=========================================================== Ubuntu Security Notice USN-473-1 June 11, 2007 libgd2 vulnerabilities CVE-2007-0455, CVE-2007-2756 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libgd2-noxpm 2.0.33-2ubuntu5.2 libgd2-xpm 2.0.33-2ubuntu5.2 Ubuntu 6.10: libgd2-noxpm 2.0.33-4ubuntu2.1 libgd2-xpm 2.0.33-4ubuntu2.1 Ubuntu 7.04: libgd2-noxpm 2.0.34~rc1-2ubuntu1.1 libgd2-xpm 2.0.34~rc1-2ubuntu1.1 After a standard system upgrade you need to reboot your computer to effect the necessary changes. Details follow: A buffer overflow was discovered in libgd2's font renderer. By tricking an application using libgd2 into rendering a specially crafted string with a JIS encoded font, a remote attacker could read heap memory or crash the application, leading to a denial of service. (CVE-2007-0455) Xavier Roche discovered that libgd2 did not correctly validate PNG callback results. If an application were tricked into processing a specially crafted PNG image, it would monopolize CPU resources. Since libgd2 is often used in PHP and Perl web applications, this could lead to a remote denial of service. (CVE-2007-2756)