CVE-2007-3996

Published: 4 September 2007

Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.

Notes

Author: jdstrand

Note: note this is gdImageCreate and gdImageCreateTrueColor.
dapper-gutsy libgd2 are affected to varying degrees.
php5-gd segfaults on feisty and gutsy before patching libgd2, and dapper-gutsy segfault after (this is because feisty-gutsy had a partial fix already in libgd2). php5-gd is not handling the error condition when libgd2 fails properly. Verified that 5.2.4 works with patched libgd2.
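The following C sketch is an added example, not code from libgd, PHP or this tracker entry. It models the class of bug in the description (width times height size arithmetic wrapping in 32 bits) next to a checked constructor, and shows the caller-side NULL handling the note refers to; `image_t`, `wrapped_size`, `mul_overflows`, `image_create_checked` and `render` are hypothetical names, and the dimensions are constructed sample values.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical image type for this example; not libgd's gdImage. */
typedef struct { int sx, sy; uint32_t *pixels; } image_t;

/* Byte count for sx * sy truecolor pixels as unchecked 32-bit math yields it. */
uint32_t wrapped_size(int sx, int sy)
{
    return (uint32_t)sx * (uint32_t)sy * (uint32_t)sizeof(uint32_t);
}

/* 1 if a * b is not representable as a positive int, else 0. */
int mul_overflows(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;
    return a > INT_MAX / b;
}

/* Checked constructor: returns NULL rather than an undersized buffer. */
image_t *image_create_checked(int sx, int sy)
{
    if (mul_overflows(sx, sy) || mul_overflows(sx * sy, (int)sizeof(uint32_t)))
        return NULL;
    image_t *im = malloc(sizeof *im);
    if (im == NULL)
        return NULL;
    im->pixels = calloc((size_t)sx * (size_t)sy, sizeof(uint32_t));
    if (im->pixels == NULL) { free(im); return NULL; }
    im->sx = sx;
    im->sy = sy;
    return im;
}

/* Caller side: NULL is an error to report. Returns 0 on success, -1 if rejected. */
int render(int sx, int sy)
{
    image_t *im = image_create_checked(sx, sy);
    if (im == NULL)
        return -1;
    im->pixels[(size_t)(sy - 1) * (size_t)sx + (size_t)(sx - 1)] = 0xffffffu; /* last pixel */
    free(im->pixels); free(im);
    return 0;
}

int main(void)
{
    printf("%u %d %d\n", (unsigned)wrapped_size(32768, 32769), render(64, 48), render(32768, 32769));
    return 0;
}
```

A 32768 x 32769 request needs about 4 GiB, yet the unchecked 32-bit size is 131072 bytes; the checked constructor rejects it and the caller reports the failure instead of dereferencing NULL.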

Priority

Medium

Status

Package / Release / Status

libgd2 (Launchpad, Ubuntu, Debian)
    dapper: Released (2.0.33-2ubuntu5.3)
    edgy: Released (2.0.33-4ubuntu2.2)
    feisty: Released (2.0.34~rc1-2ubuntu1.2)
    gutsy: Released (2.0.34-1ubuntu1.1)
    hardy: Not vulnerable (2.0.35.dfsg-3ubuntu1)
    intrepid: Not vulnerable (2.0.35.dfsg-3ubuntu1)
    upstream: Released (2.0.35)

php5 (Launchpad, Ubuntu, Debian)
    dapper: Released (5.1.2-1ubuntu3.13)
    edgy: Ignored (end of life, was needed)
    feisty: Ignored (end of life, was needed)
    gutsy: Released (5.2.3-1ubuntu6.5)
    hardy: Not vulnerable (5.2.4-2ubuntu3)
    intrepid: Not vulnerable (5.2.4-2ubuntu3)
    upstream: Released (5.2.4)

Patches:
vendor: http://www.mandriva.com/security/advisories?name=MDKSA-2007:187
upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29