Debian Bug report logs -
#920728
libgd2: CVE-2019-6978
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 28 Jan 2019 15:51:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions libgd2/2.2.4-2+deb9u3, libgd2/2.2.4-2, libgd2/2.2.5-5
Fixed in versions libgd2/2.2.5-5.1, libgd2/2.2.4-2+deb9u4
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/libgd/libgd/issues/492
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, GD Team <team+gd@tracker.debian.org>:
Bug#920728; Package src:libgd2.
(Mon, 28 Jan 2019 15:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, GD Team <team+gd@tracker.debian.org>.
(Mon, 28 Jan 2019 15:51:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Version: 2.2.5-5
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/libgd/libgd/issues/492
Hi,
The following vulnerability was published for libgd2.
CVE-2019-6978[0]:
| The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
| gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c.
| NOTE: PHP is unaffected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-6978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
[1] https://github.com/libgd/libgd/issues/492
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Tue, 29 Jan 2019 03:12:16 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, GD Team <team+gd@tracker.debian.org>:
Bug#920728; Package src:libgd2.
(Sun, 03 Feb 2019 15:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD Team <team+gd@tracker.debian.org>.
(Sun, 03 Feb 2019 15:15:05 GMT) (full text, mbox, link).
Message #12 received at 920728@bugs.debian.org (full text, mbox, reply):
Contol: tags -1 + patch
On Mon, Jan 28, 2019 at 04:50:27PM +0100, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.2.5-5
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/libgd/libgd/issues/492
>
> Hi,
>
> The following vulnerability was published for libgd2.
>
> CVE-2019-6978[0]:
> | The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the
> | gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c.
> | NOTE: PHP is unaffected.
Pending in git as https://salsa.debian.org/debian/libgd2/commit/c2add7d943a34b5e91428cb6b8b94d1fe049640e
Regards,
Salvatore
Marked as found in versions libgd2/2.2.4-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 03 Feb 2019 15:15:08 GMT) (full text, mbox, link).
Marked as found in versions libgd2/2.2.4-2+deb9u3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 03 Feb 2019 15:15:11 GMT) (full text, mbox, link).
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 920645-submit@bugs.debian.org.
(Mon, 04 Feb 2019 20:09:09 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 920645-submit@bugs.debian.org.
(Mon, 04 Feb 2019 20:09:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, GD Team <team+gd@tracker.debian.org>:
Bug#920728; Package src:libgd2.
(Mon, 04 Feb 2019 20:09:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GD Team <team+gd@tracker.debian.org>.
(Mon, 04 Feb 2019 20:09:11 GMT) (full text, mbox, link).
Message #25 received at 920728@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 920645 + pending
Control: tags 920728 + patch
Control: tags 920728 + pending
Dear maintainer,
I've prepared an NMU for libgd2 (versioned as 2.2.5-5.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[libgd2-2.2.5-5.1-nmu.diff (text/x-diff, attachment)]
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Wed, 06 Feb 2019 20:51:26 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 06 Feb 2019 20:51:26 GMT) (full text, mbox, link).
Message #30 received at 920728-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.2.5-5.1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 920728@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 02 Feb 2019 10:55:00 +0100
Source: libgd2
Binary: libgd-dev libgd-tools libgd-tools-dbgsym libgd3 libgd3-dbgsym
Architecture: source
Version: 2.2.5-5.1
Distribution: unstable
Urgency: medium
Maintainer: GD Team <team+gd@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 920645 920728
