Vulnerabilities > CVE-2009-3546 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

libgd

php

CWE-119

nessus

NVD

Published: 2009-10-19

Updated: 2023-02-13

Summary

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.

Vulnerable Configurations

Part	Description	Count
Application	Libgd Libgd GD Graphics Library 2.0.34 Libgd GD Graphics Library 2.0.33 Libgd GD Graphics Library 2.0.35 Libgd GD Graphics Library 2.0.36	11
Application	Php PHP PHP 5.2.11 PHP PHP 5.3.0	2

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2010-0495.NASL
description	Update to the latest PHP 5.2 release which focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. See http://www.php.net/releases/5_2_12.php for more details. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	47186
published	2010-07-01
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/47186
title	Fedora 11 : maniadrive-1.2-17.fc11 / php-5.2.12-1.fc11 (2010-0495)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2010-0003.NASL
description	From Red Hat Security Advisory 2010:0003 : Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	67980
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67980
title	Oracle Linux 4 / 5 : gd (ELSA-2010-0003)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201001-03.NASL
description	The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Impact : A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	44892
published	2010-02-25
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/44892
title	GLSA-201001-03 : PHP: Multiple vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_APACHE2-MOD_PHP5-6846.NASL
description	This update of PHP5 fixes : - CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS). (CWE-79). (CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264))
last seen	2020-06-01
modified	2020-06-02
plugin id	44687
published	2010-02-23
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/44687
title	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6846)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2010-0003.NASL
description	Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	43628
published	2010-01-05
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/43628
title	RHEL 4 / 5 : gd (RHSA-2010:0003)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2015-604.NASL
description	It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application. (CVE-2015-0848 , CVE-2015-4588) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application. (CVE-2015-4696) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash. (CVE-2015-4695) The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. (CVE-2007-2756) Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. (CVE-2007-0455) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293 . NOTE: some of these details are obtained from third party information. (CVE-2009-3546) Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3472) The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)
last seen	2020-06-01
modified	2020-06-02
plugin id	86635
published	2015-10-29
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86635
title	Amazon Linux AMI : libwmf (ALAS-2015-604)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-9314.NASL
description	This is an update, that fixes insufficient input validation in _gdGetColors(). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-07-01
plugin id	59800
published	2012-07-01
reporter	This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/59800
title	Fedora 16 : gd-2.0.35-17.fc16 (2012-9314)

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2018-120-01.NASL
description	New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	109432
published	2018-05-01
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109432
title	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20100113_PHP_ON_SL3_X.NASL
description	CVE-2009-2687 php: exif_read_data crash on corrupted JPEG files CVE-2009-3292 php: exif extension: Multiple missing sanity checks in EXIF file processing CVE-2009-3291 php: openssl extension: Incorrect verification of SSL certificate with NUL in name CVE-2009-3546 gd: insufficient input validation in _gdGetColors() CVE-2009-4017 PHP: resource exhaustion attack via upload requests with lots of files CVE-2009-4142 php: htmlspecialchars() insufficient checking of input for multi-byte encodings Multiple missing input sanitization flaws were discovered in PHP
last seen	2020-06-01
modified	2020-06-02
plugin id	60723
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60723
title	Scientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_0_APACHE2-MOD_PHP5-100212.NASL
description	This update of php5 fixes: CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
last seen	2020-06-01
modified	2020-06-02
plugin id	44678
published	2010-02-23
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/44678
title	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-1993)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2009-12017.NASL
description	Update to upstream PHP version 5.3.1 PHP 5.3.1 Release Announcement: http://www.php.net/releases/5_3_1.php Changelog: http://www.php.net/ChangeLog-5.php#5.3.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	43008
published	2009-12-07
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/43008
title	Fedora 12 : maniadrive-1.2-19.fc12 / php-5.3.1-1.fc12 (2009-12017)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201006-16.NASL
description	The remote host is affected by the vulnerability described in GLSA-201006-16 (GD: User-assisted execution of arbitrary code) Tomas Hoger reported that the _gdGetColors() function in gd_gd.c does not properly verify the colorsTotal struct member, possibly leading to a buffer overflow. Impact : A remote attacker could entice a user to open a specially crafted image file with a program using the GD library, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	46805
published	2010-06-04
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/46805
title	GLSA-201006-16 : GD: User-assisted execution of arbitrary code

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1936.NASL
description	Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0455 Kees Cook discovered a buffer overflow in libgd2
last seen	2020-06-01
modified	2020-06-02
plugin id	44801
published	2010-02-24
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/44801
title	Debian DSA-1936-1 : libgd2 - several vulnerabilities

