lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060721161908.GB6316@galadriel.inutil.org>
Date: Fri, 21 Jul 2006 18:19:08 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: debian-security-announce@...ts.debian.org
Cc: 
Subject: [SECURITY] [DSA 1117-1] New libgd2 packages fix
	denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1117-1                    security@...ian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
July 21st, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libgd2
Vulnerability  : insufficient input sanitising
Problem-Type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2006-2906
Debian Bug     : 372912

It was discoverd that the GD graphics library performs insufficient checks
of the validity of GIF images, which might lead to denial of service by
tricking the application into an infinite loop.

For the stable distribution (sarge) this problem has been fixed in
version 2.0.33-1.1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.33-5.

We recommend that you upgrade your libgd2 packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.dsc
      Size/MD5 checksum:      885 e389163781898504ec6e8e0018cd1fdd
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.diff.gz
      Size/MD5 checksum:   260955 50e0aa54bda19f06041d78a5771c7fd1
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33.orig.tar.gz
      Size/MD5 checksum:   587617 be0a6d326cd8567e736fbc75df0a5c45

  Architecture independent components:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-dev_2.0.33-1.1sarge1_all.deb
      Size/MD5 checksum:   128526 bcaaacf60733a35002b999f8851ce3a7
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-1.1sarge1_all.deb
      Size/MD5 checksum:   128500 4ef28350291c173754332cc61cb54ba1

  Alpha architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_alpha.deb
      Size/MD5 checksum:   144914 65aa478f07315cb7e62ac6d91177b96d
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_alpha.deb
      Size/MD5 checksum:   206668 8cded1b036579ebc7c62f1ac37824ac6
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_alpha.deb
      Size/MD5 checksum:   357800 cc21def16f0e514da5d34c2f513b3daf
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_alpha.deb
      Size/MD5 checksum:   208490 fa17839a6953dbd709eda8783be6ead1
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_alpha.deb
      Size/MD5 checksum:   362160 0be347a2217d06fe7ef36b002ea7c9ca

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_amd64.deb
      Size/MD5 checksum:   141774 1f54d14b016a5ad132998ff669226244
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_amd64.deb
      Size/MD5 checksum:   196436 6ff8e6d85237e34ddd12c9aea85bd314
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_amd64.deb
      Size/MD5 checksum:   337310 bfd77a6cdc6aaa1c64d6c4be1a8acea8
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_amd64.deb
      Size/MD5 checksum:   198932 a084415f7c3dfc684569d626dd80aacb
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_amd64.deb
      Size/MD5 checksum:   340294 8fdc6f33e6253346c4f853db61501a21

  ARM architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_arm.deb
      Size/MD5 checksum:   141374 b157ca4d44fffd20740c162535ca9e3f
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_arm.deb
      Size/MD5 checksum:   188664 5b3a0e8dcb02e3fa83cb8a618a57c456
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_arm.deb
      Size/MD5 checksum:   334316 74999431b3008c7f4820d0405a236c0f
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_arm.deb
      Size/MD5 checksum:   191308 b29466e1a38e863dce0b1cdb535e3cfc
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_arm.deb
      Size/MD5 checksum:   337536 761e0550e4d9343d2056dba350c1cd1f

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_i386.deb
      Size/MD5 checksum:   141786 1cc957c1d1cb93e2d80c85d0c84dcfd1
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_i386.deb
      Size/MD5 checksum:   191932 f66bc591f047503e80d107458e938416
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_i386.deb
      Size/MD5 checksum:   328576 27953838b048aab48d4eee40fc630f6f
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_i386.deb
      Size/MD5 checksum:   193690 580d72764e8b331f9be599b45894497d
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_i386.deb
      Size/MD5 checksum:   330848 0c980ae4c5a0e93725175e69c7d8176f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_ia64.deb
      Size/MD5 checksum:   146290 a07f3ae8f234ca3e3b5e81eebf3c446d
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_ia64.deb
      Size/MD5 checksum:   224272 c057fe07156af1945b9eab8909a28bec
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_ia64.deb
      Size/MD5 checksum:   370376 6f8485a4f4d916d75dc21b20a113ad98
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_ia64.deb
      Size/MD5 checksum:   227040 4983686be756f0fdd7ab03cf1cc9c195
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_ia64.deb
      Size/MD5 checksum:   373400 896aaaaec2747772779073c837fe2d84

