CVE-2017-7890 (retired)

Priority
Description
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD
Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before
7.1.7, does not zero colorMap arrays before use. A specially crafted GIF
image could use the uninitialized tables to read ~700 bytes from the top of
the stack, potentially disclosing sensitive information.
Notes
 mdeslaur> php uses the system libgd2
Assigned-to
leosilva
Package
Upstream: needed
Ubuntu 12.04 ESM (Precise Pangolin): released (2.0.36~rc1~dfsg-6ubuntu2.5)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.1.1-4ubuntu0.16.04.7)
Patches:
Other: http://git.php.net/?p=php-src.git;a=commit;h=8dc4f4dc9e44d1cbfe4654aa6e0dc27c94913938
Other: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424
Package
Source: php5 (LP Ubuntu Debian)
Upstream: released (5.6.31)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (uses system gd)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: released (7.0.21)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (uses system gd)
Package
Upstream: released (7.1.7)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE

Updated: 2019-08-23 09:19:38 UTC (commit 436fd4ed4cf0038ddd382cb8649607ace163dda7)