Your message dated Wed, 06 Jul 2022 14:49:23 +0000
with message-id <[email protected]>
and subject line Bug#991912: fixed in libgd2 2.3.3-1
has caused the Debian Bug report #991912,
regarding libgd2: CVE-2021-38115
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
991912: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991912
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libgd2
Version: 2.3.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libgd/libgd/issues/697
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libgd2.

CVE-2021-38115[0]:
| read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD)
| through 2.3.2 allows remote attackers to cause a denial of service
| (out-of-bounds read) via a crafted TGA file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-38115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38115
[1] https://github.com/libgd/libgd/issues/697
[2] https://github.com/libgd/libgd/commit/8b111b2b4a4842179be66db68d84dda91a246032

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libgd2
Source-Version: 2.3.3-1
Done: Ondřej Surý <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Jul 2022 16:33:08 +0200
Source: libgd2
Architecture: source
Version: 2.3.3-1
Distribution: unstable
Urgency: medium
Maintainer: GD Team <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Closes: 981208 991912 1004572
Changes:
 libgd2 (2.3.3-1) unstable; urgency=medium
 .
   * Require debhelper >= 10
   * New upstream version 2.3.3 (Closes: #1004572)
    + CVE-2021-38115: fix read out-of-bounds in reading tga header file
      (Closes: #991912)
   * New upstream version 2.3.1
    + CVE-2019-11038: Using uninitialized variables.
    + CVE-2019-6977: Heap-based buffer overflow.
    + CVE-2019-6978: Double-free in gdImage*Ptr().
   * Enable AVIF and HEIF support
   * Update symbols file for libgd3_2.3.3
   * Remove libxt-dev, html2text from build dependencies (Closes: #981208)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
