Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, GD Team <team+gd@tracker.debian.org>: Bug#929821; Package src:libgd2.
(Fri, 31 May 2019 20:45:04 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, GD Team <team+gd@tracker.debian.org>.
(Fri, 31 May 2019 20:45:04 GMT)
Marked as found in versions libgd2/2.2.4-2+deb9u4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 31 May 2019 20:45:04 GMT)
Marked as found in versions libgd2/2.2.4-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 31 May 2019 20:45:05 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, GD Team <team+gd@tracker.debian.org>: Bug#929821; Package src:libgd2.
(Tue, 11 Jun 2019 14:57:03 GMT)
Acknowledgement sent
to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to GD Team <team+gd@tracker.debian.org>.
(Tue, 11 Jun 2019 14:57:03 GMT)
Hello,
Salvatore Bonaccorso wrote:
> The following vulnerability was published for libgd2.
>
> CVE-2019-11038[0]:
> Uninitialized read in gdImageCreateFromXbm
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
While working on a libgd2 update for Jessie LTS, I prepared a patch that
fixes this bug for unstable as well. If nobody objects, I would go ahead
with an NMU to get this CVE fixed in time for Buster, ok?
The patch (created with `git format-patch`) is attached.
I also sent the patch upstream: https://github.com/libgd/libgd/pull/503
Cheers
jonas
Information forwarded
to debian-bugs-dist@lists.debian.org, GD Team <team+gd@tracker.debian.org>: Bug#929821; Package src:libgd2.
(Tue, 11 Jun 2019 15:57:03 GMT)
Acknowledgement sent
to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to GD Team <team+gd@tracker.debian.org>.
(Tue, 11 Jun 2019 15:57:03 GMT)
Jonas Meurer wrote:
> Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libgd2.
> >
> > CVE-2019-11038[0]:
> > Uninitialized read in gdImageCreateFromXbm
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> While working on a libgd2 update for Jessie LTS, I prepared a patch that
> fixes this bug for unstable as well. If nobody objects, I would go ahead
> with an NMU to get this CVE fixed in time for Buster, ok?
>
> The patch (created with `git format-patch`) is attached.
>
> I also sent the patch upstream: https://github.com/libgd/libgd/pull/503
After uploading patched libgd2 to jessie and stretch, I also decided to
go ahead with the NMU to unstable.
I just uploaded libgd2 2.2.5-5.2 to the DELAYED-1 queue. Once it's been
accepted into unstable, I'll file an unblock request to get it into Buster.
I also pushed all three updates to the packaging Git repo at
https://salsa.debian.org/debian/libgd2
Cheers
jonas
Source: libgd2
Source-Version: 2.2.5-5.2
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 929821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Meurer <jonas@freesources.org> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 11 Jun 2019 16:21:57 +0200
Source: libgd2
Architecture: source
Version: 2.2.5-5.2
Distribution: unstable
Urgency: high
Maintainer: GD Team <team+gd@tracker.debian.org>
Changed-By: Jonas Meurer <jonas@freesources.org>
Closes: 929821
Changes:
libgd2 (2.2.5-5.2) unstable; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
(Closes: #929821)
Reply sent
to Jonas Meurer <jonas@freesources.org>:
You have taken responsibility.
(Sun, 30 Jun 2019 18:36:04 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 30 Jun 2019 18:36:04 GMT)
Subject: Bug#929821: fixed in libgd2 2.2.4-2+deb9u5
Date: Sun, 30 Jun 2019 18:33:39 +0000
Source: libgd2
Source-Version: 2.2.4-2+deb9u5
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 929821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Format: 1.8
Date: Tue, 11 Jun 2019 17:33:42 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source amd64
Version: 2.2.4-2+deb9u5
Distribution: stretch
Urgency: high
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Jonas Meurer <jonas@freesources.org>
Description:
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Closes: 929821
Changes:
libgd2 (2.2.4-2+deb9u5) stretch; urgency=high
.
* Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
(Closes: #929821)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 29 Jul 2019 07:25:01 GMT)