Debian Bug report logs - #824627: libgd2: CVE-2015-8874
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 18 May 2016 06:24:01 UTC
Severity: important
Tags: fixed-upstream, jessie, patch, security, sid, stretch, upstream
Found in versions libgd2/2.0.36~rc1~dfsg-6.1, libgd2/2.1.0-5
Fixed in versions libgd2/2.2.1-1, libgd2/2.0.36~rc1~dfsg-6.1+deb7u3, libgd2/2.1.0-5+deb8u2
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>: Bug#824627; Package src:libgd2. (Wed, 18 May 2016 06:24:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>. (Wed, 18 May 2016 06:24:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libgd2
Version: 2.1.0-5
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for libgd2.
CVE-2015-8874[0]:
| Stack consumption vulnerability in GD in PHP before 5.6.12 allows
| remote attackers to cause a denial of service via a crafted
| imagefilltoborder call.
It can be reproduced with the testcase from the php commit.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-8874
Please adjust the affected versions in the BTS as needed. I have not
checked older versions than the one in jessie.
Regards,
Salvatore
Added tag(s) sid, jessie, stretch, and wheezy. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 May 2016 18:09:50 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>: Bug#824627; Package src:libgd2. (Thu, 19 May 2016 19:45:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Thu, 19 May 2016 19:45:03 GMT)
Message #12 received at 824627@bugs.debian.org:
Thanks Salvatore,
I'll take care of it tomorrow, and I'll push upstream to release a
bugfix release as well.
Cheers,
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – supplies for baking bread
of all kinds
On Wed, May 18, 2016, at 08:21, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.1.0-5
> Severity: important
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for libgd2.
>
> CVE-2015-8874[0]:
> | Stack consumption vulnerability in GD in PHP before 5.6.12 allows
> | remote attackers to cause a denial of service via a crafted
> | imagefilltoborder call.
>
> It can be reproduced with the testcase from the php commit.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-8874
>
> Please adjust the affected versions in the BTS as needed. I have not
> checked older versions than the one in jessie.
>
> Regards,
> Salvatore
>
> --
> pkg-GD-devel mailing list
> pkg-GD-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-gd-devel
Marked as fixed in versions libgd2/2.2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 May 2016 06:57:08 GMT)
Marked as found in versions libgd2/2.0.36~rc1~dfsg-6.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 May 2016 07:00:08 GMT)
Marked as fixed in versions libgd2/2.0.36~rc1~dfsg-6.1+deb7u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 May 2016 07:00:09 GMT)
Removed tag(s) wheezy. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 May 2016 07:00:12 GMT)
Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 May 2016 07:06:03 GMT)
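The bug header and the control messages above record the versions in which this issue was found and fixed for each suite (wheezy: 2.0.36~rc1~dfsg-6.1+deb7u3, jessie: 2.1.0-5+deb8u2, sid: 2.2.1-1). The practical check an administrator wants from such a log is whether an installed libgd2 is at or past the fix for its line. As an added example that is not part of the bug report or of Debian's own tooling, the following Python script ports dpkg's version-comparison algorithm (digit runs compared numerically, non-digit runs lexically with `~` sorting before everything, including end of string) and applies it to the fixed versions listed here. The rule for choosing which fixed version applies to a given installed version (the fix sharing its epoch and upstream version, otherwise the highest fixed version) is my assumption, not the security tracker's logic; on a Debian host `dpkg --compare-versions` yields the same ordering.

```python
"""Check an installed libgd2 version against the fixed versions this bug
report lists, using a Python port of dpkg's Debian version comparison.
Added example; not part of the bug report or of Debian's tooling."""
from functools import cmp_to_key

# Fixed versions as given in the bug header (wheezy, jessie, sid).
FIXED_VERSIONS = [
    "2.0.36~rc1~dfsg-6.1+deb7u3",
    "2.1.0-5+deb8u2",
    "2.2.1-1",
]


def _order(c):
    """Weight of one character in a non-digit run, as in dpkg: '~' sorts
    before everything (even end of string), letters before other symbols."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _fragment_cmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternating non-digit runs (weighted lexically) and digit runs (numerically)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():  # a's number has more digits, so it is larger
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def debian_version_cmp(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _fragment_cmp(u1, u2) or _fragment_cmp(r1, r2)


def status(installed, fixed_versions=FIXED_VERSIONS):
    """Return 'fixed' or 'vulnerable' for an installed version.
    Assumption (mine, not the tracker's rule): judge against the fixed version
    sharing the same epoch and upstream version (that suite's security update);
    if no such line exists, the version must reach the highest fixed version."""
    epoch, upstream, _ = _split(installed)
    same_line = [f for f in fixed_versions if _split(f)[:2] == (epoch, upstream)]
    key = cmp_to_key(debian_version_cmp)
    target = min(same_line, key=key) if same_line else max(fixed_versions, key=key)
    return "fixed" if debian_version_cmp(installed, target) >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs: the found/fixed versions from this log plus
    # two hypothetical neighbours (2.2.0-1 and 2.2.2-1) to show the fallback rule.
    for v in ["2.1.0-5", "2.1.0-5+deb8u2", "2.0.36~rc1~dfsg-6.1",
              "2.0.36~rc1~dfsg-6.1+deb7u3", "2.2.0-1", "2.2.1-1", "2.2.2-1"]:
        print(f"{v:32} {status(v)}")
```

The comparison deliberately treats `~` as lower than the empty string, which is why `2.0.36~rc1~dfsg` sorts before `2.0.36` and why the `+deb8u2` suffix sorts after the plain `-5` revision: a naive string comparison would get both of these wrong and misreport patch status.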
Reply sent to Ondřej Surý <ondrej@debian.org>: You have taken responsibility. (Fri, 27 May 2016 22:36:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 27 May 2016 22:36:04 GMT)
Message #27 received at 824627-close@bugs.debian.org:
Source: libgd2
Source-Version: 2.1.0-5+deb8u2
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 824627@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 May 2016 10:58:03 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg libgd2-xpm-dev libgd2-noxpm-dev
Architecture: source amd64
Version: 2.1.0-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
libgd-dbg - Debug symbols for GD Graphics Library
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd2-noxpm-dev - GD Graphics Library (transitional package)
libgd2-xpm-dev - GD Graphics Library (transitional package)
libgd3 - GD Graphics Library
Closes: 824627
Changes:
libgd2 (2.1.0-5+deb8u2) jessie-security; urgency=high
.
* [CVE-2015-8874]: Stack consumption vulnerability in GD allows remote
attackers to cause a denial of service via a crafted imagefilltoborder
call (Closes: #824627)
Checksums-Sha1:
ad32ac0e90643d11a81173a90d8b2884ef2cb265 2467 libgd2_2.1.0-5+deb8u2.dsc
66c56fc07246b66ba649c83e996fd2085ea2f9e2 2004304 libgd2_2.1.0.orig.tar.xz
f9c79b74b4d8f6c4a66426f54b934469cfd13302 37612 libgd2_2.1.0-5+deb8u2.debian.tar.xz
d14739fa063d1565cf4a1d1e85bdc077a8522c03 41818 libgd-tools_2.1.0-5+deb8u2_amd64.deb
ba775010d97dbb079a7d468dc943e2b0d0924201 285822 libgd-dev_2.1.0-5+deb8u2_amd64.deb
9d2aee7376988be822b5881eaab018f831c0c8fe 147108 libgd3_2.1.0-5+deb8u2_amd64.deb
0cb56a363a0f91832bc08e55c85e92667c8c12ac 315044 libgd-dbg_2.1.0-5+deb8u2_amd64.deb
7b353152e86a3f1930d75af8a8aab59f1e71eb38 1226 libgd2-xpm-dev_2.1.0-5+deb8u2_amd64.deb
56e3d88360f184fee9f2409a42437a39d4333104 1234 libgd2-noxpm-dev_2.1.0-5+deb8u2_amd64.deb
Checksums-Sha256:
a755508e3802b554c6be318d8fe40847cbc04a1eeb44a28344145ff352a28e0d 2467 libgd2_2.1.0-5+deb8u2.dsc
fa6665dfe3d898019671293c84d77067a3d2ede50884dbcb6df899d508370e5a 2004304 libgd2_2.1.0.orig.tar.xz
fc6c9939b11e4441ceea9f0f7c6741079771b2026da2c2da96d097b8c756d65a 37612 libgd2_2.1.0-5+deb8u2.debian.tar.xz
97279f089a5536844bbeb004d3acd96d6d0b9bdda50f1c802873f329ebabcdbf 41818 libgd-tools_2.1.0-5+deb8u2_amd64.deb
c6486c8ddbc2f7fae11e98e4ff299b5dce06eb63a479c119043c911efdced337 285822 libgd-dev_2.1.0-5+deb8u2_amd64.deb
f0ec46a415b30470ea4736e5d4b512e497fd9eab1f8cac79e1f531d7b5291597 147108 libgd3_2.1.0-5+deb8u2_amd64.deb
35b26b4bb880cc7b04f029648b4b17f40489d2865b002206b8c31a79f76bb8c4 315044 libgd-dbg_2.1.0-5+deb8u2_amd64.deb
f818468b0444379b5ef9cc95025e3929c666f9a8931cb37e3cc40997693b903e 1226 libgd2-xpm-dev_2.1.0-5+deb8u2_amd64.deb
54e405d17d3554dfc5bd9f0f08d93320a36d6d398958af9339c5a7f7468034da 1234 libgd2-noxpm-dev_2.1.0-5+deb8u2_amd64.deb
Files:
8cd8fa15b3427922cc54ba6d92ad0ed3 2467 graphics optional libgd2_2.1.0-5+deb8u2.dsc
03588159bf4faab9079849c8d709acc6 2004304 graphics optional libgd2_2.1.0.orig.tar.xz
6173306342db643359534dc14e2693b7 37612 graphics optional libgd2_2.1.0-5+deb8u2.debian.tar.xz
cb9147730c8a5b753505d6c427cc6baa 41818 graphics optional libgd-tools_2.1.0-5+deb8u2_amd64.deb
147a26fc313b945423a1603c518ea429 285822 libdevel optional libgd-dev_2.1.0-5+deb8u2_amd64.deb
1894d2367bd55c4da93a5cdb9d836f83 147108 libs optional libgd3_2.1.0-5+deb8u2_amd64.deb
46c2d3c5886117efc95a8cffd18cd30e 315044 debug extra libgd-dbg_2.1.0-5+deb8u2_amd64.deb
71105078341d00fe776968a30f4273a1 1226 oldlibs extra libgd2-xpm-dev_2.1.0-5+deb8u2_amd64.deb
af257237ce30b171cd2e3d6c14bd4c93 1234 oldlibs extra libgd2-noxpm-dev_2.1.0-5+deb8u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQJ8BAEBCgBmBQJXPvNmXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw
Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHGoUP/1mWk0Kd9G2jHz49iw+fdYl/
19CeyocbnyoIDDWxGHPVjG4r0U2R2tpbxPRDzql6n1OGRdp3npFroKEbAmXNKOzq
WH05uY4fJsb/yZFSrn0TxcpmupAFmUaRxpiTsb343qeWMT2tZprA84Zqis7OFA+m
8oo2g3WLNJA+9yW3LkOHhHxyH6MRBFqjyELRxYUUVGKWcQd69YErBsHOGXpo0cWg
Adcu5UwAi0O4gSDQvql9ANT/sMndl88khz+GMv3msS1qP+p9CavQI/fN5Sba/942
HDI2HsHlK8TkehelXCDOs2YUBlyBO6RiCR1ezaXUr+3UMUtxk2t9S9s1eSRMT1dP
Um8HVdY+tU+UZ3chPiua9jHOsuBYvjaPe3d1TQ8vhxvtprVN14Y2gXlpBECVTX2L
HAujLEi4uZTTdS9Xw7D8n0TCZuRNtMKWni3u3ZXEBdN19zu3g+fwmKfNpvjeveBo
GsdvCY0a+AeczFomPVtqCYqWJjY3EUN83PqnUeqriWuUY2fjIYDjKhJJMLuiJRRU
PZ/uiy2NwWx5RASXQSY2BtZdBQeZ+HCGZ9EFVmBY5uYKuUs7YQhxbsmXBtxnbR4o
/F+/tAvQqiPT8kdh0b4aDNDvlsyUfA4o9vc6e+kzL8O7ArFShgDa1Yh6ktpQF4D6
YTZbXeZbvGcS3+NVkZ9f
=ZBmt
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2016 07:31:19 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:05 2019; Machine Name: buxtehude