Vulnerabilities > CVE-2018-5711 - Infinite Loop vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-109.NASL description This update for gd fixes one issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-02-01 plugin id 106543 published 2018-02-01 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106543 title openSUSE Security Update : gd (openSUSE-2018-109) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-109. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(106543); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-5711"); script_name(english:"openSUSE Security Update : gd (openSUSE-2018-109)"); script_summary(english:"Check for the openSUSE-2018-109 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for gd fixes one issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1076391" ); script_set_attribute(attribute:"solution", value:"Update the affected gd packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"gd-2.1.0-24.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"gd-debuginfo-2.1.0-24.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"gd-debugsource-2.1.0-24.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"gd-devel-2.1.0-24.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"gd-32bit-2.1.0-24.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"gd-debuginfo-32bit-2.1.0-24.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gd / gd-32bit / gd-debuginfo / gd-debuginfo-32bit / gd-debugsource / etc"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2521.NASL description According to the versions of the gd package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.(CVE-2016-10168) - Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.(CVE-2017-6362) - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.(CVE-2016-3074) - Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.(CVE-2016-9933) - gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.(CVE-2018-5711) - The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.(CVE-2016-10167) - The output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image.(CVE-2016-6161) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-12-04 plugin id 131674 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131674 title EulerOS 2.0 SP2 : gd (EulerOS-SA-2019-2521) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(131674); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2016-10167", "CVE-2016-10168", "CVE-2016-3074", "CVE-2016-6161", "CVE-2016-9933", "CVE-2017-6362", "CVE-2018-5711" ); script_name(english:"EulerOS 2.0 SP2 : gd (EulerOS-SA-2019-2521)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the gd package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.(CVE-2016-10168) - Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.(CVE-2017-6362) - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.(CVE-2016-3074) - Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.(CVE-2016-9933) - gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.(CVE-2018-5711) - The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.(CVE-2016-10167) - The output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image.(CVE-2016-6161) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2521 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ed38664"); script_set_attribute(attribute:"solution", value: "Update the affected gd packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:gd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["gd-2.0.35-26.h11"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gd"); }
NASL family CGI abuses NASL id PHP_7_2_1.NASL description According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.1. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 105774 published 2018-01-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105774 title PHP 7.2.x < 7.2.1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(105774); script_version("1.9"); script_cvs_date("Date: 2019/11/08"); script_cve_id("CVE-2018-5711", "CVE-2018-5712", "CVE-2018-14884"); script_bugtraq_id(102742, 102743, 104968); script_name(english:"PHP 7.2.x < 7.2.1 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The version of PHP running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.1. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2018-5712) - A denial of service (DoS) vulnerability exists in the ext/standard/http_fopen_wrapper.c script due to http_header_value possibly being a NULL value in an atoi call. An unauthenticated, remote attacker can exploit this issue, via a specifically crafted HTTP response, to cause the application to stop responding. (CVE-2018-14884) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.2.1"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 7.2.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5712"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/04"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); include("http.inc"); include("webapp_func.inc"); vcf::php::initialize(); port = get_http_port(default:80, php:TRUE); app_info = vcf::php::get_app_info(port:port); flags = [ { "xss" : TRUE } ]; constraints = [ { "min_version" : "7.2.0alpha0", "fixed_version" : "7.2.1" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:flags);
