Your message dated Thu, 14 Jul 2016 10:07:13 +0000
with message-id <[email protected]>
and subject line Bug#829014: fixed in libgd2 2.2.2-29-g3c2b605-1
has caused the Debian Bug report #829014,
regarding libgd2: CVE-2016-5766: Integer Overflow in _gd2GetHeader() resulting
in heap overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
829014: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829014
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libgd2
Version: 2.1.0-5
Severity: important
Tags: security upstream patch
Forwarded: https://bugs.php.net/bug.php?id=72339

Hi,

the following vulnerability was published for libgd2.

CVE-2016-5766[0]:
Integer Overflow in _gd2GetHeader() resulting in heap overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-5766
[1] https://git.php.net/?p=php-src.git;a=commitdiff;h=7722455726bec8c53458a32851d2a87982cf0eac
[2] https://bugs.php.net/bug.php?id=72339

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libgd2
Source-Version: 2.2.2-29-g3c2b605-1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 14 Jul 2016 10:53:07 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg
Architecture: source amd64
Version: 2.2.2-29-g3c2b605-1
Distribution: unstable
Urgency: medium
Maintainer: GD team <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Description:
 libgd-dbg - Debug symbols for GD Graphics Library
 libgd-dev - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd3 - GD Graphics Library
Closes: 829014 829062 829694
Changes:
 libgd2 (2.2.2-29-g3c2b605-1) unstable; urgency=medium
 .
   * Imported Upstream version 2.2.2-29-g3c2b605
     + [CVE-2016-5766]: Fix Integer Overflow in _gd2GetHeader() resulting in
       heap overflow (Closes: #829014)
     + [CVE-2016-6128]: Fix invalid color index not handled, can lead to
       crash (Closes: #829062)
     + [CVE-2016-6161]: Add upstream patch to fix gif: avoid out-of-bound
       reads of masks array
     + [CVE-2016-6132]: Fix out-of-bounds read in the parsing of TGA files
       (Closes: #829694)
     + [CVE-2016-6214]: Fix read out-of-bounds was found in TGA
     + Fix another out-of-bounds read in read_image_tga (upstream #248)
   * Remove patches merged upstream
--- End Message ---