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2009-324.NASL
description	Multiple vulnerabilities was discovered and corrected in php : The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function (CVE-2009-1271). - Fixed upstream bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files) (CVE-2009-2687). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293). However in Mandriva we don
last seen	2020-06-01
modified	2020-06-02
plugin id	43043
published	2009-12-08
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/43043
title	Mandriva Linux Security Advisory : php (MDVSA-2009:324)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20100104_GD_ON_SL4_X.NASL
description	A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546)
last seen	2020-06-01
modified	2020-06-02
plugin id	60714
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60714
title	Scientific Linux Security Update : gd on SL4.x, SL5.x i386/x86_64

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2009-285.NASL
description	Multiple vulnerabilities has been found and corrected in php : The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). Additionally on CS4 a regression was found and fixed when using the gd-bundled.so variant from the php-gd package. This update fixes these vulnerabilities.
last seen	2020-06-01
modified	2020-06-02
plugin id	42199
published	2009-10-22
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/42199
title	Mandriva Linux Security Advisory : php (MDVSA-2009:285)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2010-0040.NASL
description	Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP
last seen	2020-06-01
modified	2020-06-02
plugin id	43878
published	2010-01-14
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/43878
title	CentOS 3 / 4 / 5 : php (CESA-2010:0040)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_CA139C7F2A8C11E5A4A5002590263BF5.NASL
description	Mitre reports : Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image. meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WMF file. Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) via a crafted WMF file to the (1) wmf2gd or (2) wmf2eps command. Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted
last seen	2020-06-01
modified	2020-06-02
plugin id	84782
published	2015-07-16
reporter	This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/84782
title	FreeBSD : libwmf -- multiple vulnerabilities (ca139c7f-2a8c-11e5-a4a5-002590263bf5)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2010-0003.NASL
description	Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	43625
published	2010-01-05
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/43625
title	CentOS 4 / 5 : gd (CESA-2010:0003)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2010-0040.NASL
description	From Red Hat Security Advisory 2010:0040 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP
last seen	2020-06-01
modified	2020-06-02
plugin id	67986
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67986
title	Oracle Linux 3 / 4 / 5 : php (ELSA-2010-0040)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2010-0040.NASL
description	Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP
last seen	2020-06-01
modified	2020-06-02
plugin id	43883
published	2010-01-14
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/43883
title	RHEL 3 / 4 / 5 : php (RHSA-2010:0040)

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_1_APACHE2-MOD_PHP5-100212.NASL
description	This update of php5 fixes: CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
last seen	2020-06-01
modified	2020-06-02
plugin id	44680
published	2010-02-23
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/44680
title	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-1993)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-854-1.NASL
description	Tomas Hoger discovered that the GD library did not properly handle the number of colors in certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code. (CVE-2009-3546) It was discovered that the GD library did not properly handle incorrect color indexes. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-3293) It was discovered that the GD library did not properly handle certain malformed GIF images. If a user or automated system were tricked into processing a specially crafted GIF image, an attacker could cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3475, CVE-2007-3476) It was discovered that the GD library did not properly handle large angle degree values. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3477). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	42407
published	2009-11-06
reporter	Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/42407
title	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : libgd2 vulnerabilities (USN-854-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_2_APACHE2-MOD_PHP5-100215.NASL
description	This update of php5 fixes: CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
last seen	2020-06-01
modified	2020-06-02
plugin id	44683
published	2010-02-23
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/44683
title	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-1993)

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_APACHE2-MOD_PHP5-100212.NASL
description	This update of PHP5 fixes : - CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) : Permissions, Privileges, and Access Control (CWE-264) - CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) : Permissions, Privileges, and Access Control (CWE-264) - Cross-Site Scripting (XSS). (CWE-79). (CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N)) - CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P) : Other (CWE-Other) - CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) : Input Validation (CWE-20) - CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P) : Other (CWE-Other) - CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P) : Other (CWE-Other) - Cross-Site Scripting (XSS) (CWE-79). (CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N))
last seen	2020-06-01
modified	2020-06-02
plugin id	44686
published	2010-02-23
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/44686
title	SuSE 11 Security Update : PHP5 (SAT Patch Number 1978)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_4E8344A3CA5211DE8EE800215C6A37BB.NASL
description	CVE reports : The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293.
last seen	2020-06-01
modified	2020-06-02
plugin id	42428
published	2009-11-09
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/42428
title	FreeBSD : gd -- '_gdGetColors' remote buffer overflow vulnerability (4e8344a3-ca52-11de-8ee8-00215c6a37bb)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-9298.NASL
description	This is an update, that fixes insufficient input validation in _gdGetColors(). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-07-01
plugin id	59799
published	2012-07-01
reporter	This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/59799
title	Fedora 17 : gd-2.0.35-17.fc17 (2012-9298)

