#VU7575 Improper input validation in GD Graphics Library


Published: 2017-07-19

Vulnerability identifier: #VU7575

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-10167

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GD Graphics Library
Universal components / Libraries / Libraries used by multiple products

Vendor: Boutell.Com, Inc.

Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing images in gdImageCreateFromGd2Ctx() function in gd_gd2.c. A remote attacker can supply a malformed image and crash the application, using the affected library.

Mitigation
Update to version 2.2.4.

Vulnerable software versions

GD Graphics Library: 2.1.0 - 2.2.3

External links
http://github.com/libgd/libgd/blob/gd-2.2.4/CHANGELOG.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat update for php
Slackware Linux update for libwmf
Red Hat update for libgd
Slackware Linux update for gd
Amazon Linux AMI update for php70
Amazon Linux AMI update for php56
SUSE Linux update for php53
Slackware Linux update for php
Improper input validation in gd (Alpine package)