See bug #135860 for further details.
Mike please advise and patch as necessary.
vapier, please advise/fix. kthanx
Vapier, any news on this one?
<@SpanKY> vorlon078: need to contact upstream as they havent done a release yet
Created attachment 101093 [details] gd-patches.tar.bz2 update gd with debian patches: 1001_CAN-2004-0941.patch 1002_CVE-2006-2906.patch 1003_fix_aa_segfault.patch 1004_improve_aa_lines.patch 1005_graphviz_sanitize.patch 1006_western_european_fonts.patch 1007_minimize_linking_deps.patch 1008_segfault_invalid_gif.patch
vapier, could you check/apply the needed patch for this issue?
Just an update here, thanks to koredn from #gentoo-php This project has been moved and is being developed by Pierre Joye (a PHP dev). <Pierre> kore_: it is already fixed, in gd cvs and php-src (in a cleaner way btw)" <kore_> Pierre, Is there already a ETA for a 2.0.34 release? < koredn> <Pierre> kore_: RC should go out shortly (waiting some autoconf commit) http://cvs.php.net/viewcvs.cgi/gd/libgd/ According to Pierre, Gentoo developers already know about this... :P Anyway, unless vapier feels like doing something here, I'll try to ask CHTEKK to take over this and stick the package under PHP herd.
yes, "Gentoo developers" already know this because i've been talking to Pierre on the GD development lists ... fancy that
(In reply to comment #13) > yes, "Gentoo developers" already know this because i've been talking to Pierre > on the GD development lists ... fancy that Wonderful, then maybe you could have responded to one of the 9 pings on this bug... I'm afraid security folks are missing paranormal skills :P
Pierre (the new gd maintainer) asked me to post the following comment: For the record, I strongly recommend to do not apply all patches from debian but from the libgd CVS. A couple of patches listed here should not be applied at all, no matter the distribution: 1006_western_european_fonts.patch 1004_improve_aa_lines.patch 1005_graphviz_sanitize.patch is unknown to me or maybe already committed as I applied almost all graphiz patches sent to T. Boutell (will download it and compare later this week). As Vapier said earlier, he follows the list and can contact me for any further informations. I will be happy to help gentoo to bring some order in the patch mess. Thanks for your work and heads up :)
sure, i should have kept security devs informed ... but that doesnt mean i need some lackey who thinks he knows how to help gd-2.0.34 in portage
Thanks vapier, arches please test gd-2.0.34 and mark stable if appropriate , thanks a lot
x86 stable
ppc stable
Stable on hppa
amd64 stable
Stable on IA64.
sparc stable.
Stable on Alpha.
ppc64 stable
Thanks all, time to vote for a GLSA: i vote yes because it's an infinite loop (cpu consumption) that could be triggered through a PHP script using gd, for example, or any other server-oriented application calling gd.
I would vote NO, as the impact is fairly minor.
I agree with falco here voting yes
back to [noglsa] after having talked with the discoverer who says that it doesn't merit an update. Although there is a possible incrementation of the pointer on the NULL char, it seems very very hard to obtain. Feel free to reopen if you disagree.
