Comment 1 Christopher Díaz Riveros (RETIRED) 2017-09-04 15:46:40 UTC

(In reply to Ian Zimmerman from comment #0)
> Upstream ticket:
> https://github.com/libgd/libgd/issues/381
> 
> Affected version: 2.2.4
> 
> Debian advisory:
> https://www.debian.org/security/2017/dsa-3961
> 
> Upstream fix:
> https://github.com/libgd/libgd/commit/
> 56ce6ef068b954ad28379e83cca04feefc51320c

Thank you for reporting the issue.

From Debian advisory:

A double-free vulnerability was discovered in the gdImagePngPtr() function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed.

@Maintainers, after the bump please call for stabilization when ready, or let us know.

Gentoo Security Padawan
ChrisADR

Comment 2 SpanKY 2018-01-30 03:46:44 UTC

gd-2.2.5 is in the tree now

Comment 3 Aaron Bauman (RETIRED) 2018-03-23 22:04:03 UTC

@arches, please stabilize.

Comment 4 Mikle Kolyada (RETIRED) 2018-03-24 21:07:46 UTC

amd64 stable

Comment 5 Sergei Trofimovich (RETIRED) 2018-03-24 21:37:45 UTC

ia64 stable

Comment 6 Sergei Trofimovich (RETIRED) 2018-03-25 13:49:34 UTC

ppc64 stable

Comment 7 Sergei Trofimovich (RETIRED) 2018-03-25 18:06:07 UTC

ppc stable

Comment 8 Thomas Deutschmann (RETIRED) 2018-03-25 22:44:07 UTC

x86 stable

Comment 9 Tobias Klausmann (RETIRED) 2018-03-31 14:18:48 UTC

Stable on alpha.

Comment 10 Markus Meier 2018-04-08 10:49:06 UTC

arm stable

Comment 11 Mart Raudsepp 2018-04-18 06:53:38 UTC

adding missing sparc CC..

Comment 12 Larry the Git Cow 2018-04-20 19:01:02 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d965891b7b86fae7eae9bee9ba7c90791e2a2f60

commit d965891b7b86fae7eae9bee9ba7c90791e2a2f60
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-20 10:13:45 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 19:00:52 +0000

    media-libs/gd: stable 2.2.5 for sparc
    
    Bug: https://bugs.gentoo.org/629886
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-libs/gd/gd-2.2.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}

Comment 13 Matt Turner 2018-04-22 19:25:17 UTC

hppa stable

Comment 14 Aaron Bauman (RETIRED) 2018-04-22 21:10:32 UTC

This is a DoS and downgraded to B3.

GLSA Vote: No

Comment 15 Larry the Git Cow 2018-04-22 21:11:14 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9df83d31d0160508d26e7ec731b88835582ca92b

commit 9df83d31d0160508d26e7ec731b88835582ca92b
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-22 21:10:44 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-22 21:11:06 +0000

    media-libs/gd: drop vulnerable
    
    Closes: https://bugs.gentoo.org/629886
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 media-libs/gd/Manifest        |  1 -
 media-libs/gd/gd-2.2.4.ebuild | 62 -------------------------------------------
 2 files changed, 63 deletions(-)