Your message dated Wed, 10 Oct 2018 23:08:48 +0000
with message-id <[email protected]>
and subject line Bug#887485: fixed in libgd2 2.2.5-4.1
has caused the Debian Bug report #887485,
regarding libgd2: CVE-2018-5711 Infinite loop via crafted gif file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
887485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887485
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgd2
X-Debbugs-CC: [email protected]
[email protected]
Severity: important
Tags: security
Hi,
the following vulnerability was published for libgd2.
CVE-2018-5711[0]:
| gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP
| before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
| before 7.2.1, has an integer signedness error that leads to an infinite
| loop via a crafted GIF file, as demonstrated by a call to the
| imagecreatefromgif or imagecreatefromstring PHP function. This is
| related to GetCode_ and gdImageCreateFromGifCtx.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libgd2
Source-Version: 2.2.5-4.1
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Oct 2018 00:22:59 +0200
Source: libgd2
Binary: libgd-tools libgd-dev libgd3
Architecture: source
Version: 2.2.5-4.1
Distribution: unstable
Urgency: medium
Maintainer: GD team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 887485 906840 906886
Description:
libgd-dev - GD Graphics Library (development version)
libgd-tools - GD command line tools and example code
libgd3 - GD Graphics Library
Changes:
 libgd2 (2.2.5-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Potential infinite loop in gdImageCreateFromGifCtx (CVE-2018-5711)
     (Closes: #887485)
   * bmp: check return value in gdImageBmpPtr (CVE-2018-1000222)
     (Closes: #906886)
   * Remove src/Makefile.am patching in
     tests-make-a-little-change-for-autopkgtest.patch. Fixes "libgd2 FTBFS:
     cannot find -lgd".
     Thanks to Helmut Grohne and Adrian Bunk (Closes: #906840)
Checksums-Sha1:
c06f8e9cfb8f728a08b46f62a2b3ea81b90af416 2397 libgd2_2.2.5-4.1.dsc
8dcc3f62e0435cc08d56da84587152b88b39917c 33172 libgd2_2.2.5-4.1.debian.tar.xz
Checksums-Sha256:
8092f42b63fb30fdc84a35dca5a0b2d5b5ee3b67520a83b484dd18e7ca2dd48c 2397 libgd2_2.2.5-4.1.dsc
0227d8d78d338c2bbd70b784870ea88e386584136f0cf2446410d9c6c4216ee0 33172 libgd2_2.2.5-4.1.debian.tar.xz
Files:
6d4108e5c40c3883f6e24bf0f96b6134 2397 graphics optional libgd2_2.2.5-4.1.dsc
cb26d94f2a44a8005b314489fcf5ea9f 33172 graphics optional libgd2_2.2.5-4.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---