Candidate: CVE-2016-7126
PublicDate: 2016-09-12 01:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7126
 http://www.openwall.com/lists/oss-security/2016/09/02/5
Description:
 The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument.
Ubuntu-Description:
Notes:
 tyhicks> The PHP bug states that libgd2 is not affected and I've verified this through code review and testing.
Bugs:
 https://bugs.php.net/bug.php?id=72697
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libgd2:
upstream_libgd2: not-affected (overflow checks performed)
precise_libgd2: not-affected (overflow checks performed)
trusty_libgd2: not-affected (overflow checks performed)
trusty/esm_libgd2: not-affected (overflow checks performed)
vivid/stable-phone-overlay_libgd2: DNE
vivid/ubuntu-core_libgd2: DNE
xenial_libgd2: not-affected
esm-infra/xenial_libgd2: not-affected
devel_libgd2: not-affected (overflow checks performed)

Patches_php5:
upstream_php5: needs-triage
precise_php5: not-affected (uses system gd)
trusty_php5: not-affected (uses system gd)
trusty/esm_php5: not-affected (uses system gd)
vivid/ubuntu-core_php5: DNE
vivid/stable-phone-overlay_php5: DNE
xenial_php5: DNE
devel_php5: DNE

Patches_php7.0:
 upstream: https://github.com/php/php-src/commit/b6f13a5ef9d6280cf984826a5de012a32c396cd4?w=1
upstream_php7.0: needs-triage
precise_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
vivid/ubuntu-core_php7.0: DNE
vivid/stable-phone-overlay_php7.0: DNE
xenial_php7.0: not-affected (uses system gd)
esm-infra/xenial_php7.0: not-affected (uses system gd)
devel_php7.0: not-affected (uses system gd)