Debian Bug report logs -
#822242
libgd2: CVE-2016-3074: Signedness vulnerability causing heap overflow
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Apr 2016 12:36:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions libgd2/2.1.1-4, libgd2/2.0.36~rc1~dfsg-1
Fixed in versions libgd2/2.1.1-4.1, libgd2/2.1.0-5+deb8u1, libgd2/2.0.36~rc1~dfsg-6.1+deb7u2
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#822242; Package src:libgd2.
(Fri, 22 Apr 2016 12:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>.
(Fri, 22 Apr 2016 12:36:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Version: 2.1.1-4
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for libgd2.
CVE-2016-3074[0]:
Signedness vulnerability causing heap overflow
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3074
[1] https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
Please adjust the affected versions in the BTS as needed.
Salvatore
Marked as found in versions libgd2/2.0.36~rc1~dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 23 Apr 2016 08:33:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#822242; Package src:libgd2.
(Sat, 23 Apr 2016 14:33:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>.
(Sat, 23 Apr 2016 14:33:08 GMT) (full text, mbox, link).
Message #12 received at 822242@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Ondrej and GD team,
On Fri, Apr 22, 2016 at 02:32:54PM +0200, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.1.1-4
> Severity: grave
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for libgd2.
>
> CVE-2016-3074[0]:
> Signedness vulnerability causing heap overflow
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-3074
> [1] https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
I prepared an upload for wheezy- and jessie-security, and attached is
a debdiff for sid as well.
I can upload to unstable with a NMU if needed as well.
Regards,
Salvatore
[libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.debdiff (text/plain, attachment)]
[libgd2_2.1.0-5+deb8u1.debdiff (text/plain, attachment)]
[libgd2_2.1.1-4.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 23 Apr 2016 18:09:15 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 23 Apr 2016 18:09:15 GMT) (full text, mbox, link).
Message #17 received at 822242-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.1.1-4.1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 822242@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 Apr 2016 10:49:43 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg
Architecture: source
Version: 2.1.1-4.1
Distribution: unstable
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 822242
Description:
libgd-dbg - Debug symbols for GD Graphics Library
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Changes:
libgd2 (2.1.1-4.1) unstable; urgency=high
.
* Non-maintainer upload (with Ondrej's approval directly uploaded)
* CVE-2016-3074: Signedness vulnerability causing heap overflow
(Closes: #822242)
Checksums-Sha1:
5b1cc784189ce843102c8463dd603b098d6d7ae0 2203 libgd2_2.1.1-4.1.dsc
94c303831087e5b9806a473e9edea4e4722a33f5 24152 libgd2_2.1.1-4.1.debian.tar.xz
Checksums-Sha256:
9076b9fe1ad485ebdf718a843e252fdcd7a045446692093f061e578e4d57f4b7 2203 libgd2_2.1.1-4.1.dsc
ce2051fcdb161e4f780650ca76c3144941eb62e9d186e1f8cd36b6efd6fedea0 24152 libgd2_2.1.1-4.1.debian.tar.xz
Files:
c8f9ec873eae7de41ab86e119a9bf533 2203 graphics optional libgd2_2.1.1-4.1.dsc
4e979e4846dec3817b5cc8bde6aeaf44 24152 graphics optional libgd2_2.1.1-4.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXG7YiAAoJEAVMuPMTQ89E1dIP+wWxZzidLNS162nqYYAfUAcN
A1dWNCieSQXsk16cKLKlI0XV2Zh4ogbG6kcwROSBzRJGL0x3Q3BiHEurGQMdelgP
5heUVNUettAblVipOsGQOblJOsg5AVM+inLn4r/NZadbXw14FWTY7jW7DSRu06Ky
WslTgmZR/eNyd8hoJP083rJ/GoSTT+KwdbPj9BlPmdNZaZix7TjEi7nLce4JisTV
3Ft1Xq/QEM4PsuIFcatT4bme7O68LJt4mWOBxSBTSMJVv29pGDB8RGxAf9RTCB8/
YcUCCrcBBUY177f9j3i9IMKkYntiCilBUzicPPLgO7gJxz1KI3pUfz27QcbWjB7j
L2yIfV/PXbQAj366HP4RqCpi8y2K8Vk0t2E3cedIJK0TDWZkzVDGYErAoDY9KSY6
9kTLtvu5XKooh4o0zNHiFzjcONwX3bPMtA+tgeqOWOesVKGYJ8LGaZCGs8a+ITRF
1pxh4wK8A1juSFRlBcI6bxgOPHW+KWzwNRSZEv/uvMzFXb8DtsvjNHUO3SvCPHsX
rHDPp6MFmktvdPPQtzcV0fc7rurYogB2/Ab6GwLaKHBksLWL2Gu6iR9rWw4FimQV
5b7a5fNJtfxp+LfmDSg0W0uqVQ0pPq1zJhHZ9vFciQNxBtWWRBTGpgLAibh5LYK3
F3bOPP3EXsF6R0CBr+Kx
=/pdr
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 24 Apr 2016 16:21:28 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 24 Apr 2016 16:21:28 GMT) (full text, mbox, link).
