SB2017071905 - Slackware Linux update for gd

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017071905

SB2017071905 - Slackware Linux update for gd

Published: July 19, 2017

Security Bulletin ID SB2017071905
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2016-9317)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing overly large images in the gdImageCreate() function in the GD Graphics Library (aka libgd) before 2.2.4. A remote attacker can supply an overly large image and crash the application, using the affected library.

2) Double free error (CVE-ID: CVE-2016-6912)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.

The vulnerability exists due to double free error when processing large image width and height values in gdImageWebPtr() function in the GD Graphics Library (aka libgd). A remote attacker create a specially crafted image file, trigger double free error and crash the affected application or execute arbitrary code on the target system.

3) Integer underflow (CVE-ID: CVE-2016-10166)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.

The vulnerability exists due to integer underflow when decrementing the "u" variable in _gdContributionsAlloc() function in gd_interpolation.c. A remote attacker create a specially crafted image file, trigger memory corruption and crash the affected application or execute arbitrary code on the target system.

4) Improper input validation (CVE-ID: CVE-2016-10167)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing images in gdImageCreateFromGd2Ctx() function in gd_gd2.c. A remote attacker can supply a malformed image and crash the application, using the affected library.

5) Integer overflow (CVE-ID: CVE-2016-10168)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.

The vulnerability exists due to integer overflow when processing the number of horizontal and vertical chunks in an image in gd_io.c. A remote attacker create a specially crafted image file, trigger memory corruption and crash the affected application or execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References