[ANNOUNCEMENT] Updated: gd-2.0.34-1/libgd2-2.0.34-1/libgd-devel-2.0.34-1

Dr. Volker Zell dr.volker.zell@oracle.com
Fri Apr 6 12:25:00 GMT 2007


A new version of 'gd/libgd2/libgd-devel' has been uploaded to a server near you.

A graphics library for fast image creation.


* Update to latest upstream release.

* Cygwin specific patch (shared library support) applied upstream.

* Changed to cygport build framework.


This is the first release after moving the GD project to its new home: http://www.libgd.org

This release introduces a number of bug and security fixes. Upgrading is strongly recommended.

The most notable fixes are:

 * 32-bit multiplication overflow vulnerabilities along with a number of similar issues. These bugs come into play only when attempting to use images with extremely large dimensions.
 * Memory allocation errors that were not checked. This bug occurred when attempting to allocate an image larger than the available memory. The relevant function now fails gracefully.
 * Multiple issues in the GIF loader. Corrupt GIF images would cause a segfault or infinite loop.
 * Malformed or empty PNG images may also have caused segfaults.
 * gdImageFillToBorder segfaulted when the color was not opaque (alpha > 0).
 * Antialiased lines drawn on an image's edge caused a segfault. This bug occurred when a line started or ended near the bounds of the image.
 * gdImageFill segfaulted when used with patterns or invalid arguments.
 * gdImageFilledEllipse did not respect transparency. 

Detailed news:
 * Initialize variables in tweenColorTest, fix cache
 * gdImageFill, multiple segfaults with patterns or invalid arguments
 * gdImageRectangle draws corners twice
 * GIF Output does use the transparent color with truecolor images
 * Multiple security issues in GIF loader
 * gdImageCopy doesn't use the alpha channel
 * Add autogen and misc configure/makefile (Lars Hecking)
 * gdImageFilledEllipse does not respect transparency
 * gdImageCreateFromPng*  crashes with empty file
 * gdImageCreateFromPngCtx, initialize the signature buffer not the
 * leak in jinit_2pass_quantizer (gd_topal.c)
 * Added sanity checks for possible memory allocation errors
 * gdImageCreatePaletteFromTrueColor, later color allocations overwrite
   the palette colors (Rob Leslie)
 * Obscure error on Sun's compiler in entities.tcl
   (John Ellson/Graphviz)
 * gdImageCreate, invalid gdFree call when overflow2 fails
 * HWB_Diff, invalid usage of abs instead of fabs
   (Nick Atty)
 * Fixed gdImageCopyMergeGray when used with a true color image
   transparency preservation in gdImageCopyRotated
 * Out of range checks in gdImageSetAAPixelColor
 * gdFontCacheSetup does not stop on error
 * Errors when gdImageStringFTEx is called with an empty string
   (Kevin Scaldeferri)
 * gdft.c, uninitialized variable "charmap" and avoid divide-by-zero
   (John Ellson/Graphviz)
 * DISABLE_THREADS to permit disabling of thread support
   (John Ellson/Graphviz)
 * dynamicGetbuf, sourceGetbuf must return 0 for errors and EOF
 * gdSeek declaration is wrong
 * Windows native makefile (Edin Kadribašić)
 * restores the ability to recognize and handle a font with
   Adobe-specific character encoding. Added gdFTEX_Adobe_Custom.
 * Shared library support on cygwin (Dr. Volker Zell)
 * Pattern-fill works incorrectly if tile is created via
   gdImageCreateTruecolor (Ethan Merritt)
 * malformed PNG image crashes  (CRC error)
 * reading some gif images creates infinite loop
 * gdImageFillToBorder crashes when used with alpha
 * possible Buffer overflow in the gdImageStringFTEx function
   in gdft.c (CVE-2007-0455) (Kees Cook)
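
Added example (not part of the original announcement and not libgd's source): a C sketch of the 32-bit multiplication overflow and unchecked-allocation classes of bug listed above, showing how a wrapped size leads to an undersized buffer and how a pre-multiplication check makes the allocator fail gracefully. The names mul_overflows, wrapped_size32 and checked_image_alloc and the sample dimensions are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: returns 1 if a*b is unsafe as a signed int
 * (non-positive operand, or product above INT_MAX), 0 otherwise.
 * The division avoids performing the overflowing multiply itself. */
static int mul_overflows(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;
    return a > INT_MAX / b;
}

/* What an unchecked 32-bit size computation yields: the product is
 * reduced modulo 2^32, so huge dimensions give a small byte count. */
static uint32_t wrapped_size32(uint32_t w, uint32_t h, uint32_t elem)
{
    return w * h * elem;
}

/* Hypothetical allocator for a w x h image of int pixels. Returns NULL
 * (instead of a short buffer) when the byte count cannot be represented
 * or when the allocation itself fails; callers must check for NULL. */
static int *checked_image_alloc(int w, int h)
{
    if (mul_overflows(w, h))
        return NULL;
    if (mul_overflows(w * h, (int)sizeof(int)))
        return NULL;
    return calloc((size_t)w * (size_t)h, sizeof(int));
}

int main(void)
{
    int w = 65536, h = 16385;   /* constructed sample dimensions */
    int *img;

    /* The true size is 2^32 + 2^18 bytes; the 32-bit result keeps 2^18. */
    printf("unchecked 32-bit size: %u bytes\n",
           (unsigned)wrapped_size32((uint32_t)w, (uint32_t)h, 4u));

    img = checked_image_alloc(w, h);
    printf("checked allocation: %s\n", img ? "succeeded" : "refused");
    free(img);
    return 0;
}
```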

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Save it and run setup, answer the questions and pick up
the above mentioned package from the 'Libs' category.

Note that downloads from sources.redhat.com (aka cygwin.com) aren't
allowed due to bandwidth limitations.  This means that you will need
to find a mirror which has this update.

These mirrors already got the package, the others will probably have 
the latest version of this package fairly soon:

In the US


has reliable high bandwidth connections.

If you want to make a point or ask a question the Cygwin mailing
list is the appropriate place.

To unsubscribe to the cygwin-announce mailing list, look at the
"List-Unsubscribe: " tag in the email header of this message.  Send
email to the address specified there.  It will be in the format:



Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
