Bug 587662 (CVE-2016-6128) - <media-libs/gd-2.2.3: Invalid color index not properly handled
Summary: <media-libs/gd-2.2.3: Invalid color index not properly handled
Status: RESOLVED FIXED
Alias: CVE-2016-6128
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-6132 CVE-2016-5766 CVE-2016-6207
Reported: 2016-07-01 07:36 UTC by Agostino Sarubbo
Modified: 2016-12-04 11:08 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-07-01 07:36:43 UTC
From ${URL} :

It was found that libgd did not properly handle invalid color index, which could lead to a denial of service against applications using the libgd library.

Upstream patches:

https://github.com/libgd/libgd/commit/1ccfe21e14c4d18336f9da8515cd17db88c3de61
https://github.com/libgd/libgd/commit/6ff72ae40c7c20ece939afb362d98cc37f4a1c96

CVE assignment:

http://seclists.org/oss-sec/2016/q2/627


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-07-04 01:47:50 UTC
hasn't seen a release yet.  there's some other various security fixes landing too before it'll be cut.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-04 03:49:13 UTC
Targeted release upstream is 2.2.3.

@SpanKY, sec team does not include version in bug title until an ebuild is present in tree.  Please do keep letting us know the targeted release though as it helps significantly.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-02 11:11:02 UTC
Arches, please stabilize:
=media-libs/gd-2.2.3
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-02 19:21:50 UTC
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-03 09:23:19 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-10 12:49:33 UTC
amd64 stable
Comment 7 Markus Meier gentoo-dev 2016-09-24 19:17:47 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 08:41:54 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 09:36:51 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 12:37:49 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-09-29 13:30:17 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2016-10-31 05:58:33 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 13 Markus Meier gentoo-dev 2016-11-02 18:54:59 UTC
(In reply to Yury German from comment #12)
> Maintainer(s), please drop the vulnerable version(s).

Done.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 06:44:19 UTC
GLSA is not optional here.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 11:08:41 UTC
This issue was resolved and addressed in
 GLSA 201612-09 at https://security.gentoo.org/glsa/201612-09
by GLSA coordinator Aaron Bauman (b-man).