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_hppa.deb
      Size/MD5 checksum:   143562 c4223c693e1a24336ddab5a92e3d019b
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_hppa.deb
      Size/MD5 checksum:   204504 371343c96979ae3b6688a9471333dd20
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_hppa.deb
      Size/MD5 checksum:   345608 267ea3ea2dedc6b7d1b991821eff0327
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_hppa.deb
      Size/MD5 checksum:   207026 ad942c88f11286a44e9aac850fb10a3a
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_hppa.deb
      Size/MD5 checksum:   348272 926ac97ade522d92be98fd0035536c45

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_m68k.deb
      Size/MD5 checksum:   141456 1477bf288e99fa9bdf1640c828d7f1a5
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_m68k.deb
      Size/MD5 checksum:   184864 9cde2fe10257ecaf581300e024dd7f0c
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_m68k.deb
      Size/MD5 checksum:   323520 634a13523c02c7b831228c128fe320c8
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_m68k.deb
      Size/MD5 checksum:   187018 b6fcadf304e52fa9e57ceb168e495156
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_m68k.deb
      Size/MD5 checksum:   325634 44468789f4014425c7c84c62fdb07914

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_mips.deb
      Size/MD5 checksum:   155774 5af80762b00f46f1f9fdc46a78941191
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_mips.deb
      Size/MD5 checksum:   195396 c10d28c9f999639745c04889c0581516
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_mips.deb
      Size/MD5 checksum:   344960 0b3bc47908a4f25ebb58b27c5e6fa730
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_mips.deb
      Size/MD5 checksum:   198016 9fe5be1930a8f9ff4ab15b09aff626fb
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_mips.deb
      Size/MD5 checksum:   347410 da9fb9aeb4c9891cb5dec62ca9263aaa

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_mipsel.deb
      Size/MD5 checksum:   155772 58c478bc430bd49cece6e748218e6200
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_mipsel.deb
      Size/MD5 checksum:   195330 ca975af25d3362ce4a4c9e19b1d27b50
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_mipsel.deb
      Size/MD5 checksum:   344992 096e665346647e297e943684e7222e5f
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_mipsel.deb
      Size/MD5 checksum:   197846 660f0ba2f884e249d5ffd7302f398a01
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_mipsel.deb
      Size/MD5 checksum:   347270 69c4a6744e74455997a8228566a47f00

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_powerpc.deb
      Size/MD5 checksum:   150276 46c99b85b1faf609147cc111b747841d
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_powerpc.deb
      Size/MD5 checksum:   198830 c8168aa92f4008e2943893fa5ccae820
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_powerpc.deb
      Size/MD5 checksum:   341538 505e633e80f425c8b9422e83997ac07c
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_powerpc.deb
      Size/MD5 checksum:   200916 16d8a96a3fc3b28a7355680fedaef3e8
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_powerpc.deb
      Size/MD5 checksum:   344206 47c92a9a5bbc22637f5fee0223034a97

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_s390.deb
      Size/MD5 checksum:   142414 a30ad94d6ca809d519a088771b31fc1d
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_s390.deb
      Size/MD5 checksum:   199456 c99ca505a026d2b7b01dea1eaeebc4a5
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_s390.deb
      Size/MD5 checksum:   337702 c45bca23bef2f03a03a6e07e37757281
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_s390.deb
      Size/MD5 checksum:   202030 34639f38ecfed22b1b1887a918516dce
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_s390.deb
      Size/MD5 checksum:   341264 c510662e0889b70e73b8e76c568009e6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_sparc.deb
      Size/MD5 checksum:   141382 71ccad065f8a4a21ee8337537e732b90
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_sparc.deb
      Size/MD5 checksum:   191428 aa0a6d650fb2eb6322d2582f7489ed73
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_sparc.deb
      Size/MD5 checksum:   332436 26d15a5c68f2a47a5eccf4ba3b4980fb
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_sparc.deb
      Size/MD5 checksum:   194072 95aa9e357d5dd4f0105e1f7888b9bb4f
    http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_sparc.deb
      Size/MD5 checksum:   334118 a6d05fae692cd60c72b231a78230a38a


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEwP4VXm3vHE4uyloRAmsZAKDNNtLkk8pu74ItZ+FiwvNBCh8XtgCgodBY
aDbnxJJl5wHK/XslepqaJa0=
=vPD4
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