Your message dated Mon, 01 Jan 2007 20:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#384838: fixed in libgd2 2.0.33-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libgd2-xpm
Version: 2.0.33-1.1sarge1
Severity: grave
Tags: security patch
Justification: user security hole
libgd2 crashes on some corrupt GIFs [1]. This issue was found in PHP (php bug
#38112 [2]). With php4 + php4-gd the segfault can be triggered by executing the
PoC at [3]. The attached patch has been adapted from the bug report and seems to
fix the problem.
[1] http://people.debian.org/~seanius/security/php/poc/38112.gif
[2] http://bugs.php.net/bug.php?id=38112
[3] http://people.debian.org/~seanius/security/php/poc/38112.poc
Severity grave because this might lead to arbitrary code execution in php
(although I haven't tried to analyze the problem further).
--- libgd2-2.0.33/gd_gif_in.c 2006-08-27 10:34:02.021822968 +0200
+++ libgd2-2.0.33.patched/gd_gif_in.c 2006-08-27 01:01:05.050952000 +0200
@@ -208,6 +208,12 @@
if (!im) {
return 0;
}
+
+ if (!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
+
/* Check for open colors at the end, so
we can reduce colorsTotal and ultimately
BitsPerPixel */
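Review bot: the new `if (!im->colorsTotal)` test directly after the `if (!im)` check carries no comment saying why an image with zero colours is treated as a failed decode. Going by the other hunks, it appears to be how this caller notices that the reading code bailed out with a bare `return;` before reaching `im->colorsTotal = gdMaxColors;`. Please say so in a comment above the test, so the coupling between the two places survives later changes. The `gdImageDestroy(im); return 0;` cleanup matches the existing `return 0;` failure convention just above it.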
@@ -497,6 +503,19 @@
int v;
int xpos = 0, ypos = 0, pass = 0;
int i;
+
+ /*
+ ** Initialize the Compression routines
+ */
+ if (! ReadOK(fd,&c,1)) {
+ return;
+ }
+
+ if (c > MAX_LWZ_BITS) {
+ return;
+ }
+
+
/* Stash the color map into the image */
for (i=0; (i<gdMaxColors); i++) {
im->red[i] = cmap[CM_RED][i];
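Review bot: the relocated comment "Initialize the Compression routines" now sits above the read of `c` and the new `c > MAX_LWZ_BITS` test, while the call that actually starts the decoder, `LWZReadByte(fd, TRUE, c, ZeroDataBlockP)`, stays further down, so the comment no longer describes the lines under it. Suggest rewording it to say that `c` is read from the file and must be rejected when it exceeds MAX_LWZ_BITS before it is handed to LWZReadByte. Both new `return;` statements fail silently, so the comment should also note that the caller detects this through colorsTotal staying unset. One of the two blank lines after the closing brace can be dropped.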
@@ -506,12 +525,6 @@
}
/* Many (perhaps most) of these colors will remain marked open. */
im->colorsTotal = gdMaxColors;
- /*
- ** Initialize the Compression routines
- */
- if (! ReadOK(fd,&c,1)) {
- return;
- }
if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0) {
return;
}
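Review bot: the `LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0` failure path kept here returns after `im->colorsTotal = gdMaxColors;` has already run, so the `!im->colorsTotal` test added in the first hunk will not see it, unlike the two early returns added in the previous hunk. If that test is meant to be the way the caller learns that the read failed, this path needs the same treatment, for example by clearing colorsTotal again before the `return;` or by having the function report failure explicitly.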
--- End Message ---
--- Begin Message ---
Source: libgd2
Source-Version: 2.0.33-6
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:
libgd-tools_2.0.33-6_powerpc.deb
to pool/main/libg/libgd2/libgd-tools_2.0.33-6_powerpc.deb
libgd2-noxpm-dev_2.0.33-6_powerpc.deb
to pool/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-6_powerpc.deb
libgd2-noxpm_2.0.33-6_powerpc.deb
to pool/main/libg/libgd2/libgd2-noxpm_2.0.33-6_powerpc.deb
libgd2-xpm-dev_2.0.33-6_powerpc.deb
to pool/main/libg/libgd2/libgd2-xpm-dev_2.0.33-6_powerpc.deb
libgd2-xpm_2.0.33-6_powerpc.deb
to pool/main/libg/libgd2/libgd2-xpm_2.0.33-6_powerpc.deb
libgd2_2.0.33-6.diff.gz
to pool/main/libg/libgd2/libgd2_2.0.33-6.diff.gz
libgd2_2.0.33-6.dsc
to pool/main/libg/libgd2/libgd2_2.0.33-6.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 1 Jan 2007 20:18:13 +0100
Source: libgd2
Binary: libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2-xpm-dev libgd-tools
Architecture: source powerpc
Version: 2.0.33-6
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
libgd-tools - GD command line tools and example code
libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
libgd2-xpm - GD Graphics Library version 2
libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 383747 384838 396174 404774
Changes:
libgd2 (2.0.33-6) unstable; urgency=high
.
* Acknowledge NMUs. Closes: bug#384838, #383747. Thanks to Paul and
Martín Ferrari, and to Andreas Barth and Steinar H. Gunderson for
watching my back.
* Update local cdbs snippets (and add debian/README.cdbs-tweaks to
source, documenting their purpose), fixing a FTBFS. Closes:
bug#396174, thanks to Martin Pitt.
* Semi-autoupdate debian/control to have the above take effect:
$ DEB_BUILD_OPTIONS=cdbs-autoupdate fakeroot debian/rules clean
* Add patch 1009 to fix segfaults due to lack of boundary checks for
anti-aliasing. Closes: bug#404774, thanks (again!) to Paul.
* Set urgency=high as the above is important to include with etch.
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFmWYwn7DbMsAkQLgRAkCzAKCT+GE7l7FuwJfKvATGpLl30nuRsQCgm4xY
LGJ/Cc0c7egbAWXknFIlNXk=
=Sjo8
-----END PGP SIGNATURE-----
--- End Message ---