Debian-LTS has issued an advisory on February 17: https://www.debian.org/lts/security/2020/dla-2106 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
'libgd' has no registered nor evident maintainer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Patch available from upstream
Suggested advisory: ======================== The updated packages fix a security vulnerability: gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. (CVE-2018-14553) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14553 https://www.debian.org/lts/security/2020/dla-2106 ======================== Updated packages in core/updates_testing: ======================== lib(64)gd3-2.2.5-5.1.mga7 lib(64)gd-devel-2.2.5-5.1.mga7 lib(64)gd-static-devel-2.2.5-5.1.mga7 gd-utils-2.2.5-5.1.mga7 from SRPMS: libgd-2.2.5-5.1.mga7.src.rpm
Version: Cauldron => 7CVE: (none) => CVE-2018-14553CC: (none) => nicolas.salgueroWhiteboard: MGA7TOO => (none)Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDSource RPM: libgd-2.2.5-6.mga8.src.rpm => libgd-2.2.5-5.mga7.src.rpm
Status comment: Patch available from upstream => (none)
Mageia7, x86_64 Updated the packages. Referring to tests on bug 23496, carried out some image conversions using gd-utils. $ pngtogd jessica1.png jessica.gd $ file jessica.gd jessica.gd: data $ pngtogd2 jessica1.png jessica.gd2 2048 1 $ file jessica.pd2 jessica.gd2: data $ gd2togif jessica.gd2 jessica.gif $ eom jessica.gif The displayed image looked like the original jessica1.png, with the same dimensions. $ gdtopng jessica.gd jessica2.png $ eom jessica2.png The image matched the original. $ gdparttopng jessica.gd2 extract.png 300 271 600 542 Extracting from (300, 271), size is 600x542 $ eom extract.png The image sample looked as expected. The help is still in error: $ gdparttopng --help Usage: gdparttopng filename.gd filename.png x y w h $ gdparttopng jessica.gd jessica3.png 300 271 600 542 Extracting from (300, 271), size is 600x542 Input is not in GD2 format! Either the command should be renamed to gd2parttopng or the usage string should be edited. A small matter; not enough to block this update.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0098.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED