lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1KLBs7-0005Om-Nv@klecker.debian.org>
Date: Tue, 22 Jul 2008 07:01:19 +0000
From: Devin Carraway <devin@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1613-1] new libgd2 packages fix multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1613-1                  security@...ian.org
http://www.debian.org/security/                           Devin Carraway
July 22, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libgd2
Vulnerability  : multiple vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-3476 CVE-2007-3477 CVE-2007-3996 CVE-2007-2445
Debian Bug     : 443456

Multiple vulnerabilities have been identified in libgd2, a library
for programmatic graphics creation and manipulation.  The Common
Vulnerabilities and Exposures project identifies the following three
issues:

CVE-2007-2445

    Grayscale PNG files containing invalid tRNS chunk CRC values
    could cause a denial of service (crash), if a maliciously
    crafted image is loaded into an application using libgd.

CVE-2007-3476

    An array indexing error in libgd's GIF handling could induce a
    denial of service (crash with heap corruption) if exceptionally
    large color index values are supplied in a maliciously crafted
    GIF image file.

CVE-2007-3477

    The imagearc() and imagefilledarc() routines in libgd allow
    an attacker in control of the parameters used to specify
    the degrees of arc for those drawing functions to perform
    a denial of service attack (excessive CPU consumption).

CVE-2007-3996

    Multiple integer overflows exist in libgd's image resizing and
    creation routines; these weaknesses allow an attacker in control
    of the parameters passed to those routines to induce a crash or
    execute arbitrary code with the privileges of the user running
    an application or interpreter linked against libgd2.

For the stable distribution (etch), these problems have been fixed in
version 2.0.33-5.2etch1.  For the unstable distribution (sid), the
problem has been fixed in version 2.0.35.dfsg-1.

We recommend that you upgrade your libgd2 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-5.2etch1.diff.gz
    Size/MD5 checksum:   299546 bbcc9e441bb47f54eb6627a79aef95c8
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-5.2etch1.dsc
    Size/MD5 checksum:      987 026ab752f6c09db61257eadc2dc7495f
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33.orig.tar.gz
    Size/MD5 checksum:   587617 be0a6d326cd8567e736fbc75df0a5c45

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_alpha.deb
    Size/MD5 checksum:   366896 2d69e2c1ba03065236cb1269ede5f1a3
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_alpha.deb
    Size/MD5 checksum:   147510 afd6328854cd0a783a49c8e2a317ab86
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_alpha.deb
    Size/MD5 checksum:   211288 3791111d9461d64acdebefd36bd094b9
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_alpha.deb
    Size/MD5 checksum:   209562 84fbf1d0314582e2423b91ab9fabc26d
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_alpha.deb
    Size/MD5 checksum:   363162 c63aa212712903d47c6cba7f208b6eff

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_amd64.deb
    Size/MD5 checksum:   342788 fb2ede45cc40b4f5028cb771897a9a91
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_amd64.deb
    Size/MD5 checksum:   145242 f56629274f27b7f1db09ec669ba3c1ce
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_amd64.deb
    Size/MD5 checksum:   200460 24620eba0b8767f0e8df185ca262dda0
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_amd64.deb
    Size/MD5 checksum:   340868 8e2c86769cf213d5810297310e176888
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_amd64.deb
    Size/MD5 checksum:   203322 006e39d79be19c437ebd9b88aabbc46e

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_arm.deb
    Size/MD5 checksum:   195610 cffd7f5c304168483d4a9fd8e8bf4cac
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_arm.deb
    Size/MD5 checksum:   337472 8b306ec0ff60c785ef728680a1bcbc9c
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_arm.deb
    Size/MD5 checksum:   145138 da2dc662fb65c79e3be4f4316cd1c475
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_arm.deb
    Size/MD5 checksum:   197640 de10de2a6a604ca0219415d90240922a
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_arm.deb
    Size/MD5 checksum:   334880 7eaa4ca8ec2f1929171d353a7dca70ea

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_hppa.deb
    Size/MD5 checksum:   206646 a4076e4cd5b1a2e77208d2f4c9d6fd72
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_hppa.deb
    Size/MD5 checksum:   147620 5a3eb7577e071214a10915d2a12ff050
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_hppa.deb
    Size/MD5 checksum:   352034 117102f8ab98a933ba5e08257298c302
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_hppa.deb
    Size/MD5 checksum:   209222 b2425804bd51a60d8a4325db84605450
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_hppa.deb
    Size/MD5 checksum:   349162 979723a81f62d6c2dbdac56d66fde6dc

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_i386.deb
    Size/MD5 checksum:   144040 a19b726c38ae5b760d12f002dc26386b
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_i386.deb
    Size/MD5 checksum:   338582 837a0b4917dd5a9ea44894d1c86dac20
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_i386.deb
    Size/MD5 checksum:   335902 e03aba661c8c802c405c1c5caaf7e2fc
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_i386.deb
    Size/MD5 checksum:   199410 1dcc174038ee43b0c3f896255c08da8b
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_i386.deb
    Size/MD5 checksum:   196760 9c41f2bcaf00e296a8f753bc89b042bf

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_ia64.deb
    Size/MD5 checksum:   233692 237f0cf48ab28f55de21165882949929
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_ia64.deb
    Size/MD5 checksum:   381794 b7f95b4d44a908ef0a957fce2445d042
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_ia64.deb
    Size/MD5 checksum:   379680 a67cc374d45b934e8f129b375c3c2b90
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_ia64.deb
    Size/MD5 checksum:   149758 3ec3577b790136172e618afdd0ffc396
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_ia64.deb
    Size/MD5 checksum:   236256 f1153b75a2411e99de161ff3aae1ee4b

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_mips.deb
    Size/MD5 checksum:   197818 16ccf2325098ba8445b20cf9334f44a5
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_mips.deb
    Size/MD5 checksum:   200208 63fd7dc16cc9387bf51248a668320887
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_mips.deb
    Size/MD5 checksum:   145086 fe0c795d4a004fb18182d5f390219a3c
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_mips.deb
    Size/MD5 checksum:   349902 888522b2d61e05efa52b2f58d13d4a30
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_mips.deb
    Size/MD5 checksum:   347360 558ce7647ccf4d20278208a3d46d51d3

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_mipsel.deb
    Size/MD5 checksum:   348768 938cff5e66d4cf7894e5b33f2c7cc934
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_mipsel.deb
    Size/MD5 checksum:   199920 67023552469fc4a30487009147866458
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_mipsel.deb
    Size/MD5 checksum:   351440 f5a690e113e800c2583344c77746d521
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_mipsel.deb
    Size/MD5 checksum:   144500 a8247e6bb2fbbcf7bba9fc756ec92e88
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_mipsel.deb
    Size/MD5 checksum:   202396 b5bbcb8b61ca28f8e85ef6cf54d02644

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_powerpc.deb
    Size/MD5 checksum:   204266 332c8482ea4f9af50183e8be4f59e9ea
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_powerpc.deb
    Size/MD5 checksum:   202356 047679dee0a8d17815a905dab7ec8c0c
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_powerpc.deb
    Size/MD5 checksum:   347384 9508cff125f5e547be56895ac6e41a4c
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_powerpc.deb
    Size/MD5 checksum:   152934 51080a4fc09ddbae6e0b809169008f53
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_powerpc.deb
    Size/MD5 checksum:   344726 393b4d213d0be6908e7c0c206cb57c39

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_s390.deb
    Size/MD5 checksum:   145158 1dfae9aa0d59be8fbbbbcaa310d508c4
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_s390.deb
    Size/MD5 checksum:   344760 ceadabf4a6895ccb33d615132d05cdc9
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_s390.deb
    Size/MD5 checksum:   341418 c41f6ad2a4563d45fa17a09dc92f347e
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_s390.deb
    Size/MD5 checksum:   206184 8a1c0ab32b20b7debf4beba96be1f7ef
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_s390.deb
    Size/MD5 checksum:   203650 04beedd2705136d9bc12fdfc9c3744ae

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_sparc.deb
    Size/MD5 checksum:   199146 2ac9e88e993bd74e3bb09c0bb71a6d5d
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_sparc.deb
    Size/MD5 checksum:   144180 5631f2908055df679f94bc305b951dd8
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_sparc.deb
    Size/MD5 checksum:   338830 d4946419e41d3ad04303201e3d2a15ac
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_sparc.deb
    Size/MD5 checksum:   196570 fe461b1cfac5b156544d3beb349d1d01
  http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_sparc.deb
    Size/MD5 checksum:   336322 07433fa292e875eabcbd43562a5184ee


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIhYT1U5XKDemr/NIRAoGzAJ9SC+vUJUadS/NfGkHPoXPhERjJTQCcCRMH
lC9tP4+VSxveh0KAjUvtPvQ=
=+nPm
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