Vulnerabilities > CVE-2016-6207 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Integer overflow in the _gdContributionsAlloc function in gd_interpolation.c in GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds memory write or memory consumption) via unspecified vectors.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family CGI abuses NASL id PHP_7_0_9.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as last seen 2020-06-01 modified 2020-06-02 plugin id 92556 published 2016-07-26 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92556 title PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(92556); script_version("1.11"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2016-5385", "CVE-2016-5399", "CVE-2016-6207", "CVE-2016-6289", "CVE-2016-6290", "CVE-2016-6291", "CVE-2016-6292", "CVE-2016-6293", "CVE-2016-6294", "CVE-2016-6295", "CVE-2016-6296", "CVE-2016-6297" ); script_bugtraq_id( 91821, 92051, 92073, 92074, 92078, 92094, 92095, 92097, 92099 ); script_xref(name:"CERT", value:"797896"); script_xref(name:"EDB-ID", value:"40155"); script_name(english:"PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The version of PHP running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385) - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399) - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207) - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6289) - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290) - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291) - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292) - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294) - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295) - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6296) - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6297) - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A flaw exists in the curl_unescape() function within file ext/curl/interface.c when handling string lengths. An unauthenticated, remote attacker can exploit this to cause heap corruption, resulting in a denial of service condition. - A heap-based buffer overflow condition exists in the mcrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.9"); script_set_attribute(attribute:"see_also", value:"https://httpoxy.org"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 7.0.9 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6296"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/26"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^7(\.0)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^7\.0\.") audit(AUDIT_NOT_DETECT, "PHP version 7.0.x", port); if (version =~ "^7\.0\." && ver_compare(ver:version, fix:"7.0.9", strict:FALSE) < 0){ security_report_v4( port : port, extra : '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 7.0.9' + '\n', severity:SECURITY_HOLE ); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-203-02.NASL description New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 92499 published 2016-07-22 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92499 title Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-203-02) (httpoxy) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2016-203-02. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(92499); script_version("$Revision: 2.3 $"); script_cvs_date("$Date: 2016/10/24 13:46:12 $"); script_cve_id("CVE-2016-5385", "CVE-2016-6207"); script_xref(name:"SSA", value:"2016-203-02"); script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-203-02) (httpoxy)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.425458 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d89b3856" ); script_set_attribute(attribute:"solution", value:"Update the affected php package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"14.0", pkgname:"php", pkgver:"5.6.24", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.1", pkgname:"php", pkgver:"5.6.24", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.2", pkgname:"php", pkgver:"5.6.24", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"current", pkgname:"php", pkgver:"5.6.24", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"current", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2303-1.NASL description This update for gd fixes the following issues : - CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file [bsc#991436] - CVE-2016-6132: read out-of-bands was found in the parsing of TGA files using libgd [bsc#987577] - CVE-2016-6128: Invalid color index not properly handled [bsc#991710] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991622] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-5116: avoid stack overflow (read) with large names [bsc#982176] - CVE-2016-6905: Out-of-bounds read in function read_image_tga in gd_tga.c [bsc#995034] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93506 published 2016-09-15 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93506 title SUSE SLED12 / SLES12 Security Update : gd (SUSE-SU-2016:2303-1) NASL family CGI abuses NASL id PHP_5_5_38.NASL description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities : - A Segfault condition occurs when accessing nvarchar(max) defined columns. (CVE-2015-8879) - A man-in-the-middle vulnerability exists, known as last seen 2020-06-01 modified 2020-06-02 plugin id 92554 published 2016-07-26 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92554 title PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2408-1.NASL description This update for php5 fixes the following security issues : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530] - CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433] - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-03-24 modified 2019-01-02 plugin id 119979 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119979 title SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3060-1.NASL description It was discovered that the GD library incorrectly handled certain malformed TGA images. If a user or automated system were tricked into processing a specially crafted TGA image, an attacker could cause a denial of service. (CVE-2016-6132, CVE-2016-6214) It was discovered that the GD library incorrectly handled memory when using gdImageScale(). A remote attacker could possibly use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2016-6207). