3

USN-854-1: GD library vulnerabilities

view full story
linux-howto

http://www.ubuntu.com – Referenced CVEs:  CVE-2007-3475, CVE-2007-3476, CVE-2007-3477, CVE-2009-3293, CVE-2009-3546 Description:  =========================================================== Ubuntu Security Notice USN-854-1 November 05, 2009 libgd2 vulnerabilities CVE-2007-3475, CVE-2007-3476, CVE-2007-3477, CVE-2009-3293, CVE-2009-3546 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 Ubuntu 9.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libgd2-noxpm 2.0.33-2ubuntu5.4 libgd2-xpm 2.0.33-2ubuntu5.4 Ubuntu 8.04 LTS: libgd2-noxpm 2.0.35.dfsg-3ubuntu2.1 libgd2-xpm 2.0.35.dfsg-3ubuntu2.1 Ubuntu 8.10: libgd2-noxpm 2.0.36~rc1~dfsg-3ubuntu1.8.10.1 libgd2-xpm 2.0.36~rc1~dfsg-3ubuntu1.8.10.1 Ubuntu 9.04: libgd2-noxpm 2.0.36~rc1~dfsg-3ubuntu1.9.04.1 libgd2-xpm 2.0.36~rc1~dfsg-3ubuntu1.9.04.1 Ubuntu 9.10: libgd2-noxpm 2.0.36~rc1~dfsg-3ubuntu1.9.10.1 libgd2-xpm 2.0.36~rc1~dfsg-3ubuntu1.9.10.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tomas Hoger discovered that the GD library did not properly handle the number of colors in certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code. (CVE-2009-3546) It was discovered that the GD library did not properly handle incorrect color indexes. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-3293) It was discovered that the GD library did not properly handle certain malformed GIF images. If a user or automated system were tricked into processing a specially crafted GIF image, an attacker could cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3475, CVE-2007-3476) It was discovered that the GD library did not properly handle large angle degree values. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3477) (Distributions)