From geissert at debian.org Tue Oct 27 06:38:42 2009
From: geissert at debian.org (Raphael Geissert)
Date: Tue, 27 Oct 2009 00:38:42 -0600
Subject: [pkg-GD-devel] Bug#552534: libgd2: CVE-2009-3546: possible buffer overflow or buffer over-read attacks via crafted files
Message-ID: <200910270038.43192.geissert@debian.org>

Source: libgd2
Version: 2.0.36~rc1~dfsg-3
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for libgd2.

CVE-2009-3546[0]:
| The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the
| GD Graphics Library 2.x, does not properly verify a certain
| colorsTotal structure member, which might allow remote attackers to
| conduct buffer overflow or buffer over-read attacks via a crafted GD
| file, a different vulnerability than CVE-2009-3293. NOTE: some of
| these details are obtained from third party information.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
    http://security-tracker.debian.org/tracker/CVE-2009-3546

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


From atomo64+ddpo at gmail.com Thu Oct 29 05:38:31 2009
From: atomo64+ddpo at gmail.com (DDPOMail robot)
Date: Thu, 29 Oct 2009 05:38:31 -0000
Subject: [pkg-GD-devel] Possible problems in your Debian packages
Message-ID:

This is an automated mail. These mails are sent twice a month.
For more information about these mails, refer to
http://wiki.debian.org/qa.debian.org/DdpoByMail

=== libgd2:

= There are 3 unfixed security issue(s), please fix them.
See http://security-tracker.debian.net/tracker/source-package/libgd2

= 1 bug(s) that should be fixed soon:
 - #552534 libgd2: CVE-2009-3546: possible buffer overflow or buffer over-read attacks via crafted files
   Appears to affect stable, you should fix it for the next point release

= Lintian reports 12 warning(s), you should consider fixing them.
See http://lintian.debian.org/maintainer/pkg-gd-devel at lists.alioth.debian.org.html#libgd2

=== Packages with a new upstream version according to DEHS:

libgd-gd2-noxpm-perl 2.44 (Debian: 2.39-2)
libgd-gd2-perl 2.44 (Debian: 2.39-2)

------------ interesting stuff probably ends here ------------

We are sorry if this mail was useless for you. If you think it was
avoidable (that we can detect easily that the problems weren't
actually problems), please reply to it and let us know.

If you don't want to receive this type of mail any more, you can
reply to this mail and use one of the following commands at the
beginning of the mail:

 - unsubscribe
   You will no longer receive any mail for any package. If you
   received this email because you are subscribed to packages on the
   PTS, this won't remove your PTS subscription.

 - ignore
   You will no longer receive information about that package in those
   mails. So if that package is the only one with problems, you won't
   receive anything.

 - ignore
   You will no longer receive information about this bug.

All commands are manually processed, but you will receive
confirmation. The commands are just here so that we know precisely
what you want.

A more detailed status of your packages is available from the DDPO.
See: http://qa.debian.org/developer.php?login=pkg-gd-devel at lists.alioth.debian.org

Don't hesitate to reply to this mail if you have questions or if you
believe it can be improved. The wiki page will be updated with useful
information.

-- 
DDPOMail, run by Raphael Geissert
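The bug class named in the CVE-2009-3546 report above (a colour count read from an attacker-supplied file that is never compared with the fixed capacity of the palette arrays) is illustrated here by an added C example. This is not libgd's gd_gd.c code and not the real GD file format: the Palette struct, MAX_COLORS, the helper names and the "32-bit big-endian count followed by RGB triples" layout are assumptions constructed for this example. It shows the two checks a loader needs: one against the array capacity (the overflow direction) and one against the bytes actually present in the file (the over-read direction).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative stand-in, not libgd's gd_gd.c. The palette capacity is fixed
 * at compile time, so a count taken from the file must be validated against
 * it before the arrays are filled. libgd's own limit is gdMaxColors (256);
 * the value and the file layout below are constructed for this example. */
#define MAX_COLORS 256

typedef struct {
    int colorsTotal;               /* number of valid palette entries      */
    unsigned char red[MAX_COLORS]; /* fixed-size arrays: the overflow target */
    unsigned char green[MAX_COLORS];
    unsigned char blue[MAX_COLORS];
} Palette;

/* Read a big-endian 32-bit unsigned integer at *pos.
 * Returns 1 on success, 0 if fewer than 4 bytes remain (no over-read). */
static int get_u32_be(const unsigned char *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4)
        return 0;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
         | ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return 1;
}

/* Parse "count (u32 BE) followed by count RGB triples" into *pal.
 * Returns 0 on success, -1 if the input is rejected. */
int read_palette(const unsigned char *buf, size_t len, Palette *pal)
{
    size_t pos = 0;
    uint32_t count;

    memset(pal, 0, sizeof *pal);
    if (!get_u32_be(buf, len, &pos, &count))
        return -1;

    /* The check the CVE text describes as missing: a count larger than the
     * array capacity would otherwise write past red/green/blue. */
    if (count > MAX_COLORS)
        return -1;

    /* The over-read direction: the file must really carry count triples,
     * otherwise the copy loop would read beyond the end of buf. */
    if (len - pos < (size_t)count * 3)
        return -1;

    for (uint32_t i = 0; i < count; i++) {
        pal->red[i]   = buf[pos++];
        pal->green[i] = buf[pos++];
        pal->blue[i]  = buf[pos++];
    }
    pal->colorsTotal = (int)count;
    return 0;
}

/* Constructed sample inputs for the demonstration. */
static const unsigned char good_file[]      = {0, 0, 0, 2, 10, 20, 30, 40, 50, 60};
static const unsigned char oversized_file[] = {0, 1, 0, 0, 1, 2, 3};   /* count = 65536 */
static const unsigned char truncated_file[] = {0, 0, 0, 4, 1, 2, 3};   /* claims 4, carries 1 */

/* Each returns 1 when the loader behaves as intended for that input. */
int demo_good(void)
{
    Palette p;
    return read_palette(good_file, sizeof good_file, &p) == 0
        && p.colorsTotal == 2 && p.blue[1] == 60;
}

int demo_oversized(void)
{
    Palette p;
    return read_palette(oversized_file, sizeof oversized_file, &p) == -1;
}

int demo_truncated(void)
{
    Palette p;
    return read_palette(truncated_file, sizeof truncated_file, &p) == -1;
}
```

The order of the checks matters: the capacity test comes before any arithmetic on count, and the length test uses `len - pos` rather than `pos + count * 3` so that a huge count cannot wrap the comparison. Both rejections happen before the first byte is copied.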