==========================================================================
Ubuntu Security Notice USN-2987-1
May 31, 2016

libgd2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS
– Ubuntu 15.10
– Ubuntu 14.04 LTS
– Ubuntu 12.04 LTS

Summary:

The GD library could be made to crash or run programs if it processed a
specially crafted image file.

Software Description:
– libgd2: GD Graphics Library

Details:

It was discovered that the GD library incorrectly handled certain color
tables in XPM images. If a user or automated system were tricked into
processing a specially crafted XPM image, an attacker could cause a denial
of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-2497)

It was discovered that the GD library incorrectly handled certain malformed
GIF images. If a user or automated system were tricked into processing a
specially crafted GIF image, an attacker could cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9709)

It was discovered that the GD library incorrectly handled memory when using
gdImageFillToBorder(). A remote attacker could possibly use this issue to
cause a denial of service. (CVE-2015-8874)

It was discovered that the GD library incorrectly handled memory when using
gdImageScaleTwoPass(). A remote attacker could possibly use this issue to
cause a denial of service. This issue only applied to Ubuntu 14.04 LTS,
Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2015-8877)

Hans Jerry Illikainen discovered that the GD library incorrectly handled
certain malformed GD images. If a user or automated system were tricked
into processing a specially crafted GD image, an attacker could cause a
denial of service or possibly execute arbitrary code. (CVE-2016-3074)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libgd3 2.1.1-4ubuntu0.16.04.1

Ubuntu 15.10:
libgd3 2.1.1-4ubuntu0.15.10.1

Ubuntu 14.04 LTS:
libgd3 2.1.0-3ubuntu0.1

Ubuntu 12.04 LTS:
libgd2-noxpm 2.0.36~rc1~dfsg-6ubuntu2.1
libgd2-xpm 2.0.36~rc1~dfsg-6ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2987-1
CVE-2014-2497, CVE-2014-9709, CVE-2015-8874, CVE-2015-8877,
CVE-2016-3074

Package Information:
https://launchpad.net/ubuntu/+source/libgd2/2.1.1-4ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/libgd2/2.1.1-4ubuntu0.15.10.1
https://launchpad.net/ubuntu/+source/libgd2/2.1.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libgd2/2.0.36~rc1~dfsg-6ubuntu2.1

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iQIcBAEBCgAGBQJXTbWCAAoJEGVp2FWnRL6TXd8P/01TM1s+kG/Bs4MHWR03K5uy
BqvG84osWhM0eTXjTUmAbXz5DeqbPfnxZ4ujWjJHs3d38uiCFy1+XikgBND6+VMt
mxk93vygP5t6BZqs+1d915tH4Yiax9LCLrrUvJIHIs8b2Zd55pnQTrsrxvbddtAz
v8KaMpFqFfZ8LTsqKA5r3Oa4hG42VD9TQ45vYC5hKG688aMarqHeRixLxMsdubk9
DzUiFmXOc/aHDEaCCVBFErqxhGlz8/uh7/cC687IgT7+JSA3fa6dnF7jSV7jakbJ
HouRaITPLcp4OO8TlCCC0L1nelUaK8SwybcTvnA+2CIe+QWEgaobVqG48vDSnuFJ
/0JGWUMWROVrsN1rpdBEN2bCR6TCMl0QioqcpW+LJ7OB/Z4GZRh3rLfuUXPHc4R2
nVjlAV3T7UM38VySRulkcZ7o6uqxmVb96uBKzDrM51T7kdQebUW/I0ZpFF+Ixdef
fmJocXwmhBfuMAuK/tt08lJcgvvqXFkwfHNnbK8Hf0tOMQ+/bH1B1viduQJhCPE8
ucsQ9/35peD1q1TzMrp7fE3/xqOGCSAbN3wpdKpbTLQjfHYlSJgIPXkWDymhqsWf
9Pn40gB/5JxJGc++bay74nr3/zTXypSG6DRAZaG1aLJFQvnG2NL4I97WJovKQPeR
MVZq+v/QGRhJD4NIY15R
=nH9U
—–END PGP SIGNATURE—–
—