Debian Bug report logs - #408982
CVE-2007-0455: libgd2: "gdImageStringFTEx()" Denial of Service

version graph

Package: libgd2; Maintainer for libgd2 is GD team <pkg-gd-devel@lists.alioth.debian.org>;

Reported by: Alex de Oliveira Silva <enerv@host.sk>

Date: Mon, 29 Jan 2007 18:03:07 UTC

Severity: important

Tags: security

Found in versions 2.0.33-5.2, 2.0.33-6

Fixed in versions 2.0.34-1, libgd2/2.0.33-5.2etch2

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#408982; Package libgd2. Full text and rfc822 format available.

Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alex de Oliveira Silva <enerv@host.sk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-0455: libgd2: "gdImageStringFTEx()" Denial of Service
Date: Mon, 29 Jan 2007 14:52:45 -0300
[Message part 1 (text/plain, inline)]
Package: libgd2
Version: 2.0.33-6
Severity: important
Tags: security

Maybe the libgd2 is affected with this vulnerability.

The vulnerability is caused due to an error within the
"gdImageStringFTEx()" function in gdft.c, which can be exploited to
increment the terminating NULL of a string, potentially resulting in a
buffer overflow.

Successful exploitation requires that a JIS-encoded font is used.

Solution:
Do not use JIS-encoded fonts with an application using GD Graphics
Library.

Patch:
Exist one patch in Red Hat to solve it.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224607
patch attached in email.


Note:
Please mention the CVE id in the changelog.



regards,
-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 
[libgd2.patch (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#408982; Package libgd2. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. Full text and rfc822 format available.

Message #10 received at 408982@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 425978@bugs.debian.org, 408982@bugs.debian.org, 426100@bugs.debian.org, 425754@bugs.debian.org, 425584@bugs.debian.org
Subject: patch for security issues
Date: Tue, 29 May 2007 23:08:53 +0200
[Message part 1 (text/plain, inline)]
hi,

i previously emailed jonas tonight with a patch that can be used to 
incorporate fixes for the above bugs in etch.  for posterity, here it is.  i 
hear there are going to be a few more security issues surfacing in the near 
future, so i won't be sending this to the security team yet, but if i haven't 
heard a request not to do so i will probably do so after the other issues are 
dealt with.


	sean
[libgd2_2.0.33-5.2etch1.interdiff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 2.0.33-5.2. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 12 Aug 2007 22:39:08 GMT) Full text and rfc822 format available.

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 05 Dec 2009 22:18:03 GMT) Full text and rfc822 format available.

Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:18:03 GMT) Full text and rfc822 format available.

Message #17 received at 408982-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 408982-close@bugs.debian.org
Subject: Bug#408982: fixed in libgd2 2.0.33-5.2etch2
Date: Sat, 05 Dec 2009 22:15:03 +0000
Source: libgd2
Source-Version: 2.0.33-5.2etch2

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:

libgd-tools_2.0.33-5.2etch2_i386.deb
  to main/libg/libgd2/libgd-tools_2.0.33-5.2etch2_i386.deb
libgd2-noxpm-dev_2.0.33-5.2etch2_i386.deb
  to main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch2_i386.deb
libgd2-noxpm_2.0.33-5.2etch2_i386.deb
  to main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch2_i386.deb
libgd2-xpm-dev_2.0.33-5.2etch2_i386.deb
  to main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch2_i386.deb
libgd2-xpm_2.0.33-5.2etch2_i386.deb
  to main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch2_i386.deb
libgd2_2.0.33-5.2etch2.diff.gz
  to main/libg/libgd2/libgd2_2.0.33-5.2etch2.diff.gz
libgd2_2.0.33-5.2etch2.dsc
  to main/libg/libgd2/libgd2_2.0.33-5.2etch2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 408982@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 10 Nov 2009 10:15:53 +0100
Source: libgd2
Binary: libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2-xpm-dev libgd-tools
Architecture: source i386
Version: 2.0.33-5.2etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libgd-tools - GD command line tools and example code
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 408982 552534
Changes: 
 libgd2 (2.0.33-5.2etch2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3546: possible buffer overflow or buffer over-read attacks
     via crafted files (Closes: #552534)
   * Fixed CVE-2007-0455: Buffer overflow in the gdImageStringFTEx function in
     gdft.c (Closes: #408982)
Files: 
 c143f788dec8bc93ba7d80532600e09c 988 libs optional libgd2_2.0.33-5.2etch2.dsc
 d2f4b2221cb0e05063f85157711638c7 301479 libs optional libgd2_2.0.33-5.2etch2.diff.gz
 be7a5db664baec27428b8092acd942a9 143160 graphics optional libgd-tools_2.0.33-5.2etch2_i386.deb
 c6374428f8f2fc3c56cca141fda12267 335496 libdevel optional libgd2-xpm-dev_2.0.33-5.2etch2_i386.deb
 16b228575857c08de542a1679bcde839 333956 libdevel optional libgd2-noxpm-dev_2.0.33-5.2etch2_i386.deb
 faa4e27f258d87a2d6716a1c7522ae96 198922 libs optional libgd2-xpm_2.0.33-5.2etch2_i386.deb
 70de99f091a5ca73c3a9e14735a7f715 197048 libs optional libgd2-noxpm_2.0.33-5.2etch2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr5MsYACgkQNxpp46476aqq6wCaAl5wT78dAZwx3hpBD7SrY2pJ
IuoAnA4gD0PWKDsmW3xLehwzm9CMT+Iz
=FrTS
-----END PGP SIGNATURE-----





Bug Marked as fixed in versions 2.0.34-1. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2011 19:27:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Aug 2011 07:39:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:36:49 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.