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2009-284.NASL
description	A vulnerability has been found and corrected in gd : The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). This update fixes this vulnerability. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
last seen	2020-06-01
modified	2020-06-02
plugin id	42198
published	2009-10-22
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/42198
title	Mandriva Linux Security Advisory : gd (MDVSA-2009:284-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_APACHE2-MOD_PHP5-6847.NASL
description	This update of PHP5 fixes : - CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS). (CWE-79). (CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264))
last seen	2020-06-01
modified	2020-06-02
plugin id	49829
published	2010-10-11
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/49829
title	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6847)

Oval

accepted

2013-04-29T04:12:16.577-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:11199

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

bugzilla

id	529213
title	CVE-2009-3546 gd: insufficient input validation in _gdGetColors()

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment gd-devel is earlier than 0:2.0.28-5.4E.el4_8.1
oval oval:com.redhat.rhsa:tst:20100003001
comment gd-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060194004
AND
comment gd-progs is earlier than 0:2.0.28-5.4E.el4_8.1
oval oval:com.redhat.rhsa:tst:20100003003
comment gd-progs is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060194002
AND
comment gd is earlier than 0:2.0.28-5.4E.el4_8.1
oval oval:com.redhat.rhsa:tst:20100003005
comment gd is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060194006

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment gd-devel is earlier than 0:2.0.33-9.4.el5_4.2
oval oval:com.redhat.rhsa:tst:20100003008
comment gd-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080146013
AND
comment gd is earlier than 0:2.0.33-9.4.el5_4.2
oval oval:com.redhat.rhsa:tst:20100003010
comment gd is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080146009
AND
comment gd-progs is earlier than 0:2.0.33-9.4.el5_4.2
oval oval:com.redhat.rhsa:tst:20100003012
comment gd-progs is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080146011

rhsa

id	RHSA-2010:0003
released	2010-01-04
severity	Moderate
title	RHSA-2010:0003: gd security update (Moderate)

rpms

gd-0:2.0.28-5.4E.el4_8.1
gd-0:2.0.33-9.4.el5_4.2
gd-debuginfo-0:2.0.28-5.4E.el4_8.1
gd-debuginfo-0:2.0.33-9.4.el5_4.2
gd-devel-0:2.0.28-5.4E.el4_8.1
gd-devel-0:2.0.33-9.4.el5_4.2
gd-progs-0:2.0.28-5.4E.el4_8.1
gd-progs-0:2.0.33-9.4.el5_4.2
php-0:4.3.2-54.ent
php-0:4.3.9-3.29
php-0:5.1.6-24.el5_4.5
php-bcmath-0:5.1.6-24.el5_4.5
php-cli-0:5.1.6-24.el5_4.5
php-common-0:5.1.6-24.el5_4.5
php-dba-0:5.1.6-24.el5_4.5
php-debuginfo-0:4.3.2-54.ent
php-debuginfo-0:4.3.9-3.29
php-debuginfo-0:5.1.6-24.el5_4.5
php-devel-0:4.3.2-54.ent
php-devel-0:4.3.9-3.29
php-devel-0:5.1.6-24.el5_4.5
php-domxml-0:4.3.9-3.29
php-gd-0:4.3.9-3.29
php-gd-0:5.1.6-24.el5_4.5
php-imap-0:4.3.2-54.ent
php-imap-0:4.3.9-3.29
php-imap-0:5.1.6-24.el5_4.5
php-ldap-0:4.3.2-54.ent
php-ldap-0:4.3.9-3.29
php-ldap-0:5.1.6-24.el5_4.5
php-mbstring-0:4.3.9-3.29
php-mbstring-0:5.1.6-24.el5_4.5
php-mysql-0:4.3.2-54.ent
php-mysql-0:4.3.9-3.29
php-mysql-0:5.1.6-24.el5_4.5
php-ncurses-0:4.3.9-3.29
php-ncurses-0:5.1.6-24.el5_4.5
php-odbc-0:4.3.2-54.ent
php-odbc-0:4.3.9-3.29
php-odbc-0:5.1.6-24.el5_4.5
php-pdo-0:5.1.6-24.el5_4.5
php-pear-0:4.3.9-3.29
php-pgsql-0:4.3.2-54.ent
php-pgsql-0:4.3.9-3.29
php-pgsql-0:5.1.6-24.el5_4.5
php-snmp-0:4.3.9-3.29
php-snmp-0:5.1.6-24.el5_4.5
php-soap-0:5.1.6-24.el5_4.5
php-xml-0:5.1.6-24.el5_4.5
php-xmlrpc-0:4.3.9-3.29
php-xmlrpc-0:5.1.6-24.el5_4.5

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Oval

Redhat

References