CVE-2007-3996
Published: 4 September 2007
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
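The bug class described above is an allocation size computed as width times height (times bytes per element) in `int` arithmetic with no range check, so an attacker-chosen dimension wraps the product to a small value and the image code then writes far past the undersized buffer. The following is an added example written for this page, not libgd's or PHP's own code: it models the unchecked pre-fix computation with unsigned arithmetic (so the wrap is well-defined in the demo), and beside it a hardened size check in the style of the `overflow2()` guard upstream libgd 2.0.35 added, applied to the same dimension-derived allocations that `gdImageCreate`, `gdImageCreateTrueColor` and `gdImageCopyResized` perform. The image layout (one row-pointer table plus a pixel buffer) and the `elem` bytes-per-pixel parameter are simplifying assumptions, not libgd's actual structures. The `main()` also shows the caller-side `NULL` check that the note below says php5-gd was missing: once the library refuses an oversized image, every caller must handle that failure rather than dereference the result.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if a * b does not fit in an int, 0 otherwise.  Same shape as the
 * overflow2() helper added in libgd 2.0.35; independent rewrite for this page. */
static int mul_overflows_int(int a, int b)
{
    if (a < 0 || b < 0) return 1;   /* negative dimensions are never valid */
    if (b == 0) return 0;
    return a > INT_MAX / b;         /* division cannot overflow, so this is safe */
}

/* What the pre-fix code effectively asked malloc() for: the product taken
 * modulo 2^32.  Done in unsigned arithmetic so the wraparound is well-defined
 * here; the original int multiply wrapped the same way in practice. */
static unsigned int wrapped_alloc_size(int sx, int sy, unsigned int elem)
{
    return (unsigned int)sx * (unsigned int)sy * elem;
}

/* Hardened size computation for an sx-by-sy image with `elem` bytes per pixel.
 * Every multiplication is checked before it happens.  Returns 0 and stores the
 * byte count on success, -1 on non-positive or overflowing dimensions. */
static int checked_image_bytes(int sx, int sy, int elem, size_t *out)
{
    if (sx <= 0 || sy <= 0 || elem <= 0) return -1;
    if (mul_overflows_int(sx, sy)) return -1;           /* sx * sy pixels */
    int pixels = sx * sy;
    if (mul_overflows_int(pixels, elem)) return -1;     /* pixel buffer bytes */
    if (mul_overflows_int(sy, (int)sizeof(void *))) return -1; /* row-pointer table (assumed layout) */
    *out = (size_t)pixels * (size_t)elem;
    return 0;
}

/* Allocate the pixel buffer only after the checks pass; returns NULL on
 * rejection, exactly the condition a caller such as php5-gd must test. */
static void *checked_image_alloc(int sx, int sy, int elem)
{
    size_t n;
    if (checked_image_bytes(sx, sy, elem, &n) != 0) return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed attacker-style dimensions: 65536 x 65536 wraps to 0 bytes. */
    printf("unchecked 65536x65536x1 -> %u bytes requested\n",
           wrapped_alloc_size(65536, 65536, 1));

    /* Caller-side handling: treat NULL as a hard error, never dereference it. */
    void *img = checked_image_alloc(65536, 65536, 1);
    if (img == NULL)
        printf("checked 65536x65536x1 -> rejected (would overflow)\n");

    img = checked_image_alloc(100, 100, 4);
    if (img != NULL) {
        printf("checked 100x100x4 -> allocated\n");
        free(img);
    }
    return 0;
}
```

The check is deliberately done against `INT_MAX` rather than `SIZE_MAX`: the original sizes were `int`, so on a 64-bit build a product that fits in `size_t` can still have overflowed the `int` intermediate that the library used, and the guard has to match the type of the arithmetic it protects.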
Notes
Author | Note |
---|---|
jdstrand | Note: this is gdImageCreate and gdImageCreateTrueColor. dapper-gutsy libgd2 are affected to varying degrees. php5-gd segfaults on feisty and gutsy before patching libgd2, and dapper-gutsy segfault after (this is because feisty-gutsy already had a partial fix in libgd2). php5-gd is not properly handling the error condition when libgd2 fails. Verified that 5.2.4 works with patched libgd2. |
Priority
Status
Package | Release | Status |
---|---|---|
libgd2 (Launchpad, Ubuntu, Debian) | dapper | Released (2.0.33-2ubuntu5.3) |
libgd2 | edgy | Released (2.0.33-4ubuntu2.2) |
libgd2 | feisty | Released (2.0.34~rc1-2ubuntu1.2) |
libgd2 | gutsy | Released (2.0.34-1ubuntu1.1) |
libgd2 | hardy | Not vulnerable (2.0.35.dfsg-3ubuntu1) |
libgd2 | intrepid | Not vulnerable (2.0.35.dfsg-3ubuntu1) |
libgd2 | upstream | Released (2.0.35) |
php5 (Launchpad, Ubuntu, Debian) | dapper | Released (5.1.2-1ubuntu3.13) |
php5 | edgy | Ignored (end of life, was needed) |
php5 | feisty | Ignored (end of life, was needed) |
php5 | gutsy | Released (5.2.3-1ubuntu6.5) |
php5 | hardy | Not vulnerable (5.2.4-2ubuntu3) |
php5 | intrepid | Not vulnerable (5.2.4-2ubuntu3) |
php5 | upstream | Released (5.2.4) |
Patches:
vendor: http://www.mandriva.com/security/advisories?name=MDKSA-2007:187
upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29