
Bug 538686 (CVE-2014-9709)

Summary: <media-libs/gd-2.1.1: buffer read overflow in gd_gif_in.c (CVE-2014-9709)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, vapier
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1188639
https://bugs.gentoo.org/show_bug.cgi?id=549978
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-02-03 16:32:11 UTC
From ${URL} :

Possible buffer read overflow was fixed upstream [1].
This was also reported against PHP:
https://bugs.php.net/bug.php?id=68601 (bug is private, fixed in PHP 5.6.5)

[1]: https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 SpanKY gentoo-dev 2015-02-16 14:38:12 UTC
gd-2.1.1 is in the tree now, but will want to give it time to bake
Comment 2 SpanKY gentoo-dev 2015-12-15 13:53:32 UTC
fine to stabilize 2.1.1-r1
Comment 3 Gabor Kovari 2015-12-15 17:20:50 UTC
amd64: ok (builds)

Couldn't test functionality.
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-16 08:45:24 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-16 08:46:56 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-17 09:10:39 UTC
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-12-26 10:56:13 UTC
ppc stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-27 09:59:19 UTC
sparc stable
Comment 9 Markus Meier gentoo-dev 2016-01-07 20:20:34 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-10 10:41:14 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-01-11 09:07:43 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:18:29 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.

Also probably does not matter since in bug 571690 a newer version is stabilized, but arm was never marked as stable for this version in tree.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-04-04 20:40:45 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 13:11:43 UTC
This issue was resolved and addressed in GLSA 201607-04 at https://security.gentoo.org/glsa/201607-04 by GLSA coordinator Aaron Bauman (b-man).