Ubuntu Security Notice USN-473-1
11th June, 2007
libgd2 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 7.04
- Ubuntu 6.10
- Ubuntu 6.06 LTS
Details
A buffer overflow was discovered in libgd2's font renderer. By tricking
an application using libgd2 into rendering a specially crafted string
with a JIS encoded font, a remote attacker could read heap memory or
crash the application, leading to a denial of service. (CVE-2007-0455)
Xavier Roche discovered that libgd2 did not correctly validate PNG
callback results. If an application were tricked into processing a
specially crafted PNG image, it would monopolize CPU resources. Since
libgd2 is often used in PHP and Perl web applications, this could lead
to a remote denial of service. (CVE-2007-2756)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 7.04:
- libgd2-xpm 2.0.34~rc1-2ubuntu1.1
- libgd2-noxpm 2.0.34~rc1-2ubuntu1.1
- Ubuntu 6.10:
- libgd2-xpm 2.0.33-4ubuntu2.1
- libgd2-noxpm 2.0.33-4ubuntu2.1
- Ubuntu 6.06 LTS:
- libgd2-xpm 2.0.33-2ubuntu5.2
- libgd2-noxpm 2.0.33-2ubuntu5.2
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.