USN-473-1: libgd2 vulnerabilities

Releases

• Ubuntu 7.04
• Ubuntu 6.10
• Ubuntu 6.06

Details

A buffer overflow was discovered in libgd2's font renderer. By tricking
an application using libgd2 into rendering a specially crafted string
with a JIS encoded font, a remote attacker could read heap memory or
crash the application, leading to a denial of service. (CVE-2007-0455)

Xavier Roche discovered that libgd2 did not correctly validate PNG
callback results. If an application were tricked into processing a
specially crafted PNG image, it would monopolize CPU resources. Since
libgd2 is often used in PHP and Perl web applications, this could lead
to a remote denial of service. (CVE-2007-2756)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.04

• libgd2-xpm - 2.0.34~rc1-2ubuntu1.1
• libgd2-noxpm - 2.0.34~rc1-2ubuntu1.1

Ubuntu 6.10

• libgd2-xpm - 2.0.33-4ubuntu2.1
• libgd2-noxpm - 2.0.33-4ubuntu2.1

Ubuntu 6.06

• libgd2-xpm - 2.0.33-2ubuntu5.2
• libgd2-noxpm - 2.0.33-2ubuntu5.2

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

References

• CVE-2007-0455
• CVE-2007-2756