#VU16916 Out-of-bounds write in PHP


Published: 2020-03-18 | Updated: 2021-06-17

Vulnerability identifier: #VU16916

Vulnerability risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-6977

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to execute arbitrary on the target system.

The weakness exists due to out-of-bounds write in imagecolormatch. A remote attacker can write up to 1200 bytes over the boundaries of a buffer allocated in the imagecolormatch function, which then calls gdImageColorMatch() and execute arbitrary code with elevated privileges.

Mitigation
The vulnerability has been fixed in the versions 5.6.40, 7.1.26, 7.2.14, 7.3.1.

Vulnerable software versions

PHP: 7.2.0 - 7.2.13, 7.3.0 - 7.3.0beta3, 7.1.0 - 7.1.25, 5.6.0 - 5.6.39, 5.5.6

External links
http://bugs.php.net/bug.php?id=77270

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Red Hat Enterprise Linux 8 update for gd
Slackware Linux update for gd
Red Hat update for rh-php72-php
OpenSUSE Linux update for gd
OpenSUSE Linux update for gd
Gentoo update for GD
OpenSUSE Linux update for php5
Ubuntu update for GD
OpenSUSE Linux update for php7
Debian update for libgd2