Your message dated Wed, 30 Aug 2006 23:02:29 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#372912: fixed in libgd2 2.0.33-1.1sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libgd2
Severity: important
Tags: security patch
CVE-2006-2906: "The LZW decoding in the gdImageCreateFromGifPtr function
in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33
allows remote attackers to cause a denial of service (CPU consumption)
via malformed GIF data that causes an infinite loop."
The original BugTraq posting [1] includes a test case and a crude
patch. I was unable to compile the test case; gcc complained about
something in the gif data and I was unable to track the error down.
Please include the CVE number in your changelog.
Thanks,
Alec
[1] http://www.securityfocus.com/archive/1/436132
--- End Message ---
--- Begin Message ---
Source: libgd2
Source-Version: 2.0.33-1.1sarge1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:
libgd-tools_2.0.33-1.1sarge1_powerpc.deb
to pool/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_powerpc.deb
libgd2-dev_2.0.33-1.1sarge1_all.deb
to pool/main/libg/libgd2/libgd2-dev_2.0.33-1.1sarge1_all.deb
libgd2-noxpm-dev_2.0.33-1.1sarge1_powerpc.deb
to pool/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_powerpc.deb
libgd2-noxpm_2.0.33-1.1sarge1_powerpc.deb
to pool/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_powerpc.deb
libgd2-xpm-dev_2.0.33-1.1sarge1_powerpc.deb
to pool/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_powerpc.deb
libgd2-xpm_2.0.33-1.1sarge1_powerpc.deb
to pool/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_powerpc.deb
libgd2_2.0.33-1.1sarge1.diff.gz
to pool/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.diff.gz
libgd2_2.0.33-1.1sarge1.dsc
to pool/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.dsc
libgd2_2.0.33-1.1sarge1_all.deb
to pool/main/libg/libgd2/libgd2_2.0.33-1.1sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Mon, 17 Jul 2006 01:06:53 +0200
Source: libgd2
Binary: libgd2-dev libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2 libgd2-xpm-dev libgd-tools
Architecture: source all powerpc
Version: 2.0.33-1.1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
libgd-tools - GD command line tools and example code
libgd2 - GD Graphics Library version 2
libgd2-dev - GD Graphics Library version 2 (development version)
libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
libgd2-xpm - GD Graphics Library version 2
libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 372912
Changes:
libgd2 (2.0.33-1.1sarge1) stable-security; urgency=high
.
* Apply patch to fix infinite loop in GIF code. Closes: bug#372912
(thanks to Alec Berryman <[EMAIL PROTECTED]> for reporting, and to
Martin Pitt <[EMAIL PROTECTED]> for providing a patch).
Reported as CVE-2006-2906.
* Include this and the earlier security fix as isolated patches in
the source:
+ 1001_CAN-2004-0941.patch
+ 1002_CVE-2006-2906.patch
Files:
--- End Message ---