USN-854-1: GD library vulnerabilities

5 November 2009

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • libgd2

Details

Tomas Hoger discovered that the GD library did not properly handle the number of colors in certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code. (CVE-2009-3546)

It was discovered that the GD library did not properly handle incorrect color indexes. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-3293)

It was discovered that the GD library did not properly handle certain malformed GIF images. If a user or automated system were tricked into processing a specially crafted GIF image, an attacker could cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3475, CVE-2007-3476)

It was discovered that the GD library did not properly handle large angle degree values. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3477)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
libgd2-noxpm - 2.0.36~rc1~dfsg-3ubuntu1.9.10.1
libgd2-xpm - 2.0.36~rc1~dfsg-3ubuntu1.9.10.1
Ubuntu 9.04
libgd2-noxpm - 2.0.36~rc1~dfsg-3ubuntu1.9.04.1
libgd2-xpm - 2.0.36~rc1~dfsg-3ubuntu1.9.04.1
Ubuntu 8.10
libgd2-noxpm - 2.0.36~rc1~dfsg-3ubuntu1.8.10.1
libgd2-xpm - 2.0.36~rc1~dfsg-3ubuntu1.8.10.1
Ubuntu 8.04 LTS
libgd2-noxpm - 2.0.35.dfsg-3ubuntu2.1
libgd2-xpm - 2.0.35.dfsg-3ubuntu2.1
Ubuntu 6.06 LTS
libgd2-noxpm - 2.0.33-2ubuntu5.4
libgd2-xpm - 2.0.33-2ubuntu5.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References