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2020-083-01.NASL description New gd packages are available for Slackware 14.2 and -current to fix security issues. last seen 2020-03-26 modified 2020-03-24 plugin id 134850 published 2020-03-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134850 title Slackware 14.2 / current : gd (SSA:2020-083-01) NASL family CGI abuses NASL id PHP_7_1_13.NASL description According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.13. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 105773 published 2018-01-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105773 title PHP 7.1.x < 7.1.13 Multiple Vulnerabilities NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-034-01.NASL description New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106586 published 2018-02-05 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106586 title Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2018-034-01) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0235-1.NASL description This update for gd fixes several issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106439 published 2018-01-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106439 title SUSE SLES11 Security Update : gd (SUSE-SU-2018:0235-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0308-1.NASL description This update for php7 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220). - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-24 modified 2019-01-02 plugin id 120015 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120015 title SUSE SLES12 Security Update : php7 (SUSE-SU-2018:0308-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-BA81E4E4A0.NASL description Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-03-29 plugin id 108700 published 2018-03-29 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108700 title Fedora 27 : gd (2018-ba81e4e4a0) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2649.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says last seen 2020-05-08 modified 2019-12-18 plugin id 132184 published 2019-12-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132184 title EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-119.NASL description This update for php7 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220). - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-02-01 plugin id 106550 published 2018-02-01 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106550 title openSUSE Security Update : php7 (openSUSE-2018-119) NASL family CGI abuses NASL id PHP_7_0_27.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.27. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 105772 published 2018-01-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105772 title PHP 7.0.x < 7.0.27 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1651.NASL description Several issues in libgd2, a graphics library that allows to quickly draw images, have been found. CVE-2019-6977 A potential double free in gdImage*Ptr() has been reported by Solmaz Salimi (aka. Rooney). CVE-2019-6978 Simon Scannell found a heap-based buffer overflow, exploitable with crafted image data. CVE-2018-1000222 A new double free vulnerabilities in gdImageBmpPtr() has been reported by Solmaz Salimi (aka. Rooney). CVE-2018-5711 Due to an integer signedness error the GIF core parsing function can enter an infinite loop. This will lead to a Denial of Service and exhausted server resources. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 121483 published 2019-01-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121483 title Debian DLA-1651-1 : libgd2 security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0260-1.NASL description This update for gd fixes one issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106470 published 2018-01-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106470 title SUSE SLED12 / SLES12 Security Update : gd (SUSE-SU-2018:0260-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0216-1.NASL description This update for php5 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-24 modified 2019-01-02 plugin id 120013 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120013 title SUSE SLES12 Security Update : php5 (SUSE-SU-2018:0216-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1248.NASL description It was discovered that there was a denial of service attack in the libgd2 image library. A corrupt file could have exploited a signedness confusion leading to an infinite loop. For Debian 7 last seen 2020-03-17 modified 2018-01-19 plugin id 106175 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106175 title Debian DLA-1248-1 : libgd2 security update NASL family CGI abuses NASL id PHP_5_6_33.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - A potential infinite loop in gdImageCreateFromGifCtx. (CVE-2018-5711) - A reflected XSS in .phar 404 page exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 105771 published 2018-01-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105771 title PHP 5.6.x < 5.6.33 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2018-331AF74020.NASL description Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-04-05 plugin id 108836 published 2018-04-05 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108836 title Fedora 26 : gd (2018-331af74020) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201903-18.NASL description The remote host is affected by the vulnerability described in GLSA-201903-18 (GD: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GD. