[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#382506: tetex-bin: DoS in embedded libgd2 copy [CVE-2006-2906]

Package: tetex-bin
Version: 3.0-13
Severity: normal
Tags: patch security


tetex-bin 3.0 contains a copy of libgd2 source code in libs/gd. libgd2
had a recent security flaw that allows malicious graphic files to
trigger an endless loop. This is not a big deal, but it should get
fixed eventually. [1] has the original libgd2 patch.

libgd2 had more serious vulnerabilities in the past (CVE-2004-0990,
CVE-2004-0941), though. The best solution would be to build against
the system libgd2 library instead of using a code copy.

This does not affect 2.0.2, thus Sarge is not affected. (Even if it
was, a security update wouln't be warranted, given that it is a client
application and no long-running server).

Thank you,


[1] http://people.ubuntu.com/patches/libgd2.CVE-2006-2906.diff
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Attachment: signature.asc
Description: Digital signature

Reply to: