SB2016102113 - Heap-based buffer overflow in gd (Alpine package)
Published: October 21, 2016
Security Bulletin ID
SB2016102113
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based buffer overflow (CVE-ID: CVE-2016-7568)
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.The weakness is due to integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd). By performing a specially crafted imagewebp and imagedestroy calls, attackers can trigger a heap-based buffer overflow that lets them induce denial of service or execute arbitrary code.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=451ff1929d8530ffbceb863acaeb212e545c3080
- https://git.alpinelinux.org/aports/commit/?id=0b18843792bc3a090f55ce0f51d3f3049ff91f23
- https://git.alpinelinux.org/aports/commit/?id=406fd782d7205c90c4586a1716ec8f6698263dd3
- https://git.alpinelinux.org/aports/commit/?id=5c6026e8ae9b21f78707f703bae4c46a8e299801
- https://git.alpinelinux.org/aports/commit/?id=f9837e07e07a853b319e1ecc711223d5683e20a8
- https://git.alpinelinux.org/aports/commit/?id=23b9a4551f77c59c198fb0ab0c1b3fab1b59713c
- https://git.alpinelinux.org/aports/commit/?id=e52825649f88796511db5350698443009cc47d06
- https://git.alpinelinux.org/aports/commit/?id=e75858307e07c46124b8f604df3a02f0f2c88dbf