Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 587662 (CVE-2016-6128) - <media-libs/gd-2.2.3: Invalid color index not properly handled
Summary: <media-libs/gd-2.2.3: Invalid color index not properly handled
Status: RESOLVED FIXED
Alias: CVE-2016-6128
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-6132 CVE-2016-5766 CVE-2016-6207
  Show dependency tree
 
Reported: 2016-07-01 07:36 UTC by Agostino Sarubbo
Modified: 2016-12-04 11:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-07-01 07:36:43 UTC
From ${URL} :

It was found that libgd did not properly handle invalid color index, which could lead to a denial of service against applications using the libgd 
library.

Upstream patches:

https://github.com/libgd/libgd/commit/1ccfe21e14c4d18336f9da8515cd17db88c3de61
https://github.com/libgd/libgd/commit/6ff72ae40c7c20ece939afb362d98cc37f4a1c96

CVE assignment:

http://seclists.org/oss-sec/2016/q2/627


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-07-04 01:47:50 UTC
hasn't seen a release yet.  there's some other various security fixes landing too before it'll be cut.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-04 03:49:13 UTC
Targeted release upstream is 2.2.3.

@SpanKY, sec team does not include version in bug title until an ebuild is present in tree.  Please do keep letting us know the targeted release though as it helps significantly.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2016-09-02 11:11:02 UTC
Arches, please stabilize:
=media-libs/gd-2.2.3
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Tobias Klausmann gentoo-dev 2016-09-02 19:21:50 UTC
Stable on alpha.
Comment 5 Jeroen Roovers gentoo-dev 2016-09-03 09:23:19 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-10 12:49:33 UTC
amd64 stable
Comment 7 Markus Meier gentoo-dev 2016-09-24 19:17:47 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 08:41:54 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 09:36:51 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 12:37:49 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-09-29 13:30:17 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2016-10-31 05:58:33 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 13 Markus Meier gentoo-dev 2016-11-02 18:54:59 UTC
(In reply to Yury German from comment #12)
> Maintainer(s), please drop the vulnerable version(s).

Done.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-11 06:44:19 UTC
GLSA is not optional here.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 11:08:41 UTC
This issue was resolved and addressed in
 GLSA 201612-09 at https://security.gentoo.org/glsa/201612-09
by GLSA coordinator Aaron Bauman (b-man).