"In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for development and testing purposes.'" Upstream bug: https://github.com/libgd/libgd/issues/383 Affected versions: <= 2.2.5. A fix does not seem likely.
https://github.com/libgd/libgd/commit/0be86e1926939a98afbd2f3a23c673dfc4df2a7c https://github.com/libgd/libgd/commit/2dbd8f6e66b73ed43d9b81a45350922b80f75397 There's a CVE dispute: The vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for development and testing purposes.'"
Patch anyway: https://github.com/libgd/libgd/commit/2dbd8f6e66b73ed43d9b81a45350922b80f75397 included in 2.3.0.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7220615bbaa8ce9c101b5130b58f705425c11ea

commit e7220615bbaa8ce9c101b5130b58f705425c11ea
Author: John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-23 20:43:01 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-06-25 11:27:00 +0000

media-libs/gd: Drop old (security cleanup)

Bug: https://bugs.gentoo.org/711122
Bug: https://bugs.gentoo.org/719464
Package-Manager: Portage-2.3.102, Repoman-2.3.23
Signed-off-by: John Helmert III <jchelmert3@posteo.net>
Closes: https://github.com/gentoo/gentoo/pull/16387
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

media-libs/gd/Manifest | 3 --
media-libs/gd/gd-2.2.5-r2.ebuild | 98 ----------------------------------------
2 files changed, 101 deletions(-)