CVE-2007-0455 - Classic Buffer Overflow vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-473-1.NASL
    description: A buffer overflow was discovered in libgd2
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28074
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/28074
    title: Ubuntu 6.06 LTS / 6.10 / 7.04 : libgd2 vulnerabilities (USN-473-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-473-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(28074);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2007-0455", "CVE-2007-2756");
      script_xref(name:"USN", value:"473-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 : libgd2 vulnerabilities (USN-473-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A buffer overflow was discovered in libgd2's font renderer. By
    tricking an application using libgd2 into rendering a specially
    crafted string with a JIS encoded font, a remote attacker could read
    heap memory or crash the application, leading to a denial of service.
    (CVE-2007-0455)
    
    Xavier Roche discovered that libgd2 did not correctly validate PNG
    callback results. If an application were tricked into processing a
    specially crafted PNG image, it would monopolize CPU resources. Since
    libgd2 is often used in PHP and Perl web applications, this could lead
    to a remote denial of service. (CVE-2007-2756).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/473-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd2-noxpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd2-noxpm-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd2-xpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgd2-xpm-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|6\.10|7\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"libgd-tools", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libgd2", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libgd2-dev", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libgd2-noxpm", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libgd2-noxpm-dev", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libgd2-xpm", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libgd2-xpm-dev", pkgver:"2.0.33-2ubuntu5.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libgd-tools", pkgver:"2.0.33-4ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libgd2-noxpm", pkgver:"2.0.33-4ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libgd2-noxpm-dev", pkgver:"2.0.33-4ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libgd2-xpm", pkgver:"2.0.33-4ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libgd2-xpm-dev", pkgver:"2.0.33-4ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libgd-tools", pkgver:"2.0.34~rc1-2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libgd2-noxpm", pkgver:"2.0.34~rc1-2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libgd2-noxpm-dev", pkgver:"2.0.34~rc1-2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libgd2-xpm", pkgver:"2.0.34~rc1-2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libgd2-xpm-dev", pkgver:"2.0.34~rc1-2ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libgd-tools / libgd2 / libgd2-dev / libgd2-noxpm / libgd2-noxpm-dev / etc");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2007-0153.NASL
    description: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25095
    published: 2007-04-30
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25095
    title: CentOS 5 : php (CESA-2007:0153)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-038.NASL
    description: PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24651
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24651
    title: Mandrake Linux Security Advisory : php (MDKSA-2007:038)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2007-0155.NASL
    description: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25043
    published: 2007-04-19
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25043
    title: CentOS 3 / 4 : php (CESA-2007:0155)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-604.NASL
    description: It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application. (CVE-2015-0848, CVE-2015-4588) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application. (CVE-2015-4696) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash. (CVE-2015-4695) The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. (CVE-2007-2756) Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. (CVE-2007-0455) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. (CVE-2009-3546) Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3472) The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86635
    published: 2015-10-29
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/86635
    title: Amazon Linux AMI : libwmf (ALAS-2015-604)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-455.NASL
    description: This update fixes a number of security issues in PHP. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A flaw was discovered in the way PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25101
    published: 2007-04-30
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25101
    title: Fedora Core 5 : php-5.1.6-1.5 (2007-455)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2018-120-01.NASL
    description: New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109432
    published: 2018-05-01
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109432
    title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-036.NASL
    description: Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Libwmf uses an embedded copy of the gd source and may also be affected by this issue. Packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24649
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24649
    title: Mandrake Linux Security Advisory : libwmf (MDKSA-2007:036)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2008-0146.NASL
    description: From Red Hat Security Advisory 2008:0146 : Updated gd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67657
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67657
    title: Oracle Linux 4 / 5 : gd (ELSA-2008-0146)
  • NASL family: CGI abuses
    NASL id: PHP_4_4_7_OR_5_2_2.NASL
    description: According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25159
    published: 2007-05-04
    reporter: This script is Copyright (C) 2007-2018 Westpoint Limited.
    source: https://www.tenable.com/plugins/nessus/25159
    title: PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2007-0155.NASL
    description: From Red Hat Security Advisory 2007:0155 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67471
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67471
    title: Oracle Linux 3 / 4 : php (ELSA-2007-0155)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1936.NASL
    description: Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0455 Kees Cook discovered a buffer overflow in libgd2
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44801
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44801
    title: Debian DSA-1936-1 : libgd2 - several vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-19022.NASL
    description: - Mon Dec 6 2010 Caolan McNamara <caolanm at redhat.com> - 0.2.8.4-22 - Resolves: rhbz#660161 security issues Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51414
    published: 2011-01-05
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/51414
    title: Fedora 13 : libwmf-0.2.8.4-22.fc13 (2010-19022)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-149.NASL
    description: - Mon Jan 29 2007 Ivana Varekova <varekova at redhat.com> - 2.0.33-10 - Resolves: #224610 CVE-2007-0455 gd buffer overrun Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24324
    published: 2007-02-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24324
    title: Fedora Core 6 : gd-2.0.33-10.fc6 (2007-149)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2008-0146.NASL
    description: Updated gd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31310
    published: 2008-02-29
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31310
    title: CentOS 4 / 5 : gd (CESA-2008:0146)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20080228_GD_ON_SL4_X.NASL
    description: Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60367
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60367
    title: Scientific Linux Security Update : gd on SL4.x, SL5.x i386/x86_64
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-035.NASL
    description: Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24648
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24648
    title: Mandrake Linux Security Advisory : gd (MDKSA-2007:035)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_CA139C7F2A8C11E5A4A5002590263BF5.NASL
    description: Mitre reports : Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image. meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WMF file. Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) via a crafted WMF file to the (1) wmf2gd or (2) wmf2eps command. Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84782
    published: 2015-07-16
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84782
    title: FreeBSD : libwmf -- multiple vulnerabilities (ca139c7f-2a8c-11e5-a4a5-002590263bf5)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0146.NASL
    description: Updated gd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31306
    published: 2008-02-28
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31306
    title: RHEL 4 / 5 : gd (RHSA-2008:0146)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-19033.NASL
    description: - Mon Dec 6 2010 Caolan McNamara <caolanm at redhat.com> - 0.2.8.4-27 - Resolves: rhbz#660161 security issues Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51415
    published: 2011-01-05
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/51415
    title: Fedora 14 : libwmf-0.2.8.4-27.fc14 (2010-19033)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0153.NASL
    description: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25325
    published: 2007-05-25
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25325
    title: RHEL 5 : php (RHSA-2007:0153)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-415.NASL
    description: This update fixes a number of security issues in PHP. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A flaw was discovered in the way PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25046
    published: 2007-04-19
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25046
    title: Fedora Core 6 : php-5.1.6-3.5.fc6 (2007-415)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0155.NASL
    description: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25068
    published: 2007-04-19
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25068
    title: RHEL 3 / 4 : php (RHSA-2007:0155)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-109.NASL
    description: Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Tetex 3.x uses an embedded copy of the gd source and may also be affected by this issue (CVE-2007-0455). A buffer overflow in the open_sty function for makeindex in Tetex could allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename (CVE-2007-0650). The updated packages have been patched to prevent these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25311
    published: 2007-05-25
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25311
    title: Mandrake Linux Security Advisory : tetex (MDKSA-2007:109)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-150.NASL
    description: - Mon Jan 29 2007 Ivana Varekova <varekova at redhat.com> - 2.0.33-7 - Resolves: #224610 CVE-2007-0455 gd buffer overrun Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24325
    published: 2007-02-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24325
    title: Fedora Core 5 : gd-2.0.33-7.fc5 (2007-150)
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL7859.NASL
    description: The remote BIG-IP device is missing a patch required by a security advisory.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78215
    published: 2014-10-10
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78215
    title: F5 Networks BIG-IP : Multiple PHP vulnerabilities (SOL7859)
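The NVD text repeated in the Mandriva and OVAL entries calls CVE-2007-0455 a buffer overflow in gdImageStringFTEx, while Red Hat's RHSA-2008:0146 text describes it as a buffer over-read when rendering strings with a JIS-encoded font. The program below is an added illustration of that bug class, not gd's gdft.c and not code from any of the advisories: a hypothetical two-byte decoder (lead bytes 0xA1..0xFE, as in EUC-JP) that trusts the lead byte and steps over the NUL terminator when the string ends in a lone lead byte, placed beside a variant that stops on a truncated sequence. The byte values, the sentinel bytes after the terminator and the function names are all constructed for the demo; in real code the bytes past the terminator would be whatever follows the allocation, which is what makes the walk a crash or an information leak.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the CVE-2007-0455 bug class (not gd's gdft.c):
 * bytes 0xA1..0xFE are assumed to start a two-byte sequence, as in EUC-JP. */
static int is_lead_byte(unsigned char c)
{
    return c >= 0xA1 && c <= 0xFE;
}

/* Vulnerable variant: trusts the lead byte and always consumes two bytes.
 * If the lead byte is the last byte before the NUL terminator, the terminator
 * is eaten as the trail byte and the loop keeps reading past the end of the
 * string (a buffer over-read). Returns the number of bytes consumed. */
size_t decode_unchecked(const unsigned char *s)
{
    const unsigned char *p = s;
    while (*p) {
        if (is_lead_byte(*p))
            p += 2;             /* BUG: p[1] may be the terminator */
        else
            p += 1;
    }
    return (size_t)(p - s);
}

/* Hardened variant: a lead byte with no trail byte ends the string. */
size_t decode_checked(const unsigned char *s)
{
    const unsigned char *p = s;
    while (*p) {
        if (is_lead_byte(*p)) {
            if (p[1] == 0)
                break;          /* truncated sequence: stop, never step over NUL */
            p += 2;
        } else {
            p += 1;
        }
    }
    return (size_t)(p - s);
}

/* Constructed input: "ab" plus a lone lead byte, then the terminator.
 * The five bytes after it stand in for whatever happens to follow the
 * allocation; the final NUL keeps this demo inside its own array. */
static const unsigned char lone_lead[] = {
    'a', 'b', 0xB0, 0x00,
    'J', 'U', 'N', 'K', '!', 0x00
};

/* Constructed input with a complete two-byte sequence followed by 'x'. */
static const unsigned char valid_pair[] = { 0xB0, 0xA1, 'x', 0x00 };

size_t demo_unchecked_consumed(void)   { return decode_unchecked(lone_lead); }
size_t demo_checked_consumed(void)     { return decode_checked(lone_lead); }
size_t demo_valid_pair_unchecked(void) { return decode_unchecked(valid_pair); }
size_t demo_valid_pair_checked(void)   { return decode_checked(valid_pair); }

int main(void)
{
    size_t len = strlen((const char *)lone_lead);   /* 3 */
    size_t unchecked = demo_unchecked_consumed();   /* 9 */
    size_t checked = demo_checked_consumed();       /* 2 */

    printf("string length: %zu\n", len);
    printf("unchecked decoder consumed %zu bytes (%zu past the terminator)\n",
           unchecked, unchecked - len - 1);
    printf("checked decoder consumed %zu bytes\n", checked);
    printf("complete pair: unchecked %zu, checked %zu\n",
           demo_valid_pair_unchecked(), demo_valid_pair_checked());
    return 0;
}
```

On the lone-lead input the unchecked decoder runs through all five sentinel bytes before it finds another NUL; the checked decoder stops at the truncated sequence, so both variants agree only when every multibyte sequence is complete. Any real-world fix has to do the trail-byte check in the same loop that advances the pointer, since the check cannot be made from outside once the conversion routine has been handed a plain NUL-terminated string.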

Oval

accepted: 2013-04-29T04:13:05.695-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
family: unix
id: oval:org.mitre.oval:def:11303
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
version: 27

Redhat

advisories
  • rhsa
    id: RHSA-2007:0153
  • rhsa
    id: RHSA-2007:0155
  • rhsa
    id: RHSA-2007:0162
  • rhsa
    id: RHSA-2008:0146
rpms
  • php-0:5.1.6-11.el5
  • php-bcmath-0:5.1.6-11.el5
  • php-cli-0:5.1.6-11.el5
  • php-common-0:5.1.6-11.el5
  • php-dba-0:5.1.6-11.el5
  • php-debuginfo-0:5.1.6-11.el5
  • php-devel-0:5.1.6-11.el5
  • php-gd-0:5.1.6-11.el5
  • php-imap-0:5.1.6-11.el5
  • php-ldap-0:5.1.6-11.el5
  • php-mbstring-0:5.1.6-11.el5
  • php-mysql-0:5.1.6-11.el5
  • php-ncurses-0:5.1.6-11.el5
  • php-odbc-0:5.1.6-11.el5
  • php-pdo-0:5.1.6-11.el5
  • php-pgsql-0:5.1.6-11.el5
  • php-snmp-0:5.1.6-11.el5
  • php-soap-0:5.1.6-11.el5
  • php-xml-0:5.1.6-11.el5
  • php-xmlrpc-0:5.1.6-11.el5
  • php-0:4.3.2-40.ent
  • php-0:4.3.9-3.22.4
  • php-debuginfo-0:4.3.2-40.ent
  • php-debuginfo-0:4.3.9-3.22.4
  • php-devel-0:4.3.2-40.ent
  • php-devel-0:4.3.9-3.22.4
  • php-domxml-0:4.3.9-3.22.4
  • php-gd-0:4.3.9-3.22.4
  • php-imap-0:4.3.2-40.ent
  • php-imap-0:4.3.9-3.22.4
  • php-ldap-0:4.3.2-40.ent
  • php-ldap-0:4.3.9-3.22.4
  • php-mbstring-0:4.3.9-3.22.4
  • php-mysql-0:4.3.2-40.ent
  • php-mysql-0:4.3.9-3.22.4
  • php-ncurses-0:4.3.9-3.22.4
  • php-odbc-0:4.3.2-40.ent
  • php-odbc-0:4.3.9-3.22.4
  • php-pear-0:4.3.9-3.22.4
  • php-pgsql-0:4.3.2-40.ent
  • php-pgsql-0:4.3.9-3.22.4
  • php-snmp-0:4.3.9-3.22.4
  • php-xmlrpc-0:4.3.9-3.22.4
  • php-0:5.1.6-3.el4s1.6
  • php-bcmath-0:5.1.6-3.el4s1.6
  • php-cli-0:5.1.6-3.el4s1.6
  • php-common-0:5.1.6-3.el4s1.6
  • php-dba-0:5.1.6-3.el4s1.6
  • php-debuginfo-0:5.1.6-3.el4s1.6
  • php-devel-0:5.1.6-3.el4s1.6
  • php-gd-0:5.1.6-3.el4s1.6
  • php-imap-0:5.1.6-3.el4s1.6
  • php-ldap-0:5.1.6-3.el4s1.6
  • php-mbstring-0:5.1.6-3.el4s1.6
  • php-mysql-0:5.1.6-3.el4s1.6
  • php-ncurses-0:5.1.6-3.el4s1.6
  • php-odbc-0:5.1.6-3.el4s1.6
  • php-pdo-0:5.1.6-3.el4s1.6
  • php-pgsql-0:5.1.6-3.el4s1.6
  • php-snmp-0:5.1.6-3.el4s1.6
  • php-soap-0:5.1.6-3.el4s1.6
  • php-xml-0:5.1.6-3.el4s1.6
  • php-xmlrpc-0:5.1.6-3.el4s1.6
  • gd-0:2.0.28-5.4E.el4_6.1
  • gd-0:2.0.33-9.4.el5_1.1
  • gd-debuginfo-0:2.0.28-5.4E.el4_6.1
  • gd-debuginfo-0:2.0.33-9.4.el5_1.1
  • gd-devel-0:2.0.28-5.4E.el4_6.1
  • gd-devel-0:2.0.33-9.4.el5_1.1
  • gd-progs-0:2.0.28-5.4E.el4_6.1
  • gd-progs-0:2.0.33-9.4.el5_1.1

Statements

contributor: Mark J Cox
lastmodified: 2007-05-14
organization: Red Hat
statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234312 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

References