Debians sikkerhedsbulletin

DSA-1613-1 libgd2 -- flere sårbarheder

Rapporteret den:
22. jul 2008
Berørte pakker:
libgd2
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Debians fejlsporingssystem: Fejl 443456.
I Mitres CVE-ordbog: CVE-2007-3476, CVE-2007-3477, CVE-2007-3996, CVE-2007-2445.
Yderligere oplysninger:

Flere sårbarheder er opdaget i libgd2, et bibliotek til programatisk grafikfremstilling og -manipulering. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

  • CVE-2007-2445

    Gråskala-PNG-filer indeholdende ugyldige tRNS-chunk-CRC-værdier kunne forårsage et lammelsesangreb (denial of service, crash), hvis et ondsindet fremstillet billede blev indlæst i et program ved hjælp af libgd.

  • CVE-2007-3476

    En array-indekseringsfejl i libgds GIF-håndtering kunne medføre et lammelsesangreb (crash med heap-korruption) hvis eksceptionelt store farveindeksværdier blev leveret i en ondsindet fremstillet GIF-billedfil.

  • CVE-2007-3477

    Rutinerne imagearc() og imagefilledarc() i libgd gjorde det muligt for en angriber at kontrollere parametrene anvendt til at angive en bue i disse tegnefunktioner, til at igangsætte et lammelsesangreb (umådeholdent CPU-forbrug).

  • CVE-2007-3996

    Flere heltalsoverløb fandtes i libgds rutiner til ændring af billedstørrelser og fremstilling af billeder; disse svagheder gjorde det muligt for en angriber at kontrollere parametrene overført til rutinerne og dermed igangsætte et crash eller udføre vilkårlig kode med rettighederne hørende til brugeren, der kørte et program eller fortolker linket mod libgd2.

I den stabile distribution (etch), er disse problemer rettet i version 2.0.33-5.2etch1.

I den ustabile distribution (sid), er disse problemer rettet i version 2.0.35.dfsg-1.

Vi anbefaler at du opgraderer dine libgd2-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-5.2etch1.diff.gz
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33-5.2etch1.dsc
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2_2.0.33.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_alpha.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_alpha.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_alpha.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_alpha.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_amd64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_amd64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_amd64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_amd64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_arm.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_arm.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_arm.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_arm.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_hppa.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_hppa.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_hppa.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_hppa.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_i386.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_i386.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_i386.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_i386.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_ia64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_ia64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_ia64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_ia64.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_mips.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_mips.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_mips.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_mips.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_mipsel.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_mipsel.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_mipsel.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_mipsel.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_powerpc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_powerpc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_powerpc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_powerpc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_s390.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_s390.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_s390.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_s390.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm_2.0.33-5.2etch1_sparc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd-tools_2.0.33-5.2etch1_sparc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-xpm-dev_2.0.33-5.2etch1_sparc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm_2.0.33-5.2etch1_sparc.deb
http://security.debian.org/pool/updates/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-5.2etch1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.