Your message dated Thu, 18 Dec 2014 17:59:45 +0000 with message-id <1418925585.23220.6.ca...@adam-barratt.org.uk> and subject line Re: Bug#773448: unblock: libgd2/2.1.0-5 has caused the Debian Bug report #773448, regarding unblock: libgd2/2.1.0-5 to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
773448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libgd2

Hi,

new release with an upstream fix for buffer overflow found by ASAN by
Jan Bee.

Also removing seanius from Uploaders upon request of MIA team.

$ diffstat libgd2_2.1.0-5.debdiff
 changelog                         |    8 ++++++++
 control                           |    3 +--
 patches/fix-buffer-overflow.patch |   38 ++++++++++++++++++++++++++++++++++++++
 patches/series                    |    1 +
 4 files changed, 48 insertions(+), 2 deletions(-)

unblock libgd2/2.1.0-5

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Format: 1.8
Date: Thu, 18 Dec 2014 13:30:57 +0100
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg libgd2-xpm-dev libgd2-noxpm-dev
Architecture: source amd64
Version: 2.1.0-5
Distribution: unstable
Urgency: high
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
 libgd-dbg  - Debug symbols for GD Graphics Library
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd2-noxpm-dev - GD Graphics Library (transitional package)
 libgd2-xpm-dev - GD Graphics Library (transitional package)
 libgd3     - GD Graphics Library
Closes: 773439
Changes:
 libgd2 (2.1.0-5) unstable; urgency=high
 .
   * Remove seanius from Uploaders. So Long, and Thanks for All the Fish.
     (Closes: #773439)
   * Fix buffer overflow found by Jan Bee and fixed by Remi Collet

libgd2_2.1.0-5.debian.tar.xz
Description: application/xz

Format: 3.0 (quilt)
Source: libgd2
Binary: libgd-tools, libgd-dev, libgd3, libgd-dbg, libgd2-xpm-dev, libgd2-noxpm-dev
Architecture: any
Version: 2.1.0-5
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Uploaders: Ondřej Surý <ond...@debian.org>
Homepage: http://www.libgd.org/
Standards-Version: 3.9.3
Vcs-Browser: http://anonscm.debian.org/?p=collab-maint/libgd.git;a=summary
Vcs-Git: git://anonscm.debian.org/git/collab-maint/libgd
Build-Depends: autotools-dev, debhelper (>= 9), libpng-dev, libz-dev, libjpeg-dev, libfreetype6-dev, libxpm-dev, libx11-dev, libxt-dev, libfontconfig-dev, libvpx-dev, libtiff-dev, dh-autoreconf, html2text
Package-List:
 libgd-dbg deb debug extra arch=any
 libgd-dev deb libdevel optional arch=any
 libgd-tools deb graphics optional arch=any
 libgd2-noxpm-dev deb oldlibs extra arch=any
 libgd2-xpm-dev deb oldlibs extra arch=any
 libgd3 deb libs optional arch=any

diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog --- libgd2-2.1.0/debian/changelog 2014-09-28 14:01:34.000000000 +0200 +++ libgd2-2.1.0/debian/changelog 2014-12-18 13:31:20.000000000 +0100 @@ -1,3 +1,11 @@ +libgd2 (2.1.0-5) unstable; urgency=high + + * Remove seanius from Uploaders. So Long, and Thanks for All the Fish. + (Closes: #773439) + * Fix buffer overflow found by Jan Bee and fixed by Remi Collet + + -- Ondřej Surý <ond...@debian.org> Thu, 18 Dec 2014 13:30:57 +0100 + libgd2 (2.1.0-4.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libgd2-2.1.0/debian/control libgd2-2.1.0/debian/control --- libgd2-2.1.0/debian/control 2014-09-28 13:58:48.000000000 +0200 +++ libgd2-2.1.0/debian/control 2014-12-18 13:31:20.000000000 +0100 @@ -2,8 +2,7 @@ Section: graphics Priority: optional Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org> -Uploaders: Ondřej Surý <ond...@debian.org>, - Sean Finney <sean...@debian.org> +Uploaders: Ondřej Surý <ond...@debian.org> Build-Depends: autotools-dev, debhelper (>= 9), libpng-dev, diff -Nru libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch --- libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.1.0/debian/patches/fix-buffer-overflow.patch 2014-12-18 13:31:20.000000000 +0100 
@@ -0,0 +1,38 @@ +From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001 +From: Remi Collet <fed...@famillecollet.com> +Date: Sat, 13 Dec 2014 08:48:18 +0100 +Subject: [PATCH] Fix possible buffer read overflow detected by + -fsanitize=address, thanks to Jan Bee + +--- + src/gd_gif_in.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- libgd2.orig/src/gd_gif_in.c ++++ libgd2/src/gd_gif_in.c +@@ -75,8 +75,10 @@ static struct { + + #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) + ++#define CSD_BUF_SIZE 280 ++ + typedef struct { +- unsigned char buf[280]; ++ unsigned char buf[CSD_BUF_SIZE]; + int curbit; + int lastbit; + int done; +@@ -410,7 +412,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA * + + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { +- ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; ++ if (i < CSD_BUF_SIZE * 8) { ++ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; ++ } else { ++ ret = -1; ++ break; ++ } + } + + scd->curbit += code_size; diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series --- libgd2-2.1.0/debian/patches/series 2014-08-04 11:07:32.000000000 +0200 +++ libgd2-2.1.0/debian/patches/series 2014-12-18 13:31:20.000000000 +0100 @@ -1,3 +1,4 @@ +fix-buffer-overflow.patch gdlib-config-uses-pkgconfig.patch fix-compiled-in-version.patch subdir-objects.patch
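
Review bot: In the debian/changelog hunk, the entry "Fix buffer overflow found by Jan Bee and fixed by Remi Collet" does not say where the overflow is or what kind it is. The patch subject calls it a possible buffer read overflow and the only source file touched is src/gd_gif_in.c, so the entry could name the GIF reader and the patch file, which helps anyone triaging an urgency=high upload. It also carries no bug or upstream reference, although the patch header gives commit 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43.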
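
Review bot: In the gd_gif_in.c hunk at -75,8, the new CSD_BUF_SIZE macro has no comment explaining why the buffer is 280 bytes, and the bounds check added later repeats the macro rather than deriving the limit from the array itself. Writing the limit in GetCode_ as sizeof(scd->buf) * 8 would keep the check tied to the declaration if buf is ever resized, and a one-line comment on the macro would record where 280 comes from.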
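
Review bot: In the GetCode_ hunk at -410,7, the out-of-range branch sets ret = -1 and breaks, but the unchanged context line "scd->curbit += code_size;" after the loop still runs, so curbit is advanced even though no code was read and is left pointing past the buffer. Checking scd->curbit + code_size against CSD_BUF_SIZE * 8 once before the loop and returning the error there would avoid the per-bit test and leave the state untouched. The test also bounds i by the capacity of buf only; the struct has a lastbit field, and if that marks the end of the bits actually filled, reads between lastbit and the end of buf still pass this check. Callers of GetCode_ need to treat a negative return as an error rather than as a code value.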
--- End Message ---
--- Begin Message ---
On Thu, 2014-12-18 at 13:38 +0100, Ondřej Surý wrote:
> Please unblock package libgd2
>
> Hi,
>
> new release with an upstream fix for buffer overflow found by ASAN by
> Jan Bee.

Unblocked.

Regards,

Adam
--- End Message ---