From ${URL} : It was found that libgd did not properly handle invalid color index, which could lead to a denial of service against applications using the libgd library. Upstream patches: https://github.com/libgd/libgd/commit/1ccfe21e14c4d18336f9da8515cd17db88c3de61 https://github.com/libgd/libgd/commit/6ff72ae40c7c20ece939afb362d98cc37f4a1c96 CVE assignment: http://seclists.org/oss-sec/2016/q2/627 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
hasn't seen a release yet. there's some other various security fixes landing too before it'll be cut.
Targeted release upstream is 2.2.3. @SpanKY, sec team does not include version in bug title until an ebuild is present in tree. Please do keep letting us know the targeted release though as it helps significantly.
Arches, please stabilize: =media-libs/gd-2.2.3 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable on alpha.
Stable for HPPA PPC64.
amd64 stable
arm stable
x86 stable
sparc stable
ppc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
(In reply to Yury German from comment #12) > Maintainer(s), please drop the vulnerable version(s). Done.
GLSA is not optional here.
This issue was resolved and addressed in GLSA 201612-09 at https://security.gentoo.org/glsa/201612-09 by GLSA coordinator Aaron Bauman (b-man).
