GD library vulnerabilities

Tomas Hoger discovered that the GD library did not properly handle the number of colors in certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code. (CVE-2009-3546).
 

===========================================================
Ubuntu Security Notice USN-854-1          November 05, 2009
libgd2 vulnerabilities
CVE-2007-3475, CVE-2007-3476, CVE-2007-3477, CVE-2009-3293,
CVE-2009-3546
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libgd2-noxpm                    2.0.33-2ubuntu5.4
  libgd2-xpm                      2.0.33-2ubuntu5.4

Ubuntu 8.04 LTS:
  libgd2-noxpm                    2.0.35.dfsg-3ubuntu2.1
  libgd2-xpm                      2.0.35.dfsg-3ubuntu2.1

Ubuntu 8.10:
  libgd2-noxpm                    2.0.36~rc1~dfsg-3ubuntu1.8.10.1
  libgd2-xpm                      2.0.36~rc1~dfsg-3ubuntu1.8.10.1

Ubuntu 9.04:
  libgd2-noxpm                    2.0.36~rc1~dfsg-3ubuntu1.9.04.1
  libgd2-xpm                      2.0.36~rc1~dfsg-3ubuntu1.9.04.1

Ubuntu 9.10:
  libgd2-noxpm                    2.0.36~rc1~dfsg-3ubuntu1.9.10.1
  libgd2-xpm                      2.0.36~rc1~dfsg-3ubuntu1.9.10.1


It was discovered that the GD library did not properly handle incorrect
color indexes. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service or
possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS.
(CVE-2009-3293)

It was discovered that the GD library did not properly handle certain
malformed GIF images. If a user or automated system were tricked into
processing a specially crafted GIF image, an attacker could cause a denial
of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3475,
CVE-2007-3476)

It was discovered that the GD library did not properly handle large angle
degree values. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service. This
issue only affected Ubuntu 6.06 LTS. (CVE-2007-3477)
Posted on: 09/12/2009








0 Comments
If you want to leave a comment please Login or Register