USN-473-1: libgd2 vulnerabilities

12 June 2007

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 7.04
  • Ubuntu 6.10
  • Ubuntu 6.06 LTS

Software Description

Details

A buffer overflow was discovered in libgd2’s font renderer. By tricking an application using libgd2 into rendering a specially crafted string with a JIS encoded font, a remote attacker could read heap memory or crash the application, leading to a denial of service. (CVE-2007-0455)

Xavier Roche discovered that libgd2 did not correctly validate PNG callback results. If an application were tricked into processing a specially crafted PNG image, it would monopolize CPU resources. Since libgd2 is often used in PHP and Perl web applications, this could lead to a remote denial of service. (CVE-2007-2756)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.04
libgd2-noxpm - 2.0.34~rc1-2ubuntu1.1
libgd2-xpm - 2.0.34~rc1-2ubuntu1.1
Ubuntu 6.10
libgd2-noxpm - 2.0.33-4ubuntu2.1
libgd2-xpm - 2.0.33-4ubuntu2.1
Ubuntu 6.06 LTS
libgd2-noxpm - 2.0.33-2ubuntu5.2
libgd2-xpm - 2.0.33-2ubuntu5.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

References