USN-473-1: libgd2 vulnerabilities

12 June 2007

libgd2 vulnerabilities



A buffer overflow was discovered in libgd2's font renderer. By tricking
an application using libgd2 into rendering a specially crafted string
with a JIS encoded font, a remote attacker could read heap memory or
crash the application, leading to a denial of service. (CVE-2007-0455)

Xavier Roche discovered that libgd2 did not correctly validate PNG
callback results. If an application were tricked into processing a
specially crafted PNG image, it would monopolize CPU resources. Since
libgd2 is often used in PHP and Perl web applications, this could lead
to a remote denial of service. (CVE-2007-2756)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.04
  • libgd2-xpm - 2.0.34~rc1-2ubuntu1.1
  • libgd2-noxpm - 2.0.34~rc1-2ubuntu1.1
Ubuntu 6.10
  • libgd2-xpm - 2.0.33-4ubuntu2.1
  • libgd2-noxpm - 2.0.33-4ubuntu2.1
Ubuntu 6.06
  • libgd2-xpm - 2.0.33-2ubuntu5.2
  • libgd2-noxpm - 2.0.33-2ubuntu5.2

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.