ESB-2017.2013 - [Linux][Debian] libgd2: Access confidential data - Existing account 2017-08-14


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2013
                          libgd2 security update
                              14 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libgd2
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   Linux variants
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7890  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3938

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libgd2 check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3938-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2017                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libgd2
CVE ID         : CVE-2017-7890
Debian Bug     : 869263

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used
to load images from GIF format files in libgd2, a library for
programmatic graphics creation and manipulation, does not zero
stack-allocated color map buffers before their use. Palette entries the
file never defines therefore keep whatever the stack previously held,
which may result in information disclosure (uninitialised stack
contents reaching the decoded image) if a specially crafted GIF file is
processed.
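The following is an added illustration of the bug class the advisory
describes; it is not libgd's code and uses a simplified, constructed
colour-table layout (flag byte, RGB entries, then one-byte pixel
indices) rather than the real GIF grammar. The function and sample names
are assumptions for this example. The unsafe variant shows the pattern
of a stack palette that is filled only up to the declared size and then
indexed by untrusted bytes; the hardened variant clears the buffer first
and counts out-of-table indices so the caller can reject the file.

```c
/* Added illustration of the bug class in DSA-3938 (not libgd's code): a
 * minimal GIF-style colour-table reader. GIF encodes the table size in
 * the low three bits of a flag byte as 2^(n+1), but pixel indices are
 * full bytes, so a crafted file can declare a 2-entry table and use
 * index 200. Layout used here (constructed for this example):
 *   buf[0]      flags byte
 *   buf[1..]    3 * size bytes of RGB entries
 *   then        npix one-byte pixel indices
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAXCOLORMAPSIZE 256

typedef struct { uint8_t r, g, b; } rgb_t;

/* Declared table size, GIF-style: 2^((flags & 7) + 1), at most 256. */
size_t gif_table_size(uint8_t flags) { return (size_t)1 << ((flags & 7) + 1); }

/* Vulnerable pattern: the palette is a stack array that is never
 * cleared, so an index at or beyond the declared size reads whatever a
 * previous stack frame left there, and that stale data becomes pixel
 * colour in the decoded image. Returns 0 on success, -1 if truncated. */
int gif_lookup_unsafe(const uint8_t *buf, size_t len, size_t npix, rgb_t *out)
{
    rgb_t cmap[MAXCOLORMAPSIZE];              /* uninitialised */
    if (len < 1) return -1;
    size_t n = gif_table_size(buf[0]);
    if (len < 1 + 3 * n + npix) return -1;    /* truncated input */
    memcpy(cmap, buf + 1, 3 * n);             /* only n entries are written */
    const uint8_t *px = buf + 1 + 3 * n;
    for (size_t i = 0; i < npix; i++)
        out[i] = cmap[px[i]];                 /* px[i] >= n: stale stack bytes */
    return 0;
}

/* Hardened form: clear the whole palette before use (the fix class the
 * advisory describes) and additionally count indices outside the
 * declared table so the caller can reject the file. Returns the number
 * of out-of-table indices, or -1 if the input is truncated. */
int gif_lookup_safe(const uint8_t *buf, size_t len, size_t npix, rgb_t *out)
{
    rgb_t cmap[MAXCOLORMAPSIZE];
    memset(cmap, 0, sizeof cmap);             /* no stale data can leak */
    if (len < 1) return -1;
    size_t n = gif_table_size(buf[0]);
    if (len < 1 + 3 * n + npix) return -1;
    memcpy(cmap, buf + 1, 3 * n);
    const uint8_t *px = buf + 1 + 3 * n;
    int bad = 0;
    for (size_t i = 0; i < npix; i++) {
        if (px[i] >= n) bad++;                /* zeroed entry: black, not a leak */
        out[i] = cmap[px[i]];
    }
    return bad;
}

/* Constructed sample: flags 0x00 -> 2-entry table (red, green), then
 * three pixel indices, the last of which (200) lies outside the table. */
const uint8_t SAMPLE_CRAFTED[] = { 0x00, 255, 0, 0, 0, 255, 0, 0, 1, 200 };

int main(void)
{
    rgb_t px[3];
    int bad = gif_lookup_safe(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED, 3, px);
    printf("out-of-table indices: %d, pixel[2] = (%u,%u,%u)\n",
           bad, px[2].r, px[2].g, px[2].b);
    return bad > 0;   /* non-zero exit: the file should be rejected */
}
```

Note that neither variant overruns the 256-entry array, because a
one-byte index cannot exceed 255; the defect is purely that entries
beyond the declared size are never written. Clearing the buffer removes
the disclosure, and checking the index against the declared size turns
a malformed file into a clean rejection instead of a black pixel.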

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWZD1x4x+lLeg9Ub1AQgzWRAAlLYvYbT5fzxUMIbLJ872MZnO+Qi1OUOQ
GQq5p6emN+2pCS40exSV82h10aijfGh+gpkXyglaFv3sAIcpsMztK3ZYi7EgWpzR
YQKxYRCe8fmAT0fvdVzeb+6T7BkxpUewcUTS8AD4OaP7axBEFlJDXocrmQFBEDlb
n1ozd2fBG4b3vyQNON1VjsCDIUvqozhyr0tFoaVO4cOS3UxTx6oVIz5w/puZbbig
DDu5SVzmu/0LkV81BdoGJaFGQ/12YkE6KaTZcbmqzWU5ST65eAHyj48wBwKKD7WR
U0ipKZY8OHRHlUn9N6F8dVXiS2dS4LtO50YC00FZiFPARDdNa/xyk3N/9ZI9EkcQ
M8AK6Ym3L0kjgn0EtgHT++5pPCOaAXuuKdB1+4m0U+DdqJ2Sp8m+x9CFtqIJ/EoG
2ivxlwoLfsm2VOexnMnoSq1Sfm7or+jIptrck9CmHhAv8LadqmI8M/Fb12lEFdHX
0BgrXi6GfPkaLRInzc3UpCtRymPovJmxS1wrQxev27c6CyOD8NFrd2yaeImM9GnT
lv5b5vPannSeb76XtZMdc+n25RpW1iGX81PXSGmpQERIwSHI6r3RqKvtIoDfX77l
vNCaeNbOOGQXf6MSLqWwMxkYUBKgO/3tAfOzNkX/UvleVv9636dzwIky/CgXaYGW
aY89iJfzkyw=
=6T1Y
-----END PGP SIGNATURE-----
