Your message dated Mon, 14 Aug 2006 23:45:20 +0200
with message-id <20060814214520.GY4940@piware.de>
and subject line Bug#382506: tetex-bin: DoS in embedded libgd2 copy [CVE-2006-2906]
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
- To: Debian BTS Submit <submit@bugs.debian.org>
- Subject: tetex-bin: DoS in embedded libgd2 copy [CVE-2006-2906]
- From: Martin Pitt <martin.pitt@ubuntu.com>
- Date: Fri, 11 Aug 2006 16:49:25 +0200
- Message-id: <20060811144925.GI5244@piware.de>

Package: tetex-bin
Version: 3.0-13
Severity: normal
Tags: patch security

Hi!

tetex-bin 3.0 contains a copy of libgd2 source code in libs/gd. libgd2 had a recent security flaw that allows malicious graphic files to trigger an endless loop. This is not a big deal, but it should get fixed eventually. [1] has the original libgd2 patch.

libgd2 had more serious vulnerabilities in the past (CVE-2004-0990, CVE-2004-0941), though. The best solution would be to build against the system libgd2 library instead of using a code copy.

This does not affect 2.0.2, thus Sarge is not affected. (Even if it was, a security update wouldn't be warranted, given that it is a client application and no long-running server).

Thank you,

Martin

[1] http://people.ubuntu.com/patches/libgd2.CVE-2006-2906.diff

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
--- End Message ---
--- Begin Message ---
- To: Frank Küster <frank@debian.org>, 382506-done@bugs.debian.org
- Subject: Re: Bug#382506: tetex-bin: DoS in embedded libgd2 copy [CVE-2006-2906]
- From: Martin Pitt <mpitt@debian.org>
- Date: Mon, 14 Aug 2006 23:45:20 +0200
- Message-id: <20060814214520.GY4940@piware.de>
- In-reply-to: <86psf359r6.fsf@alhambra.kuesterei.ch>
- References: <20060811144925.GI5244@piware.de> <86psf359r6.fsf@alhambra.kuesterei.ch>

Hi Frank,

Frank Küster [2006-08-14 22:43 +0200]:
> This we already do since 3.0-17, and testing has 3.0-18 already.

Argh, my apologies. Apparently I checked an old version.

> Or do you think we should patch the unused code?

No, of course not.

Thank you and sorry for the noise,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
--- End Message ---