#VU1003 Heap-based buffer overflow in GD Graphics Library - CVE-2016-7568
Published: October 17, 2016
Vulnerability identifier: #VU1003
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7568
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
GD Graphics Library
GD Graphics Library
Software vendor:
Boutell.Com, Inc.
Boutell.Com, Inc.
Description
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd). By performing a specially crafted imagewebp and imagedestroy calls, attackers can trigger a heap-based buffer overflow that lets them induce denial of service or execute arbitrary code.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
The weakness is due to integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd). By performing a specially crafted imagewebp and imagedestroy calls, attackers can trigger a heap-based buffer overflow that lets them induce denial of service or execute arbitrary code.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
Remediation
Update to version 2.1.0-5+deb8u7.