-7568
[1] https://github.com/libgd/libgd/issues/308
[2] https://github.com/libgd/libgd/commit/40bec0f38f50e8510f5bb71a82f516d46facde03
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
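An added illustration, not libgd code and not part of the bug report above: the bug class the CVE text names, an RGBA buffer size computed as width * height * 4 in a 32-bit integer that wraps for large dimensions, so the allocator gets a small (or zero) block while the encoder still walks every pixel, beside a checked version that refuses the image instead. All names here (toy_image, unchecked_rgba_size_u32, checked_rgba_size, mul_overflows, alloc_rgba, alloc_rgba_accepts) are hypothetical; gdImageWebpCtx and the upstream fix commit are not reproduced.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not libgd code. Models the bug class from the CVE text:
 * a pixel-buffer size computed as sx * sy * 4 in a 32-bit integer that
 * wraps for large dimensions. Every identifier below is hypothetical.
 */

typedef struct {
    int sx;  /* width, stored as a plain int, as gd does */
    int sy;  /* height */
} toy_image;

/* Vulnerable pattern. Done in uint32_t so the wrap is well defined and
 * observable; the same arithmetic in int is undefined behaviour in C,
 * which is worse, not better. */
uint32_t unchecked_rgba_size_u32(int sx, int sy)
{
    return (uint32_t)sx * (uint32_t)sy * 4u;
}

/* Returns 1 if a * b cannot be represented as a non-negative int. */
int mul_overflows(int a, int b)
{
    if (a < 0 || b < 0)
        return 1;
    if (a == 0 || b == 0)
        return 0;
    return a > INT_MAX / b;
}

/* Hardened pattern: each multiplication is checked before it happens.
 * Returns the byte count, or 0 meaning "refuse this image". */
size_t checked_rgba_size(int sx, int sy)
{
    if (sx <= 0 || sy <= 0)
        return 0;
    if (mul_overflows(sx, sy))
        return 0;
    if (mul_overflows(sx * sy, 4))
        return 0;
    return (size_t)sx * (size_t)sy * 4u;
}

/* Allocation step of a hypothetical encoder: size check first, and NULL
 * (encode refused) rather than a heap block smaller than the pixel loop. */
unsigned char *alloc_rgba(const toy_image *im)
{
    size_t n = checked_rgba_size(im->sx, im->sy);
    if (n == 0)
        return NULL;
    return (unsigned char *)calloc(n, 1);
}

/* Reports whether alloc_rgba accepts the dimensions; frees the buffer. */
int alloc_rgba_accepts(int sx, int sy)
{
    toy_image im = { sx, sy };
    unsigned char *buf = alloc_rgba(&im);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}

int main(void)
{
    /* 65536 * 16384 * 4 == 2^32, so the unchecked size wraps to exactly 0. */
    printf("unchecked 65536x16384: %u bytes\n",
           (unsigned)unchecked_rgba_size_u32(65536, 16384));
    printf("checked   65536x16384: %zu bytes (0 = refused)\n",
           checked_rgba_size(65536, 16384));
    printf("checked   640x480:     %zu bytes\n", checked_rgba_size(640, 480));
    printf("alloc 640x480 accepted:     %d\n", alloc_rgba_accepts(640, 480));
    printf("alloc 65536x16384 accepted: %d\n", alloc_rgba_accepts(65536, 16384));
    return 0;
}
```

The point of the checked version is that the refusal happens on the size computation, before any allocation; a check placed after calloc() on the already-wrapped value would accept the zero-byte block as a success.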
--- Begin Message ---
Source: libgd2
Source-Version: 2.2.3-87-gd0fec80-1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 839...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 31 Oct 2016 09:56:49 +0100
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source
Version: 2.2.3-87-gd0fec80-1
Distribution: unstable
Urgency: medium
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Closes: 839659 840805 840806
Changes:
libgd2 (2.2.3-87-gd0fec80-1) unstable; urgency=medium
.
* Imported Upstream version 2.2.3-87-gd0fec80
+ [CVE-2016-8670]: Stack Buffer Overflow in GD dynamicGetbuf
+ [CVE-2016-6911]: invalid read in gdImageCreateFromTiffPtr()
+ [CVE-2016-7568]: Integer overflow in gdImageWebpCtx
(Closes: #840805, #840806, #839659)
* Refresh patches on top of git snapshot 2.2.3-87-gd0fec80
* Replace -dbg with -dbgsym packages
* Disable php_bug_72339 that has overflow constant
* Fix error: ISO C99 requires at least one argument for the "..." in a
variadic macro
Checksums-Sha1:
52684e3622c645ed1a33ff42a6674b98cb841981 2363 libgd2_2.2.3-87-gd0fec80-1.dsc
7c748f98bf29fddd587dacb4fdca6866fd7cc6ba 2239856 libgd2_2.2.3-87-gd0fec80.orig.tar.xz
58744bc626bc9caea9d5a6c071f70f1158e08314 24476 libgd2_2.2.3-87-gd0fec80-1.debian.tar.xz
Checksums-Sha256:
4feae7067a735787a258d64f26e08feca1feba4072217b7b2a8916ceda88387c 2363 libgd2_2.2.3-87-gd0fec80-1.dsc
c4fbf0b4017aff89dc53ab08600baea78b2a9dab59af77da424a6979e5907d7e 2239856 libgd2_2.2.3-87-gd0fec80.orig.tar.xz
fa0d5d80dcc7208b18e14d798fbf9d3fead24da1199dfacfa704460ed3943af2 24476 libgd2_2.2.3-87-gd0fec80-1.debian.tar.xz
Files:
8c29c925806f53f87660a5a48e23efb5 2363 graphics optional libgd2_2.2.3-87-gd0fec80-1.dsc
bb033924093aaf539ecb9c6034763f02 2239856 graphics optional libgd2_2.2.3-87-gd0fec80.orig.tar.xz
cd865f5380d4990e62207e481fa4d881 24476 graphics optional libgd2_2.2.3-87-gd0fec80-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
--- End Message ---