
Bug 292130 (CVE-2009-3546)

Summary: <media-libs/gd-2.0.35-r1 Improper colorsTotal structure member verification (CVE-2009-3546)
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, vapier
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://svn.php.net/viewvc?view=revision&revision=289557
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 292132
Attachments (Description, Flags):
gd-2.0.35.ebuild.patch (flags: none)
gd-2.0.35-maxcolors.patch (flags: none)

Description Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 15:07:14 UTC
CVE-2009-3546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3546):
  The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the
  GD Graphics Library 2.x, does not properly verify a certain
  colorsTotal structure member, which might allow remote attackers to
  conduct buffer overflow or buffer over-read attacks via a crafted GD
  file, a different vulnerability than CVE-2009-3293.  NOTE: some of
  these details are obtained from third party information.
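
The class of check the CVE text describes, as an added example (not code from this bug, libgd, or PHP): a count read from the file is validated against the fixed array capacity and against the remaining input before it is used as a loop bound. The 2-byte-count-plus-RGB layout, `struct palette`, `parse_palette` and `MAX_COLORS` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COLORS 256 /* capacity of the fixed palette arrays (gdMaxColors in libgd) */

/* Hypothetical, simplified palette struct; not libgd's gdImage. */
struct palette {
    int colors_total;
    int red[MAX_COLORS], green[MAX_COLORS], blue[MAX_COLORS];
};

/* Assumed layout: 2-byte big-endian count, then `count` RGB triples.
 * Returns 0 on success, -1 on truncated input, -2 on an out-of-range count. */
int parse_palette(const uint8_t *buf, size_t len, struct palette *p)
{
    if (len < 2)
        return -1;
    size_t count = ((size_t)buf[0] << 8) | buf[1];

    /* The count comes from the file: reject it before it is used as a
     * loop bound over arrays that hold only MAX_COLORS entries. */
    if (count > MAX_COLORS)
        return -2;
    /* Also require the entries to be present, so the loop cannot over-read. */
    if (len - 2 < count * 3)
        return -1;

    memset(p, 0, sizeof *p);
    p->colors_total = (int)count;
    for (size_t i = 0; i < count; i++) {
        p->red[i]   = buf[2 + 3 * i];
        p->green[i] = buf[2 + 3 * i + 1];
        p->blue[i]  = buf[2 + 3 * i + 2];
    }
    return 0;
}

int main(void)
{
    struct palette p;
    const uint8_t ok[]  = { 0x00, 0x02, 10, 20, 30, 40, 50, 60 }; /* constructed */
    const uint8_t big[] = { 0x01, 0x01 }; /* constructed: count = 257 */
    printf("ok=%d big=%d\n", parse_palette(ok, sizeof ok, &p),
           parse_palette(big, sizeof big, &p));
    return 0;
}
```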
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 15:11:36 UTC
Maintainers, please provide a fixed ebuild.
Comment 2 Markus Meier gentoo-dev 2009-11-09 12:39:47 UTC
Created attachment 209726
gd-2.0.35.ebuild.patch

@mike: any objections to commit these two files?
Comment 3 Markus Meier gentoo-dev 2009-11-09 12:40:09 UTC
Created attachment 209727
gd-2.0.35-maxcolors.patch
Comment 4 SpanKY gentoo-dev 2009-11-09 12:52:30 UTC
looks fine to me, thanks
Comment 5 Markus Meier gentoo-dev 2009-11-09 13:00:53 UTC
bumped in cvs.

*gd-2.0.35-r1 (09 Nov 2009)

  09 Nov 2009; Markus Meier <maekke@gentoo.org> +gd-2.0.35-r1.ebuild,
  +files/gd-2.0.35-maxcolors.patch:
  revision bump wrt security bug #292130
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-09 17:17:24 UTC
Arches, please stabilise
   =media-libs/gd-2.0.35-r1
target keywords: alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-09 18:30:37 UTC
x86 stable
Comment 8 Dawid Węgliński (RETIRED) gentoo-dev 2009-11-10 13:25:59 UTC
amd64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-11-10 18:28:54 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-11 01:31:55 UTC
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:18:48 UTC
ppc64 done
Comment 12 nixnut (RETIRED) gentoo-dev 2009-11-21 20:08:02 UTC
ppc stable
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:08:34 UTC
GLSA request filed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-03 14:15:14 UTC
GLSA 201006-16