USN-854-1: GD library vulnerabilities

Ubuntu Security Notice USN-854-1

5th November, 2009

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • libgd2

Details

Tomas Hoger discovered that the GD library did not properly handle the
number of colors in certain malformed GD images. If a user or automated
system were tricked into processing a specially crafted GD image, an
attacker could cause a denial of service or possibly execute arbitrary
code. (CVE-2009-3546)

It was discovered that the GD library did not properly handle incorrect
color indexes. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service or
possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS.
(CVE-2009-3293)

It was discovered that the GD library did not properly handle certain
malformed GIF images. If a user or automated system were tricked into
processing a specially crafted GIF image, an attacker could cause a denial
of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3475,
CVE-2007-3476)

It was discovered that the GD library did not properly handle large angle
degree values. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service. This
issue only affected Ubuntu 6.06 LTS. (CVE-2007-3477)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 9.10:
libgd2-xpm 2.0.36~rc1~dfsg-3ubuntu1.9.10.1
libgd2-noxpm 2.0.36~rc1~dfsg-3ubuntu1.9.10.1
Ubuntu 9.04:
libgd2-xpm 2.0.36~rc1~dfsg-3ubuntu1.9.04.1
libgd2-noxpm 2.0.36~rc1~dfsg-3ubuntu1.9.04.1
Ubuntu 8.10:
libgd2-xpm 2.0.36~rc1~dfsg-3ubuntu1.8.10.1
libgd2-noxpm 2.0.36~rc1~dfsg-3ubuntu1.8.10.1
Ubuntu 8.04 LTS:
libgd2-xpm 2.0.35.dfsg-3ubuntu2.1
libgd2-noxpm 2.0.35.dfsg-3ubuntu2.1
Ubuntu 6.06 LTS:
libgd2-xpm 2.0.33-2ubuntu5.4
libgd2-noxpm 2.0.33-2ubuntu5.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2007-3475, CVE-2007-3476, CVE-2007-3477, CVE-2009-3293, CVE-2009-3546