Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 292130 (CVE-2009-3546) - <media-libs/gd-2.0.35-r1 Improper colorsTotal structure member verification (CVE-2009-3546)
Summary: <media-libs/gd-2.0.35-r1 Improper colorsTotal structure member verification (...
Alias: CVE-2009-3546
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Blocks: 292132
  Show dependency tree
Reported: 2009-11-06 15:07 UTC by Tobias Heinlein (RETIRED)
Modified: 2010-06-03 14:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

gd-2.0.35.ebuild.patch (gd-2.0.35.ebuild.patch,875 bytes, text/plain)
2009-11-09 12:39 UTC, Markus Meier
no flags Details
gd-2.0.35-maxcolors.patch (gd-2.0.35-maxcolors.patch,414 bytes, text/plain)
2009-11-09 12:40 UTC, Markus Meier
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 15:07:14 UTC
CVE-2009-3546 (
  The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the
  GD Graphics Library 2.x, does not properly verify a certain
  colorsTotal structure member, which might allow remote attackers to
  conduct buffer overflow or buffer over-read attacks via a crafted GD
  file, a different vulnerability than CVE-2009-3293.  NOTE: some of
  these details are obtained from third party information.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 15:11:36 UTC
Maintainers, please provide a fixed ebuild.
Comment 2 Markus Meier gentoo-dev 2009-11-09 12:39:47 UTC
Created attachment 209726 [details]

@mike: any objections to commit these two files?
Comment 3 Markus Meier gentoo-dev 2009-11-09 12:40:09 UTC
Created attachment 209727 [details]
Comment 4 SpanKY gentoo-dev 2009-11-09 12:52:30 UTC
looks fine to me, thanks
Comment 5 Markus Meier gentoo-dev 2009-11-09 13:00:53 UTC
bumped in cvs.

*gd-2.0.35-r1 (09 Nov 2009)

  09 Nov 2009; Markus Meier <> +gd-2.0.35-r1.ebuild,
  revision bump wrt security bug #292130
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-09 17:17:24 UTC
Arches, please stabilise
target keywords: alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-09 18:30:37 UTC
x86 stable
Comment 8 Dawid Węgliński (RETIRED) gentoo-dev 2009-11-10 13:25:59 UTC
amd64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-11-10 18:28:54 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-11 01:31:55 UTC
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:18:48 UTC
ppc64 done
Comment 12 nixnut (RETIRED) gentoo-dev 2009-11-21 20:08:02 UTC
ppc stable
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:08:34 UTC
GLSA request filed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-03 14:15:14 UTC
GLSA 201006-16