From: OpenPKG GmbH <openpkg-noreply@openpkg.com>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2007.016] OpenPKG Security Advisory (gd)
Date: Fri, 18 May 2007 08:42:33 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
____________________________________________________________________________
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2007.016
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.016
Advisory Published: 2007-05-18 08:42 UTC
Issue Id (internal): OpenPKG-SI-20070518.02
Issue First Created: 2007-05-18
Issue Last Modified: 2007-05-18
Issue Revision: 03
____________________________________________________________________________
Subject Name: libgd
Subject Summary: Fast Graphics Generation Library
Subject Home: http://www.libgd.org/
Subject Versions: * <= 2.0.33
Vulnerability Id: CVE-2007-0455
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: denial of service
Description:
Multiple security issues exist in the fast graphics generation
library libgd (aka GD) [0], versions up to and including 2.0.33.
The issues include 32-bit multiplication overflow vulnerabilities,
unchecked memory allocation errors, DoS via corrupt GIF images and
malformed or empty PNG images, a crash in "gdImageFillToBorder"
when the color is not opaque, crashes on antialiased lines drawn
on an image's edge, and a crash in "gdImageFill" when used with
patterns or invalid arguments [1][2].
References:
[0] http://www.libgd.org/
[1] http://www.libgd.org/ReleaseNote020034
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
____________________________________________________________________________
Primary Package Name: gd
Primary Package Home: http://openpkg.org/go/package/gd
Corrected Distribution:  Corrected Branch:  Corrected Package:
OpenPKG Enterprise       E1.0-SOLID         gd-2.0.33-E1.0.1
OpenPKG Community        CURRENT            gd-2.0.34-20070207
____________________________________________________________________________
For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>
iD8DBQFGTUrUZwQuyWG3rjQRAvOXAJ4qmxhLEZewuS8tucnraxKu/wfJdQCfbuHm
DHBMdcRsudXX2x04opetiYo=
=Zu9b
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenPKG http://openpkg.org
Announcement List openpkg-announce@openpkg.org
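
Added example (not part of the advisory and not libgd's code): the two defect classes the Description names first, a 32-bit multiplication that wraps when sizing a pixel buffer and an allocation result that is not checked, shown next to a checked form. The names checked_mul, wrapped_size and alloc_pixels and the dimensions used are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not libgd's API): multiply two non-negative ints.
 * Returns 0 and stores the product, or -1 if an operand is negative or
 * the product would not fit in a signed int. */
static int checked_mul(int a, int b, int *out)
{
    if (a < 0 || b < 0)
        return -1;
    if (a != 0 && b > INT_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* What an unchecked 32-bit size computation yields: product modulo 2^32. */
static uint32_t wrapped_size(uint32_t sx, uint32_t sy, uint32_t elem)
{
    return (uint32_t)((uint32_t)(sx * sy) * elem);
}

/* Hypothetical allocator for an sx-by-sy image of int-sized pixels.
 * Rejects dimensions whose byte size overflows; returns NULL on any
 * failure, including calloc failure, so the caller must check. */
static int *alloc_pixels(int sx, int sy)
{
    int cells, bytes;

    if (sx <= 0 || sy <= 0)
        return NULL;
    if (checked_mul(sx, sy, &cells) != 0 ||
        checked_mul(cells, (int)sizeof(int), &bytes) != 0)
        return NULL;
    return calloc((size_t)cells, sizeof(int));
}

int main(void)
{
    /* Constructed dimensions, as if read from an untrusted image header. */
    int *p = alloc_pixels(65536, 16384);
    printf("unchecked byte count: %u\n", (unsigned)wrapped_size(65536u, 16384u, 4u));
    printf("checked allocation:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the unchecked computation the byte count wraps to 0, so a later write sized by sx and sy would run past a tiny buffer; the checked path refuses the dimensions instead.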