Debian Bug report logs -
#869263
libgd2: CVE-2017-7890: Buffer over-read into uninitialized memory
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 22 Jul 2017 07:15:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions libgd2/2.1.0-5, libgd2/2.2.4-2
Fixed in versions libgd2/2.2.4-2+deb9u1, libgd2/2.1.0-5+deb8u10, libgd2/2.2.5-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/libgd/libgd/issues/399
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#869263; Package src:libgd2.
(Sat, 22 Jul 2017 07:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>.
(Sat, 22 Jul 2017 07:15:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Version: 2.2.4-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libgd/libgd/issues/399
Hi,
the following vulnerability was published for libgd2.
CVE-2017-7890[0]:
Buffer over-read into uninitialized memory
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890
[1] https://github.com/libgd/libgd/issues/399
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions libgd2/2.1.0-5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Jul 2017 07:21:02 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Thu, 10 Aug 2017 17:33:26 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#869263; Package src:libgd2.
(Sat, 12 Aug 2017 06:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>.
(Sat, 12 Aug 2017 06:03:02 GMT) (full text, mbox, link).
Message #14 received at 869263@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: severity -1 grave
Control: tags -1 + patch
Hi Ondrej,
I uploaded the attached two debdiffs to security-master for jessie-
and stretch-security.
I wanted to propose as well a NMU unstable, so it's not unfixed there,
but currently libgd2 FTBFS.
Would it be possible to import those in the packaging repository? I
was not entirly sure how you want the respective branches created
(guess just branch upstream-stretch and master-stretch from respective
tags).
Regards,
Salvatore
[libgd2_2.1.0-5+deb8u10.debdiff (text/plain, attachment)]
[libgd2_2.2.4-2+deb9u1.debdiff (text/plain, attachment)]
Severity set to 'grave' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 869263-submit@bugs.debian.org.
(Sat, 12 Aug 2017 06:03:02 GMT) (full text, mbox, link).
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 869263-submit@bugs.debian.org.
(Sat, 12 Aug 2017 06:03:03 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 12 Aug 2017 15:03:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 12 Aug 2017 15:03:05 GMT) (full text, mbox, link).
Message #23 received at 869263-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.2.4-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 869263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Aug 2017 07:14:26 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source
Version: 2.2.4-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 869263
Description:
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Changes:
libgd2 (2.2.4-2+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading
(Closes: #869263)
Checksums-Sha1:
792f19c28ea6175d1147a76bdb3438667a058b1f 2346 libgd2_2.2.4-2+deb9u1.dsc
67779817d7aecb94594c43ace949af350ca1df7f 2478528 libgd2_2.2.4.orig.tar.xz
fb9090605c55068b90699239a3f5ccd536a3989d 25408 libgd2_2.2.4-2+deb9u1.debian.tar.xz
Checksums-Sha256:
59270d7fd871175c1222a19e0a7444fed9c1724df7ceaf9ec817cd49bc51cc1a 2346 libgd2_2.2.4-2+deb9u1.dsc
137f13a7eb93ce72e32ccd7cebdab6874f8cf7ddf31d3a455a68e016ecd9e4e6 2478528 libgd2_2.2.4.orig.tar.xz
d7570a7365c923fb0b00966d1a937a9a63d5fce013bd05f427f3bcc48730c5b7 25408 libgd2_2.2.4-2+deb9u1.debian.tar.xz
Files:
0312a1c353520cfa53f569a1243687d6 2346 graphics optional libgd2_2.2.4-2+deb9u1.dsc
a244855a323a3ea1975d708eb1e12b7a 2478528 graphics optional libgd2_2.2.4.orig.tar.xz
d0fbe980f85008522df7b49ce6a70d49 25408 graphics optional libgd2_2.2.4-2+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlmOlY9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ETXYP+wbjvp57uRPB6fhFriFQ0uPfs3HlXtHp
j6Mav0Y1zokkXeVUgoZ+9s6sNqmSVB74cNHOxrNUUhKRhoA4nCDpExVM0Gy6qyiw
3tX3jQOXJPBQJPPEtgJpPch8Essu9bGlDiGmbBPvQJIr+7WxMosfmfrNwvbCA9Ij
shs7i1n3eIRinVfESHC8xJuQo84//dY+wV/cZjivbJxxf45aedzfknt7ugTYgKzI
2iXzKMVRtJQIIyxYIvEciX6scInsgepmevJP7Rf6ud5voGIMZ/bng5ovNeF+oZLK
93mcykoy2y++5rnTuplOKOvW8Zqoe6kZ+2pOe5Tcs1aSh74qRVr7UwWPncsoIQNB
x4FAuwXeORAIQ8A9CCXwihTRQEFAC/cymdQgmEq8XPKsL+iWd2lin8/etn0i0V+R
lSFM4k9r8Lsk4BZ6B3XJRqU3GGqXDTS0j3KBlDzykXr1aAA/PabQNvyMW2Q7QAJj
rpTBNWDNwVaatQ+Ev8EKNOCekxLmmzdQg8wUrS5USUJ+I2no3b8HjnkNHUAnafQk
ZIwTu90gdnE4pSrAOXp7jAi/w6FXkmU/CMqVOXSfTChqrAuXG/i1e14902oL8+jz
brWraN+zwiSl1lSCZXflL5/vltUvjOekHe5jXLpK6I+xBYwHsrFtQE+W7zXJpkw2
mcHWeE/OGkW5
=7iRt
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 12 Aug 2017 15:03:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 12 Aug 2017 15:03:08 GMT) (full text, mbox, link).
Message #28 received at 869263-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.1.0-5+deb8u10
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 869263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Aug 2017 06:15:41 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg libgd2-xpm-dev libgd2-noxpm-dev
Architecture: source
Version: 2.1.0-5+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 869263
Description:
libgd-dbg - Debug symbols for GD Graphics Library
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd2-noxpm-dev - GD Graphics Library (transitional package)
libgd2-xpm-dev - GD Graphics Library (transitional package)
libgd3 - GD Graphics Library
Changes:
libgd2 (2.1.0-5+deb8u10) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading
(Closes: #869263)
Checksums-Sha1:
6b471163b732b336ff19a052230c75a8fd553893 2510 libgd2_2.1.0-5+deb8u10.dsc
9b0e83c48a8edb727982d7a4d35b7adf709d137b 38344 libgd2_2.1.0-5+deb8u10.debian.tar.xz
Checksums-Sha256:
a382d058da161bf93b31142d0e8b618dc9a3502917fa72de00c6c38eb6ce5d12 2510 libgd2_2.1.0-5+deb8u10.dsc
c8ced061a104ed1d162996ff76ce442bf85cfc14ccf116af774da7857309c53d 38344 libgd2_2.1.0-5+deb8u10.debian.tar.xz
Files:
3bbea5b0f884ece5786d4b7fd431af5c 2510 graphics optional libgd2_2.1.0-5+deb8u10.dsc
f1a2511ce95eae332d69203e23b97d5d 38344 graphics optional libgd2_2.1.0-5+deb8u10.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlmOlodfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ELlYP+QHMRx2fRGHrMRBgPszvF+HMF6lbhyG6
Tw21pHJUAEgYLMsC4MZWD6+zp8P5by3C7TXklW7xIo8npMdodWXfvaMW67Kcut2l
PLFzesHOd/IUCOmbj+43Qgu75kw1XL8kt+C7Gc355h4Ban2ZWROnAin6aVWmMI+/
hfH+RCeLHvxOISldib0pMVTIKCduwTVD/toA28XQj0CkOPg+lJg2b+wzWCfVyCI3
5koWwPfaMrjisnuL3qbeqPfLwmFO761d6T+qNdnag1cFOfEpokmzKBEIOs9gI/Wn
ZcXRVJFe3cs1ft5nXkTnkWgeCF586APdXhO4ZH7ElFbJ2Fav/eKoE60kR19n7LLM
RVTOqvZTLbkEUBlX8Now35Nd2qbumh0Fw8Dz7SMfCZYlEsy6vlcYPszk5hI9gGaU
LuxIfNuBWZdsxljJq6Ow0J7azQ3Hqo2oHF1yNs2xuF8pwrbYTifWJuDY1UeU8JS9
eGQfPtVljCNL9TB3YSVujL/ZdWpopuG5iVa4ECpwXb2OGuTqJ8TM3XzNYvhsO9/U
4HsZQzAHmDIwJ8rWj9lwyRBe8mTDz5Acb1h/0DC7Ev5UVDEdk0pS/GleDS0g/56M
fPkMYL/BaXKSTUK33+19Ni3EGqGUiF0dVeKwfBcOnRoV9Kr8WOFe9p8VERtt3qR4
8xTGdhX6WPyu
=RQob
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#869263; Package src:libgd2.
(Wed, 30 Aug 2017 15:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>.
(Wed, 30 Aug 2017 15:03:03 GMT) (full text, mbox, link).
Message #33 received at 869263@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.2.5-1
On Sat, Jul 22, 2017 at 09:11:15AM +0200, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.2.4-2
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/libgd/libgd/issues/399
>
> Hi,
>
> the following vulnerability was published for libgd2.
>
> CVE-2017-7890[0]:
> Buffer over-read into uninitialized memory
This one is fixed with the 2.2.5-1 upload to unstable.
Regards,
Salvatore
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Wed, 30 Aug 2017 15:03:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 30 Aug 2017 15:03:08 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 19 Oct 2017 07:29:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:34:29 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon