[Security Announce] [ MDKSA-2006:112 ] - Updated gd packages fix DoS vulnerability.
Posted on: 06/28/2006 05:22 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:112
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gd
Date : June 27, 2006
Affected: 10.2, 2006.0
_______________________________________________________________________

Problem Description:

The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas
Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote
attackers to cause a denial of service (CPU consumption) via malformed
GIF data that causes an infinite loop.

gd-2.0.15 in Corporate 3.0 is not affected by this issue.

Packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2906
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.2:
a8b7178a2e3aabd8f26f0575cc8775ae 10.2/RPMS/gd-utils-2.0.33-3.1.102mdk.i586.rpm
e3ef1e900f6de8cdaea4d6fd5a516476 10.2/RPMS/libgd2-2.0.33-3.1.102mdk.i586.rpm
cfe793a05357a871c3bce58ac19431a3 10.2/RPMS/libgd2-devel-2.0.33-3.1.102mdk.i586.rpm
21e65240b1c3afc878861e86e993df88 10.2/RPMS/libgd2-static-devel-2.0.33-3.1.102mdk.i586.rpm
ad156d018149831cf4c0fec70bb9ba67 10.2/SRPMS/gd-2.0.33-3.1.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
37d535359d49339434c107a48b11a8ea x86_64/10.2/RPMS/gd-utils-2.0.33-3.1.102mdk.x86_64.rpm
ff1287dd3c92ba8933162e5caf54d123 x86_64/10.2/RPMS/lib64gd2-2.0.33-3.1.102mdk.x86_64.rpm
4f8eaad304f1ed2e0be07f969d8cae72 x86_64/10.2/RPMS/lib64gd2-devel-2.0.33-3.1.102mdk.x86_64.rpm
df8f7bc54de7ab615128871448c8fcd4 x86_64/10.2/RPMS/lib64gd2-static-devel-2.0.33-3.1.102mdk.x86_64.rpm
ad156d018149831cf4c0fec70bb9ba67 x86_64/10.2/SRPMS/gd-2.0.33-3.1.102mdk.src.rpm

Mandriva Linux 2006.0:
464c206bd702817804b25b0602c9682d 2006.0/RPMS/gd-utils-2.0.33-3.1.20060mdk.i586.rpm
a1f0caedbb819ae5aaf0259d657ab137 2006.0/RPMS/libgd2-2.0.33-3.1.20060mdk.i586.rpm
2157623bebe2e780d519ab33f6846b4a 2006.0/RPMS/libgd2-devel-2.0.33-3.1.20060mdk.i586.rpm
38190793bfa2aec8feaaeec235c83020 2006.0/RPMS/libgd2-static-devel-2.0.33-3.1.20060mdk.i586.rpm
b95de17443646c61d83adba4378a5d71 2006.0/SRPMS/gd-2.0.33-3.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
4036c957b65111965a17c0e792b53739 x86_64/2006.0/RPMS/gd-utils-2.0.33-3.1.20060mdk.x86_64.rpm
30b39956ee262b92a88e6148d8691735 x86_64/2006.0/RPMS/lib64gd2-2.0.33-3.1.20060mdk.x86_64.rpm
1d28e426cecac98c3248d3c61727e842 x86_64/2006.0/RPMS/lib64gd2-devel-2.0.33-3.1.20060mdk.x86_64.rpm
9ef94ef9bb6b02afb3b67617eb3e36c9 x86_64/2006.0/RPMS/lib64gd2-static-devel-2.0.33-3.1.20060mdk.x86_64.rpm
b95de17443646c61d83adba4378a5d71 x86_64/2006.0/SRPMS/gd-2.0.33-3.1.20060mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEoaz2mqjQ0CJFipgRAqjAAJoCtlhpb95ZmP0unk5MP92uOEekhQCdHlGH
kZbOHCAUixee4sfAOoBU7M8=
=hfg5
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006112__updated_gd_packages_fix_dos_vulnerability.html)