CVE-2017-7890

Priority
Medium
Description
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD
Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before
7.1.7, does not zero colorMap arrays before use. A specially crafted GIF
image could use the uninitialized tables to read ~700 bytes from the top of
the stack, potentially disclosing sensitive information.
References
Bugs
Notes
 mdeslaur> php uses the system libgd2
Assigned-to
leosilva
Package
Upstream:needed
Ubuntu 17.10 (Artful Aardvark):released
Ubuntu 12.04 ESM (Precise Pangolin):released (2.0.36~rc1~dfsg-6ubuntu2.5)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.1.0-3ubuntu0.7)
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (2.1.1-4ubuntu0.16.04.7)
Ubuntu 17.04 (Zesty Zapus):released (2.2.4-2ubuntu0.2)
Patches:
Patch:http://git.php.net/?p=php-src.git;a=commit;h=8dc4f4dc9e44d1cbfe4654aa6e0dc27c94913938
Patch:https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424
Package
Source: php5 (LP Ubuntu Debian)
Upstream:released (5.6.31)
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (uses system gd)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (uses system gd)
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.04 (Zesty Zapus):DNE
Package
Upstream:released (7.1.7)
Ubuntu 17.10 (Artful Aardvark):not-affected (uses system gd)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.04 (Zesty Zapus):DNE
Package
Upstream:released (7.0.21)
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system gd)
Ubuntu 17.04 (Zesty Zapus):not-affected (uses system gd)
More Information

Updated: 2017-08-15 15:14:12 UTC (commit 13097)