Message #22 received at 822242-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.1.0-5+deb8u1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 822242@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 Apr 2016 11:19:01 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3 libgd-dbg libgd2-xpm-dev libgd2-noxpm-dev
Architecture: source
Version: 2.1.0-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 822242
Description:
libgd-dbg - Debug symbols for GD Graphics Library
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd2-noxpm-dev - GD Graphics Library (transitional package)
libgd2-xpm-dev - GD Graphics Library (transitional package)
libgd3 - GD Graphics Library
Changes:
libgd2 (2.1.0-5+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-3074: Signedness vulnerability causing heap overflow
(Closes: #822242)
Checksums-Sha1:
0ce203a0e673e5cea5793cbe46b04d81d18c7140 2337 libgd2_2.1.0-5+deb8u1.dsc
66c56fc07246b66ba649c83e996fd2085ea2f9e2 2004304 libgd2_2.1.0.orig.tar.xz
11f950bcd96a0001fe0505924945b4c226cb454a 37348 libgd2_2.1.0-5+deb8u1.debian.tar.xz
Checksums-Sha256:
19027b8f14e74783aa2c4f937ffab2827de12a39346da264f97fb53dd96797cd 2337 libgd2_2.1.0-5+deb8u1.dsc
fa6665dfe3d898019671293c84d77067a3d2ede50884dbcb6df899d508370e5a 2004304 libgd2_2.1.0.orig.tar.xz
7dc2c1f4accd5025f87a280011b5694cf809e588be69ae1a07820772c44871fa 37348 libgd2_2.1.0-5+deb8u1.debian.tar.xz
Files:
8a1317e01d18d11b16ffc463a784e909 2337 graphics optional libgd2_2.1.0-5+deb8u1.dsc
03588159bf4faab9079849c8d709acc6 2004304 graphics optional libgd2_2.1.0.orig.tar.xz
62a2b1ddcbdd3b57d5402c3a70c404ae 37348 graphics optional libgd2_2.1.0-5+deb8u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXGz74AAoJEAVMuPMTQ89EiOYP/jWZzmV90W0tSXTo26gG7Yh5
P8VE4xvTKbSvvMUzI7fU7kVB0NcjSN+f0rnNoBYseqURjUHueOzRYfppt7hI/jEP
CUfoVNArytAv0YR8TywieERhDiZUlQHY6JEX1eW9ebdxi6rt3Oly673sqw7GmY9H
xhDDMgZnvLu9ZYNDxY+HAZdu5w+z5jYr0y+yVtgj5g9TrMV3lswS/PVBOYXco0X4
Ftv4dLZ8o4mk9ojD8Znh80uIPPnGzM4VT0tU/UlszGteXSQ60UR7fYQChFJP34eT
KGapw0KtyIvZhH/frfaZnhPqfbVxv4la9j4t8xJDjsqXNSNOjY7gamJx4fhFAPbe
MzyIcQ3yXMLsj6KVqf4yo4eiaBkrgDfc5RYgKXOT1vX2p6ofiTDC1/eVl23ZyPkk
grvD4OCwaaxJLVCQFBybmAnk3tqH5h4T4Xc5UNpu1ia/kG0Xq1cidF49jBCfHg2j
JgcphSgUgMi29TqmKUPkTWNyE52rtO/fo4cNq226PQymqN9XTUZzB7lkSr+p+keo
MrR54cCrExNLnNPPthyBOVAd2oITCux4bk0q5QlDTKJz23wdpzAKbqJN6omI7aRz
n9ijM1ERuNNHhNvSFxxFB3TAUQxFn/Kqqzg/iebWs0o/JfADaNZk7ZUKjXWMQCPI
ocm6obwJT0Fv5yHSldon
=KAFT
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Mon, 25 Apr 2016 22:21:36 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 25 Apr 2016 22:21:37 GMT) (full text, mbox, link).
Message #27 received at 822242-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.0.36~rc1~dfsg-6.1+deb7u2
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 822242@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 Apr 2016 11:39:20 +0200
Source: libgd2
Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm
Architecture: source amd64
Version: 2.0.36~rc1~dfsg-6.1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libgd-tools - GD command line tools and example code
libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
libgd2-xpm - GD Graphics Library version 2
libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 822242
Changes:
libgd2 (2.0.36~rc1~dfsg-6.1+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-3074: Signedness vulnerability causing heap overflow
(Closes: #822242)
Checksums-Sha1:
619c3503f0e67cc84665423e1dc7169f99bdfec0 2411 libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.dsc
090329d88b9b028f5ab65f9c92f7b96daa8f5ab7 28717 libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.debian.tar.gz
8d681d996b1a1606b8f80e895e94f5ec23648845 169556 libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
70f5628e1247004304f36fb07a2e52e8120a7fa3 374904 libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
7d3da06d94fa42160c5beb99b6c81572ff5a2d4c 372156 libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
2c038c10404b049adc852c84575b2feba7d7b337 233568 libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
868001e4c47528bfcfebd11ccaf45a206b5064e7 231158 libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
Checksums-Sha256:
8c3d01be1f7528a164efe063c8df17e869a9a6b3c9ca0e786f3671d09100ea8d 2411 libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.dsc
f32001406f86bda78f5a194457c9d7107ad7a4a141d3305067448918653c05d5 28717 libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.debian.tar.gz
43f80cf1a9b9b11df62609b2ad95932f61dbee6614adb483dbccca72d12f2e13 169556 libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
552f54c73b0037cbabb36eb86d235dd968e140affeb10010f629b06d6aaf7c8d 374904 libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
ee8500868c8d83ba49454b9439a73654e188d030cb3880745bab33483b34ba6a 372156 libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
1eb39b4cfbf297fe7cc6276ef03d9eb1ed642c21e38335067ee8478a7f7ca184 233568 libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
eb0a541721592ca50f585883db003c5e9b27b5207c62b66110ed5fcedc72397a 231158 libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
Files:
3b496b087c4391d947191bad5db23f9a 2411 graphics optional libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.dsc
312db3cafcd933e16ef7e85ae2e5d048 28717 graphics optional libgd2_2.0.36~rc1~dfsg-6.1+deb7u2.debian.tar.gz
561e3a85bbeafaee0c40bf4857e9c1b2 169556 graphics optional libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
c4ff026d99dead953e5439ada01248c0 374904 libdevel optional libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
753b67bb8a3e5762762a8f9bcc92e711 372156 libdevel optional libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
a713e5b5086a9e5f7164ce08abdc7fcd 233568 libs optional libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
a5383078f1bf3fede03b3f80acb5a57f 231158 libs optional libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXG4PsAAoJEAVMuPMTQ89EW/UP/2e04vVcbuqtkgmll9iBeTjp
wC3PQWJpror2lDMmkUlCbt6zmgGgrf87Ufrc1WjKY0hy0wME2FbCMDH8DW7YUk0h
dv+kpZEZxG8hKnoFUAoY/Wn+CitIsdmceh41FaU3qhI5BZBt1/t3Z+iHdhis0Kcz
zjMoEPK9+pYakfSeK2fvFElFRjyOGjLt5Lk29uown6CI+FSjW6AnYtPENlfNJwJb
Vlp2abqLTyS8iRHSkHTfKuxuthJQMyOMLrquRLxFCdU+Zevvy3NoH6Eoim4/e28I
exyLN9y3IzCR4lZaZ1Kcpo2bpP1GmF18Q05R1H50t2WUKUIiMGudNiH0B49AfYDq
LQZUGtO9YBK70Mi5VwvdEFTva8LWvYPsY8Ay1x7toyhh05ekbUsr3pvab9KQ8wHe
4RXuMcTbR1rFoJXBs8NXy90teFbDa3cco5g0s/TFRscIYEYQmEdoy2igLFCcW0v/
B/vBCLSgRMxb7ZtnMq4hSUCss9tzx1Q/svuKMJkKKJttadwxhTghbnfUg24nvxYk
jg+SsoI1DXHR4a9WAOtjuxH9N1DMQGW79FfVm8CWLYb4ek75cphppcOXXkNDil7T
5CT1t5mEkHbGM9DuaGT7WBzgZrsYaR0viv/zxyPd6hnZ7VScXPEa3rOdqoYcVALn
uiVpDyZoH4Fixcv3nQ5/
=fgJf
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 26 Jun 2016 07:32:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:31:47 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon