DSA 1117-1: New libgd2 packages fix denial of service
Posted on: 07/21/2006 06:12 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1117-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
July 21st, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : libgd2
Vulnerability : insufficient input sanitising
Problem-Type : local(remote)
Debian-specific: no
CVE ID : CVE-2006-2906
Debian Bug : 372912

It was discoverd that the GD graphics library performs insufficient checks
of the validity of GIF images, which might lead to denial of service by
tricking the application into an infinite loop.

For the stable distribution (sarge) this problem has been fixed in
version 2.0.33-1.1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.33-5.

We recommend that you upgrade your libgd2 packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.dsc
Size/MD5 checksum: 885 e389163781898504ec6e8e0018cd1fdd
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-1.1sarge1.diff.gz
Size/MD5 checksum: 260955 50e0aa54bda19f06041d78a5771c7fd1
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33.orig.tar.gz
Size/MD5 checksum: 587617 be0a6d326cd8567e736fbc75df0a5c45

Architecture independent components:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-dev_2.0.33-1.1sarge1_all.deb
Size/MD5 checksum: 128526 bcaaacf60733a35002b999f8851ce3a7
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-1.1sarge1_all.deb
Size/MD5 checksum: 128500 4ef28350291c173754332cc61cb54ba1

Alpha architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_alpha.deb
Size/MD5 checksum: 144914 65aa478f07315cb7e62ac6d91177b96d
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_alpha.deb
Size/MD5 checksum: 206668 8cded1b036579ebc7c62f1ac37824ac6
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_alpha.deb
Size/MD5 checksum: 357800 cc21def16f0e514da5d34c2f513b3daf
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_alpha.deb
Size/MD5 checksum: 208490 fa17839a6953dbd709eda8783be6ead1
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_alpha.deb
Size/MD5 checksum: 362160 0be347a2217d06fe7ef36b002ea7c9ca

AMD64 architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_amd64.deb
Size/MD5 checksum: 141774 1f54d14b016a5ad132998ff669226244
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_amd64.deb
Size/MD5 checksum: 196436 6ff8e6d85237e34ddd12c9aea85bd314
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_amd64.deb
Size/MD5 checksum: 337310 bfd77a6cdc6aaa1c64d6c4be1a8acea8
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_amd64.deb
Size/MD5 checksum: 198932 a084415f7c3dfc684569d626dd80aacb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_amd64.deb
Size/MD5 checksum: 340294 8fdc6f33e6253346c4f853db61501a21

ARM architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_arm.deb
Size/MD5 checksum: 141374 b157ca4d44fffd20740c162535ca9e3f
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_arm.deb
Size/MD5 checksum: 188664 5b3a0e8dcb02e3fa83cb8a618a57c456
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_arm.deb
Size/MD5 checksum: 334316 74999431b3008c7f4820d0405a236c0f
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_arm.deb
Size/MD5 checksum: 191308 b29466e1a38e863dce0b1cdb535e3cfc
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_arm.deb
Size/MD5 checksum: 337536 761e0550e4d9343d2056dba350c1cd1f

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_i386.deb
Size/MD5 checksum: 141786 1cc957c1d1cb93e2d80c85d0c84dcfd1
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_i386.deb
Size/MD5 checksum: 191932 f66bc591f047503e80d107458e938416
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_i386.deb
Size/MD5 checksum: 328576 27953838b048aab48d4eee40fc630f6f
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_i386.deb
Size/MD5 checksum: 193690 580d72764e8b331f9be599b45894497d
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_i386.deb
Size/MD5 checksum: 330848 0c980ae4c5a0e93725175e69c7d8176f

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_ia64.deb
Size/MD5 checksum: 146290 a07f3ae8f234ca3e3b5e81eebf3c446d
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_ia64.deb
Size/MD5 checksum: 224272 c057fe07156af1945b9eab8909a28bec
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_ia64.deb
Size/MD5 checksum: 370376 6f8485a4f4d916d75dc21b20a113ad98
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_ia64.deb
Size/MD5 checksum: 227040 4983686be756f0fdd7ab03cf1cc9c195
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_ia64.deb
Size/MD5 checksum: 373400 896aaaaec2747772779073c837fe2d84

