Double free error in gd (Alpine package)
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-6912 |
| CWE-ID | CWE-415 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
gd (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Double free error
EUVDB-ID: #VU7573
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6912
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.
The vulnerability exists due to double free error when processing large image width and height values in gdImageWebPtr() function in the GD Graphics Library (aka libgd). A remote attacker create a specially crafted image file, trigger double free error and crash the affected application or execute arbitrary code on the target system.
Install update from vendor's website.
Vulnerable software versionsgd (Alpine package): 2.1.1-r2
gd (Alpine package):
External linkshttp://git.alpinelinux.org/aports/commit/?id=1b8dc16a8d83cea1a0638ca75a327f234049e6fd
http://git.alpinelinux.org/aports/commit/?id=08114de6e0da35db211984405c8d9043e426ea58
http://git.alpinelinux.org/aports/commit/?id=87a5a2c48f6c4e068c31ba4ba9665d05a4a88682
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
