This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <88c10751-5d9f-be28-019a-cad956b72ad8@canonical.com>
Subject: [USN-3213-1] GD library vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3213-1
February 28, 2017

libgd2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
The GD library could be made to crash or run programs if it processed a specially crafted image file.
Software Description:
- libgd2: GD Graphics Library
Details:
Stefan Esser discovered that the GD library incorrectly handled memory when processing certain images. If a user or automated system were tricked into processing a specially crafted image, an attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10166)
It was discovered that the GD library incorrectly handled certain malformed images. If a user or automated system were tricked into processing a specially crafted image, an attacker could cause a denial of service. (CVE-2016-10167)
It was discovered that the GD library incorrectly handled certain malformed images. If a user or automated system were tricked into processing a specially crafted image, an attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2016-10168)
Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed TGA images. If a user or automated system were tricked into processing a specially crafted TGA image, an attacker could cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6906)
Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed WebP images. If a user or automated system were tricked into processing a specially crafted WebP image, an attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6912)
It was discovered that the GD library incorrectly handled creating oversized images. If a user or automated system were tricked into creating a specially crafted image, an attacker could cause a denial of service. (CVE-2016-9317)
It was discovered that the GD library incorrectly handled filling certain images. If a user or automated system were tricked into filling an image, an attacker could cause a denial of service. (CVE-2016-9933)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.10:
  libgd3                          2.2.1-1ubuntu3.3

Ubuntu 16.04 LTS:
  libgd3                          2.1.1-4ubuntu0.16.04.6

Ubuntu 14.04 LTS:
  libgd3                          2.1.0-3ubuntu0.6

Ubuntu 12.04 LTS:
  libgd2-noxpm                    2.0.36~rc1~dfsg-6ubuntu2.4
  libgd2-xpm                      2.0.36~rc1~dfsg-6ubuntu2.4
In general, a standard system update will make all the necessary changes.
References:
  http://www.ubuntu.com/usn/usn-3213-1
  CVE-2016-10166, CVE-2016-10167, CVE-2016-10168, CVE-2016-6906,
  CVE-2016-6912, CVE-2016-9317, CVE-2016-9933

Package Information:
  https://launchpad.net/ubuntu/+source/libgd2/2.2.1-1ubuntu3.3
  https://launchpad.net/ubuntu/+source/libgd2/2.1.1-4ubuntu0.16.04.6
  https://launchpad.net/ubuntu/+source/libgd2/2.1.0-3ubuntu0.6
  https://launchpad.net/ubuntu/+source/libgd2/2.0.36~rc1~dfsg-6ubuntu2.4