Your message dated Thu, 18 Dec 2014 17:59:45 +0000
with message-id <1418925585.23220.6.ca...@adam-barratt.org.uk>
and subject line Re: Bug#773448: unblock: libgd2/2.1.0-5
has caused the Debian Bug report #773448,
regarding unblock: libgd2/2.1.0-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package libgd2

Hi,

new release with an upstream fix for buffer overflow found by ASAN by
Jan Bee.

Also removing seanius from Uploaders upon request of MIA team.

$ diffstat libgd2_2.1.0-5.debdiff 
 changelog                         |    8 ++++++++
 control                           |    3 +--
 patches/fix-buffer-overflow.patch |   38 ++++++++++++++++++++++++++++++++++++++
 patches/series                    |    1 +
 4 files changed, 48 insertions(+), 2 deletions(-)

unblock libgd2/2.1.0-5

- -- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Dec 2014 13:30:57 +0100
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg libgd2-xpm-dev libgd2-noxpm-dev
Architecture: source amd64
Version: 2.1.0-5
Distribution: unstable
Urgency: high
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
 libgd-dbg  - Debug symbols for GD Graphics Library
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd2-noxpm-dev - GD Graphics Library (transitional package)
 libgd2-xpm-dev - GD Graphics Library (transitional package)
 libgd3     - GD Graphics Library
Closes: 773439
Changes:
 libgd2 (2.1.0-5) unstable; urgency=high
 .
   * Remove seanius from Uploaders.  So Long, and Thanks for All the Fish.
     (Closes: #773439)
   * Fix buffer overflow found by Jan Bee and fixed by Remi Collet

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

Attachment: libgd2_2.1.0-5.debian.tar.xz
Description: application/xz

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: libgd2
Binary: libgd-tools, libgd-dev, libgd3, libgd-dbg, libgd2-xpm-dev, libgd2-noxpm-dev
Architecture: any
Version: 2.1.0-5
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Uploaders: Ondřej Surý <ond...@debian.org>
Homepage: http://www.libgd.org/
Standards-Version: 3.9.3
Vcs-Browser: http://anonscm.debian.org/?p=collab-maint/libgd.git;a=summary
Vcs-Git: git://anonscm.debian.org/git/collab-maint/libgd
Build-Depends: autotools-dev, debhelper (>= 9), libpng-dev, libz-dev, libjpeg-dev, libfreetype6-dev, libxpm-dev, libx11-dev, libxt-dev, libfontconfig-dev, libvpx-dev, libtiff-dev, dh-autoreconf, html2text
Package-List:
 libgd-dbg deb debug extra arch=any
 libgd-dev deb libdevel optional arch=any
 libgd-tools deb graphics optional arch=any
 libgd2-noxpm-dev deb oldlibs extra arch=any
 libgd2-xpm-dev deb oldlibs extra arch=any
 libgd3 deb libs optional arch=any

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog
--- libgd2-2.1.0/debian/changelog	2014-09-28 14:01:34.000000000 +0200
+++ libgd2-2.1.0/debian/changelog	2014-12-18 13:31:20.000000000 +0100
@@ -1,3 +1,11 @@
+libgd2 (2.1.0-5) unstable; urgency=high
+
+  * Remove seanius from Uploaders.  So Long, and Thanks for All the Fish.
+    (Closes: #773439)
+  * Fix buffer overflow found by Jan Bee and fixed by Remi Collet
+
+ -- Ondřej Surý <ond...@debian.org>  Thu, 18 Dec 2014 13:30:57 +0100
+
 libgd2 (2.1.0-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
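Review bot: the new entry at the top of this hunk says only "Fix buffer overflow" and does not name the affected code, although the upload is urgency=high. The patch shipped in the same debdiff describes a possible buffer read overflow in src/gd_gif_in.c, so the entry could say that directly, for example "Fix possible buffer read overflow in the GIF reader (src/gd_gif_in.c)", and reference a bug or advisory number if one exists. That lets someone reading the changelog judge exposure without opening the patch.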
diff -Nru libgd2-2.1.0/debian/control libgd2-2.1.0/debian/control
--- libgd2-2.1.0/debian/control	2014-09-28 13:58:48.000000000 +0200
+++ libgd2-2.1.0/debian/control	2014-12-18 13:31:20.000000000 +0100
@@ -2,8 +2,7 @@
 Section: graphics
 Priority: optional
 Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ond...@debian.org>,
-	   Sean Finney <sean...@debian.org>
+Uploaders: Ondřej Surý <ond...@debian.org>
 Build-Depends: autotools-dev,
 	       debhelper (>= 9),
 	       libpng-dev,
diff -Nru libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch
--- libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch	2014-12-18 13:31:20.000000000 +0100
@@ -0,0 +1,38 @@
+From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
+From: Remi Collet <fed...@famillecollet.com>
+Date: Sat, 13 Dec 2014 08:48:18 +0100
+Subject: [PATCH] Fix possible buffer read overflow detected by
+ -fsanitize=address, thanks to Jan Bee
+
+---
+ src/gd_gif_in.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- libgd2.orig/src/gd_gif_in.c
++++ libgd2/src/gd_gif_in.c
+@@ -75,8 +75,10 @@ static struct {
+ 
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+ 
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+-	unsigned char buf[280];
++	unsigned char buf[CSD_BUF_SIZE];
+ 	int curbit;
+ 	int lastbit;
+ 	int done;
+@@ -410,7 +412,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *
+ 
+ 	ret = 0;
+ 	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+-		ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++		if (i < CSD_BUF_SIZE * 8) {
++			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++		} else {
++			ret = -1;
++			break;
++		}
+ 	}
+ 
+ 	scd->curbit += code_size;
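Review bot: in the GetCode_ loop the new guard "i < CSD_BUF_SIZE * 8" checks the capacity of buf, not how much of it holds data read from the file. That addresses the read past the end of the array, but a curbit that runs past the loaded data while staying inside the 280 bytes will still decode whatever is left in the buffer; if lastbit marks the end of valid data, as its name suggests, bounding i by scd->lastbit as well would cover that case. Two smaller points in the same place: after "ret = -1; break;" execution still reaches "scd->curbit += code_size;", so the cursor keeps advancing on the error path, and the -1 only helps if every caller of GetCode_ treats a negative code as an error, which this hunk does not show. A short comment next to the CSD_BUF_SIZE define saying where 280 comes from would also help.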
diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series
--- libgd2-2.1.0/debian/patches/series	2014-08-04 11:07:32.000000000 +0200
+++ libgd2-2.1.0/debian/patches/series	2014-12-18 13:31:20.000000000 +0100
@@ -1,3 +1,4 @@
+fix-buffer-overflow.patch
 gdlib-config-uses-pkgconfig.patch
 fix-compiled-in-version.patch
 subdir-objects.patch

--- End Message ---
--- Begin Message ---
On Thu, 2014-12-18 at 13:38 +0100, Ondřej Surý wrote:
> Please unblock package libgd2
> 
> Hi,
> 
> new release with an upstream fix for buffer overflow found by ASAN by
> Jan Bee.

Unblocked.

Regards,

Adam

--- End Message ---
