libgd2 - Debian Package Tracker

general

source: libgd2 (main)
version: 2.3.0-2
maintainer: GD Team (DMD)
uploaders: Ondřej Surý [DMD]
arch: any
std-ver: 3.9.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.2.4-2+deb9u5
o-o-sec: 2.2.4-2+deb9u4
oldstable: 2.2.5-5.2
stable: 2.3.0-2
testing: 2.3.0-2
unstable: 2.3.0-2

versioned links

2.2.4-2+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.4-2+deb9u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.5-5.2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.3.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libgd-dev (1 bugs: 0, 1, 0, 0)
libgd-tools
libgd3

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:07:17
Last run: 2021-09-05T18:42:04.000Z
Previous status: fail

testing: fail (log)
The tests ran in 0:09:37
Last run: 2021-09-15T23:23:49.000Z
Previous status: fail

stable: fail (log)
The tests ran in 0:10:22
Last run: 2021-09-15T19:41:29.000Z
Previous status: fail

Created: 2019-01-17 Last update: 2021-09-20 12:11

A new upstream version is available: 2.3.3 high

A new upstream version 2.3.3 is available, you should consider packaging it.

Created: 2021-02-01 Last update: 2021-09-20 09:57

5 security issues in stretch high

There are 5 open security issues in stretch.

1 important issue:

CVE-2021-40812: The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

4 issues postponed or untriaged:

CVE-2017-6363: (needs triaging) ** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for development and testing purposes.'"
CVE-2018-14553: (needs triaging) gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).
CVE-2021-38115: (needs triaging) read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
CVE-2021-40145: (needs triaging) ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."

Created: 2021-09-09 Last update: 2021-09-13 18:30

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2021-38115: read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
CVE-2021-40812: The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

Created: 2021-08-05 Last update: 2021-09-13 18:30

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2021-38115: read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
CVE-2021-40812: The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

Created: 2021-08-15 Last update: 2021-09-13 18:30

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 3.9.3).

Created: 2014-08-04 Last update: 2021-08-18 14:03

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2021-08-14 Last update: 2021-09-20 12:01

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-08-22 Last update: 2021-04-11 10:17

5 low-priority security issues in buster low

There are 5 open security issues in buster.

5 issues left for the package maintainer to handle:

CVE-2017-6363: (needs triaging) ** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for development and testing purposes.'"
CVE-2018-14553: (needs triaging) gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).
CVE-2021-38115: (needs triaging) read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
CVE-2021-40145: (needs triaging) ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
CVE-2021-40812: (needs triaging) The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-09-13 18:30

3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:

CVE-2021-38115: (needs triaging) read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
CVE-2021-40145: (needs triaging) ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
CVE-2021-40812: (needs triaging) The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2021-09-13 18:30

news

[rss feed]

[2020-05-19] libgd2 2.3.0-2 MIGRATED to testing (Debian testing watch)
[2020-05-06] Accepted libgd2 2.3.0-2 (source) into unstable (Ondřej Surý)
[2020-04-24] Accepted libgd2 2.3.0-1 (source) into unstable (Ondřej Surý)
[2020-02-18] Accepted libgd2 2.1.0-5+deb8u14 (source) into oldoldstable (Roberto C. Sanchez)
[2019-06-30] Accepted libgd2 2.2.4-2+deb9u5 (source amd64) into proposed-updates->stable-new, proposed-updates (Jonas Meurer)
[2019-06-15] libgd2 2.2.5-5.2 MIGRATED to testing (Debian testing watch)
[2019-06-12] Accepted libgd2 2.2.5-5.2 (source) into unstable (Jonas Meurer)
[2019-06-11] Accepted libgd2 2.1.0-5+deb8u13 (source amd64) into oldstable (Jonas Meurer)
[2019-02-12] libgd2 2.2.5-5.1 MIGRATED to testing (Debian testing watch)
[2019-02-09] Accepted libgd2 2.2.4-2+deb9u4 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2019-02-06] Accepted libgd2 2.2.5-5.1 (source) into unstable (Salvatore Bonaccorso)
[2019-02-04] Accepted libgd2 2.2.4-2+deb9u4 (source) into stable->embargoed, stable (Salvatore Bonaccorso)
[2019-01-30] Accepted libgd2 2.1.0-5+deb8u12 (source amd64) into oldstable (Thorsten Alteholz)
[2018-11-03] libgd2 2.2.5-5 MIGRATED to testing (Debian testing watch)
[2018-10-29] Accepted libgd2 2.2.5-5 (source) into unstable (Ondřej Surý)
[2018-10-20] Accepted libgd2 2.2.4-2+deb9u3 (source amd64) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)
[2018-10-16] libgd2 2.2.5-4.1 MIGRATED to testing (Debian testing watch)
[2018-10-10] Accepted libgd2 2.2.5-4.1 (source) into unstable (Salvatore Bonaccorso)
[2018-01-19] Accepted libgd2 2.0.36~rc1~dfsg-6.1+deb7u11 (source amd64) into oldoldstable (Chris Lamb)
[2017-10-29] libgd2 2.2.5-4 MIGRATED to testing (Debian testing watch)
[2017-10-22] Accepted libgd2 2.2.5-4 (source) into unstable (Ondřej Surý)
[2017-09-22] Accepted libgd2 2.0.36~rc1~dfsg-6.1+deb7u10 (source amd64) into oldoldstable (Emilio Pozuelo Monfort)
[2017-09-21] libgd2 2.2.5-3 MIGRATED to testing (Debian testing watch)
[2017-09-18] Accepted libgd2 2.2.5-3 (source) into unstable (Ondřej Surý)
[2017-09-08] Accepted libgd2 2.1.0-5+deb8u11 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Salvatore Bonaccorso)
[2017-09-07] Accepted libgd2 2.2.4-2+deb9u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-09-04] Accepted libgd2 2.2.5-2 (source) into unstable (Ondřej Surý)
[2017-08-30] Accepted libgd2 2.2.5-1 (source amd64) into unstable (Ondřej Surý)
[2017-08-12] Accepted libgd2 2.0.36~rc1~dfsg-6.1+deb7u9 (source amd64) into oldoldstable (Thorsten Alteholz)
[2017-08-12] Accepted libgd2 2.1.0-5+deb8u10 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Salvatore Bonaccorso)

bugs [bug history graph]

all: 6
RC: 0
I&N: 5
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 6)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.3.0-2ubuntu1
8 bugs (1 patch)
patches for 2.3.0-2ubuntu1