From: Aaron Bauman
To: gentoo-announce@lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 201607-04 ] GD: Multiple vulnerabilities
Date: Sat, 16 Jul 2016 22:09:54 +0900
Message-ID: <0c9128c0-a9f7-5c11-605d-480e56813fb1@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201607-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: GD: Multiple vulnerabilities
     Date: July 16, 2016
     Bugs: #504872, #538686, #581942
       ID: 201607-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in GD, the worst of which
allows remote attackers to execute arbitrary code.

Background
==========

GD is a graphic library for fast image creation.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/gd                < 2.2.2                    >= 2.2.2

Description
===========

Multiple vulnerabilities have been discovered in GD. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/gd-2.2.2"
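
An added example, not part of the advisory: a POSIX shell check that reads Portage's installed-package database (`/var/db/pkg/media-libs/gd-<version>`) and reports any installed `media-libs/gd` below the fixed version 2.2.2. The function names and the optional database-path argument are this example's own, and its version handling (dotted numbers, `-rN` revisions, pre-release suffixes) is narrower than Portage's full version rules.

```shell
#!/bin/sh
# Added example: list installed media-libs/gd versions that fall in the
# advisory's vulnerable range (< 2.2.2), read from Portage's installed-package
# database. Function names and the VDB path argument are this example's own.

FIXED_VERSION="2.2.2"   # first unaffected version, from the advisory table

# ver_lt A B: succeed if version A sorts below B. Handles dotted numbers,
# ignores the -rN revision, and treats _alpha/_beta/_pre/_rc of B as below B.
ver_lt() {
    a=${1%-r[0-9]*}; b=${2%-r[0-9]*}
    case $a in *_alpha*|*_beta*|*_pre*|*_rc*) a_pre=1 ;; *) a_pre=0 ;; esac
    a=${a%%_*}; b=${b%%_*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # keep leading digits only
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    [ "$a_pre" -eq 1 ]   # same numbers: lower only if A is a pre-release
}

# vulnerable_gd [VDB]: print each installed gd version below FIXED_VERSION.
# Returns 0 if at least one was found, 1 if none.
vulnerable_gd() {
    vdb=${1:-/var/db/pkg}
    found=1
    for dir in "$vdb"/media-libs/gd-[0-9]*; do
        [ -d "$dir" ] || continue
        ver=${dir##*/gd-}
        if ver_lt "$ver" "$FIXED_VERSION"; then
            echo "$ver"
            found=0
        fi
    done
    return "$found"
}

# Report for the local system; prints nothing when no vulnerable copy exists.
if bad=$(vulnerable_gd); then
    echo "media-libs/gd $bad is affected by GLSA 201607-04;" \
         "upgrade to >= $FIXED_VERSION"
fi
```

Gentoo's own `glsa-check` tool (`glsa-check -t 201607-04`) performs the equivalent test using Portage's version rules.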

References
==========

[ 1 ] CVE-2014-2497
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2497
[ 2 ] CVE-2014-9709
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709
[ 3 ] CVE-2016-3074
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201607-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5