Vulnerabilities > CVE-2018-14553 - NULL Pointer Dereference vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

nessus

NVD

Published: 2020-02-11

Updated: 2024-04-07

Summary

gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).

Vulnerable Configurations

Part	Description	Count
Application	Libgd Libgd Libgd 2.1.1 Libgd Libgd 2.2.0 Libgd Libgd 2.2.1 Libgd Libgd 2.2.2 Libgd Libgd 2.2.3 Libgd Libgd 2.2.4 Libgd Libgd 2.2.5 Libgd Libgd 2.1.0	9
OS	Fedoraproject Fedoraproject Fedora 32	1
OS	Canonical Canonical Ubuntu Linux 18.04 Canonical Ubuntu Linux 14.04 Canonical Ubuntu Linux 19.10 Canonical Ubuntu Linux 16.04	4
OS	Debian Debian Debian Linux 8.0	1
OS	Opensuse Opensuse Leap 15.1	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

Nessus

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2020-332.NASL
description	This update for gd fixes the following issues : Security issue fixed : - CVE-2018-14553: Fixed a NULL pointer dereference in gdImageClone (bsc#1165471). - CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-03-18
modified	2020-03-11
plugin id	134398
published	2020-03-11
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134398
title	openSUSE Security Update : gd (openSUSE-2020-332)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2020-332. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(134398); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13"); script_cve_id("CVE-2018-14553", "CVE-2019-11038"); script_name(english:"openSUSE Security Update : gd (openSUSE-2020-332)"); script_summary(english:"Check for the openSUSE-2020-332 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for gd fixes the following issues : Security issue fixed : - CVE-2018-14553: Fixed a NULL pointer dereference in gdImageClone (bsc#1165471). - CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120). This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1140120" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1165471" ); script_set_attribute(attribute:"solution", value:"Update the affected gd packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11038"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libgd3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libgd3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libgd3-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libgd3-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/19"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.1", reference:"gd-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"gd-debuginfo-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"gd-debugsource-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"gd-devel-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libgd3-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libgd3-debuginfo-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libgd3-32bit-2.2.5-lp151.6.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libgd3-32bit-debuginfo-2.2.5-lp151.6.6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gd / gd-debuginfo / gd-debugsource / gd-devel / libgd3 / etc"); }

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2020-083-01.NASL
description	New gd packages are available for Slackware 14.2 and -current to fix security issues.
last seen	2020-03-26
modified	2020-03-24
plugin id	134850
published	2020-03-24
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134850
title	Slackware 14.2 / current : gd (SSA:2020-083-01)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-2106.NASL
description	A vulnerability was discovered in libgd2, the GD graphics library, whereby an attacker can employ a specific function call sequence to trigger a NULL pointer dereference, subsequently crash the application using libgd2, and create a denial of service. For Debian 8
last seen	2020-03-17
modified	2020-02-18
plugin id	133730
published	2020-02-18
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133730
title	Debian DLA-2106-1 : libgd2 security update

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2020-0623-1.NASL
description	This update for gd fixes the following issues : CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241). CVE-2018-14553: Fixed a NULL pointer dereference in gdImageClone() (bsc#1165471). CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-18
modified	2020-03-10
plugin id	134366
published	2020-03-10
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134366
title	SUSE SLED12 / SLES12 Security Update : gd (SUSE-SU-2020:0623-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2020-0594-1.NASL
description	This update for gd fixes the following issues : Security issue fixed : CVE-2018-14553: Fixed a NULL pointer dereference in gdImageClone (bsc#1165471). CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-18
modified	2020-03-06
plugin id	134297
published	2020-03-06
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134297
title	SUSE SLED15 / SLES15 Security Update : gd (SUSE-SU-2020:0594-1)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2020-2_0-0213_LIBGD.NASL
description	An update of the libgd package has been released.
last seen	2020-03-17
modified	2020-03-11
plugin id	134422
published	2020-03-11
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134422
title	Photon OS 2.0: Libgd PHSA-2020-2.0-0213

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2020-3_0-0063_LIBGD.NASL
description	An update of the libgd package has been released.
last seen	2020-03-17
modified	2020-03-02
plugin id	134210
published	2020-03-02
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134210
title	Photon OS 3.0: Libgd PHSA-2020-3.0-0063

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.