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to process a specially crafted image, possibly resulting in execution of arbitrary code or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 123424 published 2019-03-28 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123424 title GLSA-201903-18 : GD: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2018-1AEAC808CE.NASL description Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120264 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120264 title Fedora 28 : gd (2018-1aeac808ce) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0806-1.NASL description This update for php53 fixes several issues. These security issues were fixed : - CVE-2016-10712: In PHP all of the return values of stream_get_meta_data could be controlled if the input can be controlled (e.g., during file uploads). (bsc#1080234) - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) - CVE-2016-5773: php_zip.c in the zip extension in PHP improperly interacted with the unserialize implementation and garbage collection, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. (bsc#986247) - CVE-2016-5771: spl_array.c in the SPL extension in PHP improperly interacted with the unserialize implementation and garbage collection, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. (bsc#986391) - CVE-2018-7584: Fixed stack-based buffer under-read while parsing an HTTPresponse in the php_stream_url_wrap_http_ex. (bsc#1083639) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108650 published 2018-03-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108650 title SUSE SLES11 Security Update : php53 (SUSE-SU-2018:0806-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3755-1.NASL description It was discovered that GD incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1000222) It was discovered that GD incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-5711). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112150 published 2018-08-28 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112150 title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libgd2 vulnerabilities (USN-3755-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1984.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.(CVE-2014-9912) - Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.(CVE-2015-4116) - A flaw was found in the way the way PHP last seen 2020-05-08 modified 2019-09-24 plugin id 129178 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129178 title EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-99.NASL description This update for php5 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-01-29 plugin id 106434 published 2018-01-29 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106434 title openSUSE Security Update : php5 (openSUSE-2018-99) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-946.NASL description Reflected XSS in .phar 404 page An issue was discovered in PHP; there is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. (CVE-2018-5712) Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c The gd_gif_in.c file in the GD Graphics Library (aka libgd), as used in PHP has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx. (CVE-2018-5711) last seen 2020-06-01 modified 2020-06-02 plugin id 106691 published 2018-02-09 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106691 title Amazon Linux AMI : php56 / php70,php71 (ALAS-2018-946)
Redhat
advisories |
| ||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is an simple and interesting case, and seems easy to exploit in real world! ### Affected All PHP version * PHP 5 < 5.6.33 * PHP 7.0 < 7.0.27 * PHP 7.1 < 7.1.13 * PHP 7.2 < 7.2.1 ### Vulnerability Details The vulnerability is on the file [`ext/gd/libgd/gd_gif_in.c`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c) There is a while-loop in [`LWZReadByte`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c#L460) ``` 460 do { 461 sd->firstcode = sd->oldcode = 461 GetCode(fd, &sd->scd, sd->code_size, FALSE, ZeroDataBlockP); 463 } while (sd->firstcode == sd->clear_code); ``` Function `GetCode` is just a wrapper, and [`GetCode_`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c#L376) do the real stuff. ``` 376 static int 377 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) 378 { 379 int i, j, ret; 380 unsigned char count; ... 399 if ((count = GetDataBlock(fd, &scd->buf[2], ZeroDataBlockP)) <= 0) 400 scd->done = TRUE; ... 405 } ``` `GetCode_` call [`GetDataBlock`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c#L333) to read data from GIF! ``` 332 static int 333 GetDataBlock_(gdIOCtx *fd, unsigned char *buf, int *ZeroDataBlockP) 334 { 335 unsigned char count; 336 336 if (! ReadOK(fd,&count,1)) { 338 return -1; 339 } 340 341 *ZeroDataBlockP = count == 0; 342 343 if ((count != 0) && (! ReadOK(fd, buf, count))) { 344 return -1; 345 } 346 347 return count; 348 } ``` OK, here are all vulnerable code, can you spot the vulnerability? :P The bug relied on the type conversion from int to `unsigned` char. As you can see: If `GetDataBlock_` return `-1`, `scd->done` in line 400 will set to True, and stop the while-loop. But it will never be executed because the definition of `count` is `unsigned char`, it’s always be a positive from 0 to 255. So the result is, one single GIF can make an infinite loop and exhausted the server resource. ### PoC ``` $ curl -L https://git.io/vN0n4 | xxd -r > poc.gif $ php -r 'imagecreatefromgif("poc.gif");' Infinite loop here... ``` It's easy to exploit in real world because lots of websites resize user-uploaded image by GD library... |
id | SSV:97122 |
last seen | 2018-02-03 |
modified | 2018-02-02 |
published | 2018-02-02 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-97122 |
title | PHP CVE-2018-5711 - Hanging Websites by a Harmful GIF |
References
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- http://php.net/ChangeLog-7.php
- https://access.redhat.com/errata/RHSA-2018:1296
- https://access.redhat.com/errata/RHSA-2018:1296
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:2519
- https://bugs.php.net/bug.php?id=75571
- https://bugs.php.net/bug.php?id=75571
- https://lists.debian.org/debian-lts-announce/2018/01/msg00022.html
- https://lists.debian.org/debian-lts-announce/2018/01/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
- https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://security.gentoo.org/glsa/201903-18
- https://security.gentoo.org/glsa/201903-18
- https://usn.ubuntu.com/3755-1/
- https://usn.ubuntu.com/3755-1/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html