Slackware Linux update for gd
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2016-9317 CVE-2016-6912 CVE-2016-10166 CVE-2016-10167 CVE-2016-10168 |
| CWE-ID | CWE-20 CWE-415 CWE-191 CWE-190 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Slackware Linux Operating systems & Components / Operating system |
| Vendor | Slackware |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU7572
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-9317
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing overly large images in the gdImageCreate() function in the GD Graphics Library (aka libgd) before 2.2.4. A remote attacker can supply an overly large image and crash the application, using the affected library.
Update the affected package gd.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.377075
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Double free error
EUVDB-ID: #VU7573
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6912
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.
The vulnerability exists due to double free error when processing large image width and height values in gdImageWebPtr() function in the GD Graphics Library (aka libgd). A remote attacker create a specially crafted image file, trigger double free error and crash the affected application or execute arbitrary code on the target system.
Update the affected package gd.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.377075
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Integer underflow
EUVDB-ID: #VU7574
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-10166
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.
The vulnerability exists due to integer underflow when decrementing the "u" variable in _gdContributionsAlloc() function in gd_interpolation.c. A remote attacker create a specially crafted image file, trigger memory corruption and crash the affected application or execute arbitrary code on the target system.
Update the affected package gd.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.377075
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU7575
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-10167
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing images in gdImageCreateFromGd2Ctx() function in gd_gd2.c. A remote attacker can supply a malformed image and crash the application, using the affected library.
Update the affected package gd.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.377075
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU7576
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-10168
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.
The vulnerability exists due to integer overflow when processing the number of horizontal and vertical chunks in an image in gd_io.c. A remote attacker create a specially crafted image file, trigger memory corruption and crash the affected application or execute arbitrary code on the target system.
Update the affected package gd.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.377075
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
