Your message dated Wed, 06 Feb 2019 20:49:57 +0000
with message-id <e1gru8r-0000kt...@fasolo.debian.org>
and subject line Bug#920645: fixed in libgd2 2.2.5-5.1
has caused the Debian Bug report #920645,
regarding libgd2: CVE-2019-6977
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
920645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920645
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgd2
Version: 2.2.5-5
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2.2.4-2+deb9u3
Control: found -1 2.2.4-2

Hi,

The following vulnerability was published for libgd2.

CVE-2019-6977[0]:
| gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka
| LibGD) 2.2.5, as used in the imagecolormatch function in PHP before
| 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1,
| has a heap-based buffer overflow. This can be exploited by an attacker
| who is able to trigger imagecolormatch calls with crafted image data.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6977
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
[1] https://bugs.php.net/bug.php?id=77270
[2] https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libgd2
Source-Version: 2.2.5-5.1

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Feb 2019 10:55:00 +0100
Source: libgd2
Binary: libgd-dev libgd-tools libgd-tools-dbgsym libgd3 libgd3-dbgsym
Architecture: source
Version: 2.2.5-5.1
Distribution: unstable
Urgency: medium
Maintainer: GD Team <team...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 920645 920728
Description: 
 libgd-dev  - GD Graphics Library (development version)
 libgd-tools - GD command line tools and example code
 libgd3     - GD Graphics Library
Changes:
 libgd2 (2.2.5-5.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977)
     (Closes: #920645)
   * Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728)
Checksums-Sha1: 
 42b163af78a87397b20a7990ea69d4d3dbe75c49 2364 libgd2_2.2.5-5.1.dsc
 ccaeb4361a9906f09d357522b3544f5ebf60c36c 35292 libgd2_2.2.5-5.1.debian.tar.xz
Checksums-Sha256: 
 7315bbba389570a702db92aa2283b614efc95d81fe131074e5a8897d07953b98 2364 libgd2_2.2.5-5.1.dsc
 69a9110470eefdc6874fcaab7d02b67db43974c3d5e431b8d2f16712ab69af22 35292 libgd2_2.2.5-5.1.debian.tar.xz
Files: 
 1f8ed6ec471e26a93e806611e2ea47cf 2364 graphics optional libgd2_2.2.5-5.1.dsc
 a0cf086212a2573ac07454e950241b43 35292 graphics optional libgd2_2.2.5-5.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxYmj9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EwJsQAIlDZiW+r/e2TJ7SwocSj5Rk9f2lJiuL
G1NSOByoPefEdLUCeZ6o5Gfy4gTEBYEht1YYkbgwj5AhGUyo8Ia5Jego9560tHw+
XG/jLDKFHZp/OeZM9yOA0YYG+MHoowQwgDvyPj3a0t+1hdJrrY6D9nY23hTOAIvZ
qWVBh7kfsvIYXcx+9BT2PVDo2rOnOYSKvqaPDgvOERSPjGy/nCBoRXG5VQPsUbEV
Yfku6ziiwJM/o1OJM7o/VWG4VlSqsvBZNxgG825Lk/Owc25S6IMipCSVDf+LGUMK
PCmPES0hq7cLDkinAjd2AgyluWkkWLEow/DZz0GXwiksBXhlH9WwSm63cNYK/Fnb
ksFb3JdGao8z9SrGsByCNiRnt0lTruGtXL2Vci6doUR5raDNZ8Lw1wH67ecGZx4y
M1VYQjYEgx02VKXQtNIQHRNE7fhnIql8QOSjAphF0A7wjSZ48fIDnLMYKPqt6L+o
u/YnfbUY7/IsKHIJfkYzwpBT2nuBRTqzhQqPjualz91ZNTLRumZ9TuDezbM6XfPz
kInTq7oPlioszAxH9sG+6fFQwHDAwxqSxZmbzLSxrb652Gr/SzUDOBEul/GCsKW0
aVfs0rlAxtYvDV3yeaDkyJbxjLRgbYBwsokd7er6Srm4CvZEC6tZYZ/a43B2l09J
8pPMjNwiLPKP
=9jqn
-----END PGP SIGNATURE-----

--- End Message ---