Debian Bug report logs - #372912
libgd2: CVE-2006-2906: infinite loop via malformed gif

Package: libgd2; Maintainer for libgd2 is GD team <pkg-gd-devel@lists.alioth.debian.org>;

Reported by: Alec Berryman <alec@thened.net>

Date: Mon, 12 Jun 2006 13:18:23 UTC

Severity: important

Tags: patch, pending, security

Fixed in versions libgd2/2.0.33-5, libgd2/2.0.33-1.1sarge1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jonas Smedegaard <dr@jones.dk>:
Bug#372912; Package libgd2.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jonas Smedegaard <dr@jones.dk>.

Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgd2: CVE-2006-2906: infinite loop via malformed gif
Date: Mon, 12 Jun 2006 08:01:14 -0500
Package: libgd2
Severity: important
Tags: security patch

CVE-2006-2906: "The LZW decoding in the gdImageCreateFromGifPtr function
in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33
allows remote attackers to cause a denial of service (CPU consumption)
via malformed GIF data that causes an infinite loop."

The original BugTraq posting [1] includes a test case and a crude
patch.  I was unable to compile the test case; gcc complained about
something in the gif data and I was unable to track the error down.

Please include the CVE number in your changelog.

Thanks,

Alec

[1] http://www.securityfocus.com/archive/1/436132





Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#372912; Package libgd2.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.

Message #10 received at 372912@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 372912@bugs.debian.org
Subject: Ubuntu patch
Date: Tue, 13 Jun 2006 11:37:35 +0200
Hi,

you can find the Ubuntu debdiff at

  http://patches.ubuntu.com/patches/libgd2.CVE-2006-2906.diff

Upstream's test cases worked fine for me, BTW (however, I moved the
static gif data declaration to the top).

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #15 received at 372912-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 372912-close@bugs.debian.org
Subject: Bug#372912: fixed in libgd2 2.0.33-5
Date: Sun, 16 Jul 2006 23:50:47 -0700
Source: libgd2
Source-Version: 2.0.33-5

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:

libgd-tools_2.0.33-5_powerpc.deb
  to pool/main/libg/libgd2/libgd-tools_2.0.33-5_powerpc.deb
libgd2-noxpm-dev_2.0.33-5_powerpc.deb
  to pool/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5_powerpc.deb
libgd2-noxpm_2.0.33-5_powerpc.deb
  to pool/main/libg/libgd2/libgd2-noxpm_2.0.33-5_powerpc.deb
libgd2-xpm-dev_2.0.33-5_powerpc.deb
  to pool/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5_powerpc.deb
libgd2-xpm_2.0.33-5_powerpc.deb
  to pool/main/libg/libgd2/libgd2-xpm_2.0.33-5_powerpc.deb
libgd2_2.0.33-5.diff.gz
  to pool/main/libg/libgd2/libgd2_2.0.33-5.diff.gz
libgd2_2.0.33-5.dsc
  to pool/main/libg/libgd2/libgd2_2.0.33-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 372912@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 17 Jul 2006 02:15:53 +0200
Source: libgd2
Binary: libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2-xpm-dev libgd-tools
Architecture: source powerpc
Version: 2.0.33-5
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 libgd-tools - GD command line tools and example code
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 370572 372912 375806
Changes: 
 libgd2 (2.0.33-5) unstable; urgency=low
 .
   * Merge patch 1002 with different approach from ubuntu, and rename as
     1002_CVE-2006-2906 now that the bug (infinite loop in GIF code) has
     an official name. Closes: bug#372912 (thanks to Alec Berryman
     <alec@thened.net> for reporting, and to Martin Pitt
     <martin.pitt@ubuntu.com> for providing a patch).
   * Add patch to switch to Western European fonts (ISO8859-1/ISO8859-15)
     instead of the current Eastern European (ISO8859-2).
   * Add --without-xpm option to configure when compiling -noxpm variant.
     Closes: bug#370572 (thanks to Omniflux <omniflux@omniflux.com>).
   * Indent Homepage string in long descriptions.
   * Add patch 1007 to avoid advertising external libraries in
     gdlib-config script (advertise them in new --static-libs instead).
     Closes: bug#375806 (thanks to Samuel Thibault
     <samuel.thibault@ens-lyon.org>).




Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #20 received at 372912-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 372912-close@bugs.debian.org
Subject: Bug#372912: fixed in libgd2 2.0.33-1.1sarge1
Date: Wed, 30 Aug 2006 23:02:29 -0700
Source: libgd2
Source-Version: 2.0.33-1.1sarge1

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:

libgd-tools_2.0.33-1.1sarge1_powerpc.deb
  to pool/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_powerpc.deb
libgd2-dev_2.0.33-1.1sarge1_all.deb
  to pool/main/libg/libgd2/libgd2-dev_2.0.33-1.1sarge1_all.deb
libgd2-noxpm-dev_2.0.33-1.1sarge1_powerpc.deb
  to pool/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_powerpc.deb
libgd2-noxpm_2.0.33-1.1sarge1_powerpc.deb
  to pool/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_powerpc.deb
libgd2-xpm-dev_2.0.33-1.1sarge1_powerpc.deb
  to pool/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_powerpc.deb
libgd2-xpm_2.0.33-1.1sarge1_powerpc.deb
  to pool/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_powerpc.deb
libgd2_2.0.33-1.1sarge1.diff.gz
  to pool/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.diff.gz
libgd2_2.0.33-1.1sarge1.dsc
  to pool/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.dsc
libgd2_2.0.33-1.1sarge1_all.deb
  to pool/main/libg/libgd2/libgd2_2.0.33-1.1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 372912@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 17 Jul 2006 01:06:53 +0200
Source: libgd2
Binary: libgd2-dev libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2 libgd2-xpm-dev libgd-tools
Architecture: source all powerpc
Version: 2.0.33-1.1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 libgd-tools - GD command line tools and example code
 libgd2     - GD Graphics Library version 2
 libgd2-dev - GD Graphics Library version 2 (development version)
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 372912
Changes: 
 libgd2 (2.0.33-1.1sarge1) stable-security; urgency=high
 .
   * Apply patch to fix infinite loop in GIF code. Closes: bug#372912
     (thanks to Alec Berryman <alec@thened.net> for reporting, and to
     Martin Pitt <martin.pitt@ubuntu.com> for providing a patch).
     Reported as CVE-2006-2906.
   * Include this and the earlier security fix as isolated patches in
     the source:
     + 1001_CAN-2004-0941.patch
     + 1002_CVE-2006-2906.patch




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#372912; Package libgd2.

Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list.

Message #25 received at 372912@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Pierre Joye <pierre.dev@gmail.com>, 368096@bugs.debian.org
Cc: 278625@bugs.debian.org, 372912@bugs.debian.org
Subject: Re: Bug#368096: debian bug 368096
Date: Tue, 02 Jan 2007 18:08:47 +0100
Pierre Joye wrote:
> Hello,
> 
> On 1/2/07, Jonas Smedegaard <dr@jones.dk> wrote:
> 
>> >> While checking the current bug in debian libgd, I found the gnuplot
>> >> one (#368096).
>> >
>> > I forgot to mention that it does not segfault using CVS but using
>> > debian libgd.
>>
>> I am happy to hear that.
>>
>> I was made aware of the new upstream CVS code only a few days ago, but
>> have hesitated switching to that, as I found no mention of fixes to the
>> following publicly announced security issues:
>>
>> CAN-2004-0990: http://bugs.debian.org/278625
> 
> Fixed, there is an overflow2 check now (gd_png.c line 319).
> 
>> CVE-2006-2906: http://bugs.debian.org/372912
> 
> Fixed, see #5 in libgd/ISSUES.

Excellent! Thanks for the confirmation.


>> Please confirm (preferably directly to those bugreports) that the
>> current code in fact is not vulnerable to those issues, and I will be
>> most happy to switch.
> 
> Is it possible to not mix all discussions in one bug report? It
> will be confusing very quickly.

Most certainly.

The intent was indeed for you to not respond here, but at those
respective bugreports instead. I have done it now.

If you reply to this email, then please target only the bugreports
relevant to what you want to comment on. And no need to cc me when
mailing bugreports: The package maintainer automatically gets a copy.

I just want a single public place to place our conversation, and a
single reference in each relevant bugreport to where that place is.



> I'm installing the issues tracker, it
> should be online tonight, I would like to centralize all issues there,
> is it ok for you? (you can obviously keep the debian tracker but it
> will really ease our lives if we centralize gd bugs in the gd
> project).

I will happily use that issue tracker of yours as soon as it is up and
running.

Ideally you should not need to worry about the Debian issue tracker at
all. It is my job as package maintainer to juggle with multiple issue
tracking systems and multiple upstream developers. Not yours as upstream
developer.

Looking forward to your having an issue tracker of your own :-)


 - Jonas

-- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 - Enden er nær: http://www.shibumi.org/eoti.htm



Tags added: pending. Request was from Sean Finney <seanius@alioth.debian.org> to control@bugs.debian.org. (Thu, 21 Jun 2007 16:09:34 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jul 2007 07:25:49 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:38:15 2014; Machine Name: beach.debian.org