Description:
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Changes:
libgd2 (2.2.5-5.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977)
(Closes: #920645)
* Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728)
Checksums-Sha1:
42b163af78a87397b20a7990ea69d4d3dbe75c49 2364 libgd2_2.2.5-5.1.dsc
ccaeb4361a9906f09d357522b3544f5ebf60c36c 35292 libgd2_2.2.5-5.1.debian.tar.xz
Checksums-Sha256:
7315bbba389570a702db92aa2283b614efc95d81fe131074e5a8897d07953b98 2364 libgd2_2.2.5-5.1.dsc
69a9110470eefdc6874fcaab7d02b67db43974c3d5e431b8d2f16712ab69af22 35292 libgd2_2.2.5-5.1.debian.tar.xz
Files:
1f8ed6ec471e26a93e806611e2ea47cf 2364 graphics optional libgd2_2.2.5-5.1.dsc
a0cf086212a2573ac07454e950241b43 35292 graphics optional libgd2_2.2.5-5.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxYmj9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EwJsQAIlDZiW+r/e2TJ7SwocSj5Rk9f2lJiuL
G1NSOByoPefEdLUCeZ6o5Gfy4gTEBYEht1YYkbgwj5AhGUyo8Ia5Jego9560tHw+
XG/jLDKFHZp/OeZM9yOA0YYG+MHoowQwgDvyPj3a0t+1hdJrrY6D9nY23hTOAIvZ
qWVBh7kfsvIYXcx+9BT2PVDo2rOnOYSKvqaPDgvOERSPjGy/nCBoRXG5VQPsUbEV
Yfku6ziiwJM/o1OJM7o/VWG4VlSqsvBZNxgG825Lk/Owc25S6IMipCSVDf+LGUMK
PCmPES0hq7cLDkinAjd2AgyluWkkWLEow/DZz0GXwiksBXhlH9WwSm63cNYK/Fnb
ksFb3JdGao8z9SrGsByCNiRnt0lTruGtXL2Vci6doUR5raDNZ8Lw1wH67ecGZx4y
M1VYQjYEgx02VKXQtNIQHRNE7fhnIql8QOSjAphF0A7wjSZ48fIDnLMYKPqt6L+o
u/YnfbUY7/IsKHIJfkYzwpBT2nuBRTqzhQqPjualz91ZNTLRumZ9TuDezbM6XfPz
kInTq7oPlioszAxH9sG+6fFQwHDAwxqSxZmbzLSxrb652Gr/SzUDOBEul/GCsKW0
aVfs0rlAxtYvDV3yeaDkyJbxjLRgbYBwsokd7er6Srm4CvZEC6tZYZ/a43B2l09J
8pPMjNwiLPKP
=9jqn
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 09 Feb 2019 21:51:51 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Feb 2019 21:51:51 GMT) (full text, mbox, link).
Message #35 received at 920728-close@bugs.debian.org (full text, mbox, reply):
Source: libgd2
Source-Version: 2.2.4-2+deb9u4
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 920728@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 02 Feb 2019 10:49:03 +0100
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source
Version: 2.2.4-2+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 920645 920728
Description:
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Changes:
libgd2 (2.2.4-2+deb9u4) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977)
(Closes: #920645)
* Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728)
Checksums-Sha1:
fab60b8ba18d41caa1ede6f9c629b0fb023f9b80 2346 libgd2_2.2.4-2+deb9u4.dsc
f2825f40ee181d22ac7c7a332662980f52484377 30244 libgd2_2.2.4-2+deb9u4.debian.tar.xz
Checksums-Sha256:
10d21c630e27d5984d71ee8c9df57431438f4f9198975d27070f36f4b3bb1351 2346 libgd2_2.2.4-2+deb9u4.dsc
99207705ac51c2e6ec915987531feadfbd5ab3fabd6c97998501d866443f88ef 30244 libgd2_2.2.4-2+deb9u4.debian.tar.xz
Files:
8caef9413ab03bc2a0dc20e372fea579 2346 graphics optional libgd2_2.2.4-2+deb9u4.dsc
7070ecdee544d47e607f223374593af4 30244 graphics optional libgd2_2.2.4-2+deb9u4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxVaJhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EyNoP/1IXf8pwuoK04SRlYxiHYdwqCVVnVGSX
bRmWaQUxLd4LHg4t6Pj2hS/mWNIg/DXfTIOrab/VTxjqFUEKgQjw4OOweUz9bz3q
Gz9lUYcSInCExy/3UX6EYydOm6F/UzznCku+vFpIfUdHy9wKfXDqIe22euPpZfSi
6benz08PYbJ1NM++2PnUIZ8iWl5Ulbp9p7wYTPiXRUFfvKKsgPWsBdbHAo9I0jUW
B8qxVc+QjZKGHqttTiG7X4IYn2eDZMBnWAslbGn/lxiUxUjUey0gElfX4MaxvjAZ
k5Fx0UlD8zRjlrwjKG2PwZx4BBNhGuDQmJtzhfyFpZpckctNIZ0fyQxRHy00VpBI
+BXcqkDvuBYNXoS7vDNGBqxjvizDmWuUMYTp8MxZYu5OmfU+IfI+sF5WC2ooocMq
Emczm06rBPqAOC/j3sCJkK3jSqpNUG2EKI7LUioIBlKNfeRCeymE6VrIv2HpE+y2
azKNKzExePHsL3vONRAmENxTJjjH1MN4SPk+Ms675lb6s6s5IETcuRHAasb+Y4mQ
w+iWVIRLjSlhfR8D6VUnpF/9jlLgmY6kKbs6plOpH8IaEpUfYzVX25Gs8+ohJWq2
mt0jnJ2uNCXTvFOJaAqhSYt9OTcQkpHTCUPPk28oE0N/fvSwBI6gtEgDWkNpS+tJ
HJo8aLmJllgb
=yNy+
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 12 Mar 2019 07:26:53 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:41:18 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon