-
libgd2 (2.0.34~rc1-2ubuntu1.2) feisty-security; urgency=low
* SECURITY UPDATE: improper bounds checking could lead to a denial of
service or possibly arbitrary code execution
* fix gd.c to properly check width and height in gdImageCreateTrueColor()
* References:
CVE-2007-3996
-- Jamie Strandboge <email address hidden> Fri, 14 Dec 2007 14:41:38 -0500
-
libgd2 (2.0.34~rc1-2ubuntu1.1) feisty-security; urgency=low
* SECURITY UPDATE: memory leak via font manipulation, endless loop via PNG.
* gd_png.c: abort on corrupted PNGs.
- upstream fixes backported inline
- CVE-2007-2756
* gdft.c: detect end of string correctly.
- upstream fixes backported inline
- CVE-2007-0455
* debian/control: maintainer field updates.
-- Kees Cook <email address hidden> Mon, 11 Jun 2007 14:55:51 -0700
-
libgd2 (2.0.34~rc1-2ubuntu1) feisty; urgency=low
* Merge from debian unstable, remaining changes:
- debian/control: Drop unnecessary build dependency 'gnulib'.
libgd2 (2.0.34~rc1-2) unstable; urgency=high
* Use CDBS-calculated DEB_UPSTREAM_VERSION for package dependencies
(and locally-calculated version string only for soname). Fixes
unsatisfiable dependenices with the current odd version number and
thus closes: bug#409213 (thanks to Aaron M. Ucko).
* Move inclusion of copyright-check cdbs snippet below cleanup, to
avoid possible FTBFS.
* Invoke ldconfig in postinst/postrm.
libgd2 (2.0.34~rc1-1) unstable; urgency=high
* New upstream prerelease.
* Drop all patches. Bugfixing patches are all either adopted or
differently implemented upstream now, and the only feature patch to
improve anti-aliasing is recommended by upstream to be avoided for
now (will be included in later releases of GD).
* Drop pthreads workaround. Upstream now properly handles this.
* Avoid fallback build-dependencies on xlibs-dev, thanks to lintian.
Avoid *-dev package dependencies too, and tighten build-dependency
on d-shlibs to versions supporting the neat new runtime override
feature of d-devlibdeps used for this.
* Drop duplicate build-dependency on autotools-dev, thanks to lintian.
* Bump up standards-version to 3.7.2.
* Update debian/copyright and long descriptions with new upstream
author and new upstream URLs.
* Semi-autoupdate debian/control to have the above take effect:
$ DEB_BUILD_OPTIONS=cdbs-autoupdate fakeroot debian/rules clean
* Update debian/copyright-hints due to the relibtoolization.
* Add new CDBS snippet vcs.mk hinting about the source environment.
* Fix copyright-check CDBS snippet to properly ignore also
CDBS-overridden autotools files.
* Set urgency high, as the older pathced code is known to contain
several bugs fixed in current upstream code. Work is ongoing about
resolving if any of those bugs have known security issues with an
official CVE.
libgd2 (2.0.33-6) unstable; urgency=high
* Acknowledge NMUs. Closes: bug#384838, #383747. Thanks to Paul and
MartÃn Ferrari, and to Andreas Barth and Steinar H. Gunderson for
watching my back.
* Update local cdbs snippets (and add debian/README.cdbs-tweaks to
source, documenting their purpose), fixing a FTBFS. Closes:
bug#396174, thanks to Martin Pitt.
* Semi-autoupdate debian/control to have the above take effect:
$ DEB_BUILD_OPTIONS=cdbs-autoupdate fakeroot debian/rules clean
* Add patch 1009 to fix segfaults due to lack of boundary checks for
anti-aliasing. Closes: bug#404774, thanks (again!) to Paul.
* Set urgency=high as the above is important to include with etch.
-- Kees Cook <email address hidden> Tue, 6 Feb 2007 21:15:32 -0800
-
libgd2 (2.0.33-5.2ubuntu1) feisty; urgency=low
* Merge from debian unstable, remaining changes:
- debian/control: Drop unnecessary build dependency 'gnulib'.
- debian/rules: Don't use copyright-check.mk, it breaks cleaning.
libgd2 (2.0.33-5.2) unstable; urgency=high
* Non-maintainer upload.
* remove 1006_western_european_fonts.patch, as this breaks (at least)
two different packages, and creates issues for people with central
european encoding. It is also an unnecessary derivation from upstream.
Closes: #383747
-- Martin Pitt <email address hidden> Tue, 19 Dec 2006 16:14:39 +0100
-
libgd2 (2.0.33-5.1ubuntu1) feisty; urgency=low
* Synchronize to Debian, remaining Ubuntu changes:
- debian/control: Drop unnecessary build dependency 'gnulib'.
- debian/rules: Don't use copyright-check.mk, it breaks cleaning.
libgd2 (2.0.33-5.1) unstable; urgency=medium
* Non-maintainer upload.
* 1008_segfault_invalid_gif.patch: New patch, adapted by Stefan Fritsch;
fixes segfault (and possible security issue) when reading some forms
of corrupted GIFs. (Closes: #384838)
libgd2 (2.0.33-5) unstable; urgency=low
* Merge patch 1002 with different approach from ubuntu, and rename as
1002_CVE-2006-2906 now that the bug (infinite loop in GIF code) has
an official name. Closes: bug#372912 (thanks to Alec Berryman
<email address hidden> for reporting, and to Martin Pitt
<email address hidden> for providing a patch).
* Add patch to switch to western european fonts (ISO8859-1/ISO8859-15)
instead of the current eastern european (ISO8859-2).
* Add --without-xpm option to configure when compiling -noxpm variant.
Closes: bug#370572 (thanks to Omniflux <email address hidden>).
* Indent Homepage string in long descriptions.
* Add patch 1007 to avoid advertising external libraries in
gdlib-config script (advertise them in new --static-libs instead).
Closes: bug#375806 (thanks to Samuel Thibault
<email address hidden>).
-- Martin Pitt <email address hidden> Mon, 30 Oct 2006 11:18:06 +0100
-
libgd2 (2.0.33-4ubuntu2) edgy; urgency=low
* SECURITY UPDATE: DoS due to infinite loop.
* Add debian/patches/1006_infinite_loop.patch:
- Cut off loops in GIF reading functions after 1024 iterations to prevent
infinite loops.
- Patch provided from upstream (Xavier Roche).
- CVE-2006-2906
-- Martin Pitt <email address hidden> Wed, 11 Oct 2006 14:46:59 +0200
