
Bug#382506: marked as done (tetex-bin: DoS in embedded libgd2 copy [CVE-2006-2906])



Your message dated Mon, 14 Aug 2006 23:45:20 +0200
with message-id <20060814214520.GY4940@piware.de>
and subject line Bug#382506: tetex-bin: DoS in embedded libgd2 copy [CVE-2006-2906]
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: tetex-bin
Version: 3.0-13
Severity: normal
Tags: patch security

Hi!

tetex-bin 3.0 contains a copy of libgd2 source code in libs/gd. libgd2
had a recent security flaw that allows malicious graphic files to
trigger an endless loop. This is not a big deal, but it should get
fixed eventually. [1] has the original libgd2 patch.

libgd2 had more serious vulnerabilities in the past (CVE-2004-0990,
CVE-2004-0941), though. The best solution would be to build against
the system libgd2 library instead of using a code copy.

This does not affect 2.0.2, thus Sarge is not affected. (Even if it
was, a security update wouldn't be warranted, given that it is a client
application and no long-running server).

Thank you,

Martin

[1] http://people.ubuntu.com/patches/libgd2.CVE-2006-2906.diff
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



--- End Message ---
--- Begin Message ---
Hi Frank,

Frank Küster [2006-08-14 22:43 +0200]:
> This we already do since 3.0-17, and testing has 3.0-18 already. 

Argh, my apologies. Apparently I checked an old version.

> Or do you think we should patch the unused code?

No, of course not.

Thank you and sorry for the noise,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



--- End Message ---