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 92869 published 2016-08-11 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92869 title Ubuntu 14.04 LTS / 16.04 LTS : libgd2 vulnerabilities (USN-3060-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1108.NASL description This update for gd fixes the following issues : - CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file [bsc#991436] - CVE-2016-6132: read out-of-bands was found in the parsing of TGA files using libgd [bsc#987577] - CVE-2016-6128: Invalid color index not properly handled [bsc#991710] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991622] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-5116: avoid stack overflow (read) with large names [bsc#982176] - CVE-2016-6905: Out-of-bounds read in function read_image_tga in gd_tga.c [bsc#995034] This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-09-26 plugin id 93701 published 2016-09-26 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93701 title openSUSE Security Update : gd (openSUSE-2016-1108) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_556D22865A5111E6A6C314DAE9D210B8.NASL description Pierre Joye reports : - fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766) - gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132) - Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207) - fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128) last seen 2020-06-01 modified 2020-06-02 plugin id 92740 published 2016-08-05 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92740 title FreeBSD : gd -- multiple vulnerabilities (556d2286-5a51-11e6-a6c3-14dae9d210b8) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-09.NASL description The remote host is affected by the vulnerability described in GLSA-201612-09 (GD: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GD. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95524 published 2016-12-05 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/95524 title GLSA-201612-09 : GD: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1156.NASL description This update for php5 fixes the following security issues : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530] - CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433] - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-05 modified 2016-10-05 plugin id 93856 published 2016-10-05 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93856 title openSUSE Security Update : php5 (openSUSE-2016-1156) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1003.NASL description This update for gd fixes the following issues : - CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file [bsc#991436] - CVE-2016-6132: read out-of-bands was found in the parsing of TGA files using libgd [bsc#987577] - CVE-2016-6128: Invalid color index not properly handled [bsc#991710] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991622] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] last seen 2020-06-05 modified 2016-08-22 plugin id 93063 published 2016-08-22 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93063 title openSUSE Security Update : gd (openSUSE-2016-1003) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3630.NASL description Secunia Research at Flexera Software discovered an integer overflow vulnerability within the _gdContributionsAlloc() function in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of this flaw to cause a denial-of-service against an application using the libgd2 library. last seen 2020-06-01 modified 2020-06-02 plugin id 92572 published 2016-07-27 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92572 title Debian DSA-3630-1 : libgd2 - security update NASL family Fedora Local Security Checks NASL id FEDORA_2016-0DE0E0EE0C.NASL description Security fix for gd. ---- Security fix for CVE-2016-6161 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-10-06 plugin id 93872 published 2016-10-06 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93872 title Fedora 23 : gd (2016-0de0e0ee0c) NASL family Fedora Local Security Checks NASL id FEDORA_2016-615F3BF06E.NASL description **LibGD 2.2.3 release** Security related fixes: This flaw is caused by loading data from external sources (file, custom ctx, etc) and are hard to validate before calling libgd APIs : - fix php bug php#72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766) - bug #248, fix Out-Of-Bounds Read in read_image_tga Using application provided parameters, in these cases invalid data causes the issues : - Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207) - fix php bug php#72494, invalid color index not handled, can lead to crash - improve color check for CropThreshold Important update : - gdImageCopyResampled has been improved. Better handling of images with alpha channel, also brings libgd in sync with php last seen 2020-06-05 modified 2016-07-25 plugin id 92532 published 2016-07-25 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92532 title Fedora 24 : gd (2016-615f3bf06e) NASL family CGI abuses NASL id PHP_5_6_24.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as last seen 2020-06-01 modified 2020-06-02 plugin id 92555 published 2016-07-26 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92555 title PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2460-1.NASL description This update for php7 fixes the following security issues : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2016-4473: Invalid free() instead of efree() in phar_extract_file() - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-01 modified 2020-06-02 plugin id 119981 published 2019-01-02 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119981 title SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-985.NASL description This update for php5 fixes the following issues : - security update : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433] last seen 2020-06-05 modified 2016-08-16 plugin id 92982 published 2016-08-16 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92982 title openSUSE Security Update : php5 (openSUSE-2016-985)
Redhat
| advisories |
| ||||
| rpms |
|
References
- https://secunia.com/secunia_research/2016-9/
- https://libgd.github.io/release-2.2.3.html
- http://packetstormsecurity.com/files/138174/LibGD-2.2.2-Integer-Overflow-Denial-Of-Service.html
- http://www.securitytracker.com/id/1036535
- http://www.debian.org/security/2016/dsa-3630
- https://bugs.php.net/bug.php?id=72558
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00078.html
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00086.html
- http://www.ubuntu.com/usn/USN-3060-1
- http://www.securityfocus.com/bid/92080
- https://security.gentoo.org/glsa/201612-09
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.securityfocus.com/archive/1/539100/100/0/threaded