Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2016-7568

Published: 28 September 2016

Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.

Notes

AuthorNote
mdeslaur
php uses the system libgd2
code in gd 2.1.x is different, can use the php5 patch

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
libgd2
Launchpad, Ubuntu, Debian
upstream Needs triage

precise Not vulnerable
(code not present)
trusty
Released (2.1.0-3ubuntu0.5)
xenial
Released (2.1.1-4ubuntu0.16.04.5)
yakkety
Released (2.2.1-1ubuntu3.2)
Patches:
upstream: https://github.com/libgd/libgd/commit/40bec0f38f50e8510f5bb71a82f516d46facde03


php5
Launchpad, Ubuntu, Debian
upstream Needs triage

precise Not vulnerable
(uses system gd)
trusty Not vulnerable
(uses system gd)
xenial Does not exist

yakkety Does not exist

Patches:

upstream: http://git.php.net/?p=php-src.git;a=commit;h=46df0642618eabc5b5b7df490d1ae23bda00a745

php7.0
Launchpad, Ubuntu, Debian
upstream Needs triage

precise Does not exist

trusty Does not exist

xenial Not vulnerable
(uses system gd)
yakkety Not vulnerable
(uses system gd)
Patches:


upstream: https://github.com/php/php-src/commit/c18263e0e0769faee96a5d0ee04b750c442783c6