Heap-based buffer overflow in GD Graphics Library - CVE-2016-7568

 

Heap-based buffer overflow in GD Graphics Library - CVE-2016-7568

Published: October 17, 2016


Vulnerability identifier: #VU1003
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7568
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Boutell.Com, Inc.
Affected software:
GD Graphics Library

Detailed vulnerability description

The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd). By performing a specially crafted imagewebp and imagedestroy calls, attackers can trigger a heap-based buffer overflow that lets them induce denial of service or execute arbitrary code.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

How to mitigate CVE-2016-7568

Update to version 2.1.0-5+deb8u7.

Sources