HP Precision architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_hppa.deb
Size/MD5 checksum: 143562 c4223c693e1a24336ddab5a92e3d019b
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_hppa.deb
Size/MD5 checksum: 204504 371343c96979ae3b6688a9471333dd20
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_hppa.deb
Size/MD5 checksum: 345608 267ea3ea2dedc6b7d1b991821eff0327
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_hppa.deb
Size/MD5 checksum: 207026 ad942c88f11286a44e9aac850fb10a3a
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_hppa.deb
Size/MD5 checksum: 348272 926ac97ade522d92be98fd0035536c45

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_m68k.deb
Size/MD5 checksum: 141456 1477bf288e99fa9bdf1640c828d7f1a5
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_m68k.deb
Size/MD5 checksum: 184864 9cde2fe10257ecaf581300e024dd7f0c
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_m68k.deb
Size/MD5 checksum: 323520 634a13523c02c7b831228c128fe320c8
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_m68k.deb
Size/MD5 checksum: 187018 b6fcadf304e52fa9e57ceb168e495156
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_m68k.deb
Size/MD5 checksum: 325634 44468789f4014425c7c84c62fdb07914

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_mips.deb
Size/MD5 checksum: 155774 5af80762b00f46f1f9fdc46a78941191
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_mips.deb
Size/MD5 checksum: 195396 c10d28c9f999639745c04889c0581516
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_mips.deb
Size/MD5 checksum: 344960 0b3bc47908a4f25ebb58b27c5e6fa730
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_mips.deb
Size/MD5 checksum: 198016 9fe5be1930a8f9ff4ab15b09aff626fb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_mips.deb
Size/MD5 checksum: 347410 da9fb9aeb4c9891cb5dec62ca9263aaa

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_mipsel.deb
Size/MD5 checksum: 155772 58c478bc430bd49cece6e748218e6200
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_mipsel.deb
Size/MD5 checksum: 195330 ca975af25d3362ce4a4c9e19b1d27b50
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_mipsel.deb
Size/MD5 checksum: 344992 096e665346647e297e943684e7222e5f
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_mipsel.deb
Size/MD5 checksum: 197846 660f0ba2f884e249d5ffd7302f398a01
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_mipsel.deb
Size/MD5 checksum: 347270 69c4a6744e74455997a8228566a47f00

PowerPC architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_powerpc.deb
Size/MD5 checksum: 150276 46c99b85b1faf609147cc111b747841d
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_powerpc.deb
Size/MD5 checksum: 198830 c8168aa92f4008e2943893fa5ccae820
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_powerpc.deb
Size/MD5 checksum: 341538 505e633e80f425c8b9422e83997ac07c
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_powerpc.deb
Size/MD5 checksum: 200916 16d8a96a3fc3b28a7355680fedaef3e8
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_powerpc.deb
Size/MD5 checksum: 344206 47c92a9a5bbc22637f5fee0223034a97

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_s390.deb
Size/MD5 checksum: 142414 a30ad94d6ca809d519a088771b31fc1d
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_s390.deb
Size/MD5 checksum: 199456 c99ca505a026d2b7b01dea1eaeebc4a5
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_s390.deb
Size/MD5 checksum: 337702 c45bca23bef2f03a03a6e07e37757281
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_s390.deb
Size/MD5 checksum: 202030 34639f38ecfed22b1b1887a918516dce
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_s390.deb
Size/MD5 checksum: 341264 c510662e0889b70e73b8e76c568009e6

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-1.1sarge1_sparc.deb
Size/MD5 checksum: 141382 71ccad065f8a4a21ee8337537e732b90
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-1.1sarge1_sparc.deb
Size/MD5 checksum: 191428 aa0a6d650fb2eb6322d2582f7489ed73
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-1.1sarge1_sparc.deb
Size/MD5 checksum: 332436 26d15a5c68f2a47a5eccf4ba3b4980fb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-1.1sarge1_sparc.deb
Size/MD5 checksum: 194072 95aa9e357d5dd4f0105e1f7888b9bb4f
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-1.1sarge1_sparc.deb
Size/MD5 checksum: 334118 a6d05fae692cd60c72b231a78230a38a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEwP4VXm3vHE4uyloRAmsZAKDNNtLkk8pu74ItZ+FiwvNBCh8XtgCgodBY
aDbnxJJl5wHK/XslepqaJa0=
=vPD4
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1117_1_new_libgd2_packages_fix_denial_of_service.html)