ID CVE-2007-0455
Summary Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
References
Vulnerable Configurations
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.1
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.15
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.20
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.21
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.22
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.23
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.26
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.27
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.28
  • cpe:2.3:a:gd_graphics_library:gdlib:2.0.33
CVSS
Base: 7.5 (as of 30-01-2007 - 14:17)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
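The NVD summary above calls this a buffer overflow; the Red Hat, CentOS, Oracle and Scientific Linux advisories listed below describe it as a buffer over-read that crashes an application rendering a crafted string with a JIS-encoded font through gdImageStringFTEx. The page does not give the exact defect in gdft.c. The following is an added example, not libgd's code, showing the general bug class such a description points at: a multibyte string walker that, on seeing a Shift_JIS lead byte, consumes the next byte as the trail byte without checking that the string has not ended, so a string ending in a lone lead byte makes it step over the NUL terminator and keep reading. The decoder, the byte ranges used for lead and trail bytes, and the sample inputs are all assumptions of this example. The hardened variant works from an explicit length and rejects a truncated or malformed sequence instead of reading on.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative Shift_JIS lead-byte test (hypothetical decoder, not gdft.c).
 * Lead bytes are 0x81-0x9F and 0xE0-0xFC; everything else is single-byte. */
static int sjis_is_lead(unsigned char c)
{
    return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC);
}

/* Trail bytes are 0x40-0x7E and 0x80-0xFC. */
static int sjis_is_trail(unsigned char c)
{
    return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFC);
}

/* Vulnerable pattern: after a lead byte it unconditionally consumes the next
 * byte as the trail byte. If the lead byte is the last byte before the NUL
 * terminator, the terminator is swallowed and the walk continues into whatever
 * memory follows the string. Returns bytes consumed, including the terminator
 * it eventually stops on. */
size_t walk_unchecked(const unsigned char *s)
{
    size_t i = 0;
    for (;;) {
        unsigned char c = s[i];
        if (c == 0)
            return i + 1;
        i += sjis_is_lead(c) ? 2 : 1;   /* BUG: no check that s[i+1] exists */
    }
}

/* Hardened: operate on an explicit length, refuse a lead byte with no room
 * for its trail byte, and reject an invalid trail byte. Returns 0 and stores
 * the character count on success, -1 on a malformed or truncated sequence. */
int walk_checked(const unsigned char *s, size_t len, size_t *chars)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char c = s[i];
        if (sjis_is_lead(c)) {
            if (i + 1 >= len || !sjis_is_trail(s[i + 1]))
                return -1;              /* truncated or malformed sequence */
            i += 2;
        } else {
            i += 1;
        }
        n++;
    }
    *chars = n;
    return 0;
}

/* Constructed input: 'A', then a lone lead byte 0x82, then the NUL terminator.
 * The bytes after the NUL stand in for adjacent memory; they are part of this
 * array only so the demonstration stays within bounds. */
const unsigned char CRAFTED[] = { 'A', 0x82, 0x00, 'X', 'Y', 0x00 };

/* Constructed valid input: one two-byte character followed by 'B'. */
const unsigned char VALID[] = { 0x82, 0xA0, 'B' };

/* How many bytes past the real terminator the unchecked walk reads. */
size_t demo_overread_bytes(void)
{
    size_t real_len = strlen((const char *)CRAFTED) + 1;  /* 3 */
    return walk_unchecked(CRAFTED) - real_len;            /* 6 - 3 = 3 */
}

/* The checked walk on the same crafted string, using its real length. */
int demo_checked_rejects_truncated(void)
{
    size_t n = 0;
    return walk_checked(CRAFTED, strlen((const char *)CRAFTED), &n);
}

/* Character count the checked walk reports for the valid string (0 on error). */
size_t demo_checked_valid_count(void)
{
    size_t n = 0;
    if (walk_checked(VALID, sizeof VALID, &n) != 0)
        return 0;
    return n;
}

int main(void)
{
    printf("unchecked walk read %zu byte(s) past the terminator\n",
           demo_overread_bytes());
    printf("checked walk on crafted string: %d\n",
           demo_checked_rejects_truncated());
    printf("checked walk on valid string: %zu char(s)\n",
           demo_checked_valid_count());
    return 0;
}
```

In a real renderer the bytes following the terminator are other heap data, so the unchecked walk reads and renders attacker-unrelated memory until it happens on a zero byte or faults, which matches the "crash" and "read heap memory" wording in the Red Hat and Ubuntu entries below. The fix pattern is the one in walk_checked: carry the length alongside the pointer and treat a lead byte with no trail byte as an error.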
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-120-01.NASL
    description New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-05-01
    plugin id 109432
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109432
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-473-1.NASL
    description A buffer overflow was discovered in libgd2's font renderer. By tricking an application using libgd2 into rendering a specially crafted string with a JIS encoded font, a remote attacker could read heap memory or crash the application, leading to a denial of service. (CVE-2007-0455) Xavier Roche discovered that libgd2 did not correctly validate PNG callback results. If an application were tricked into processing a specially crafted PNG image, it would monopolize CPU resources. Since libgd2 is often used in PHP and Perl web applications, this could lead to a remote denial of service. (CVE-2007-2756). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28074
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28074
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : libgd2 vulnerabilities (USN-473-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-109.NASL
    description Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Tetex 3.x uses an embedded copy of the gd source and may also be affected by this issue (CVE-2007-0455). A buffer overflow in the open_sty function for makeindex in Tetex could allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename (CVE-2007-0650). The updated packages have been patched to prevent these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25311
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25311
    title Mandrake Linux Security Advisory : tetex (MDKSA-2007:109)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1936.NASL
    description Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0455 Kees Cook discovered a buffer overflow in libgd2's font renderer. An attacker could cause denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. This issue only affects the oldstable distribution (etch). - CVE-2009-3546 Tomas Hoger discovered a boundary error in the '_gdGetColors()' function. An attacker could conduct a buffer overflow or buffer over-read attacks via a crafted GD file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44801
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44801
    title Debian DSA-1936-1 : libgd2 - several vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_4_4_7_OR_5_2_2.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 25159
    published 2007-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25159
    title PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-604.NASL
    description It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application. (CVE-2015-0848 , CVE-2015-4588) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application. (CVE-2015-4696) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash. (CVE-2015-4695) The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. (CVE-2007-2756) Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. (CVE-2007-0455) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293 . NOTE: some of these details are obtained from third party information. (CVE-2009-3546) Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3472) The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86635
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86635
    title Amazon Linux AMI : libwmf (ALAS-2015-604)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0146.NASL
    description Updated gd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 31306
    published 2008-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31306
    title RHEL 4 / 5 : gd (RHSA-2008:0146)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0146.NASL
    description Updated gd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31310
    published 2008-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31310
    title CentOS 4 / 5 : gd (CESA-2008:0146)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-035.NASL
    description Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24648
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24648
    title Mandrake Linux Security Advisory : gd (MDKSA-2007:035)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0155.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25043
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25043
    title CentOS 3 / 4 : php (CESA-2007:0155)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0146.NASL
    description From Red Hat Security Advisory 2008:0146 : Updated gd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 67657
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67657
    title Oracle Linux 4 / 5 : gd (ELSA-2008-0146)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080228_GD_ON_SL4_X.NASL
    description Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60367
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60367
    title Scientific Linux Security Update : gd on SL4.x, SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0155.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25068
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25068
    title RHEL 3 / 4 : php (RHSA-2007:0155)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_CA139C7F2A8C11E5A4A5002590263BF5.NASL
    description Mitre reports : Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image. meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WMF file. Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) via a crafted WMF file to the (1) wmf2gd or (2) wmf2eps command. Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted 'run-length count' in an image in a WMF file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84782
    published 2015-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84782
    title FreeBSD : libwmf -- multiple vulnerabilities (ca139c7f-2a8c-11e5-a4a5-002590263bf5)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-036.NASL
    description Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Libwmf uses an embedded copy of the gd source and may also be affected by this issue. Packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24649
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24649
    title Mandrake Linux Security Advisory : libwmf (MDKSA-2007:036)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0153.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25325
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25325
    title RHEL 5 : php (RHSA-2007:0153)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0153.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25095
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25095
    title CentOS 5 : php (CESA-2007:0153)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-038.NASL
    description PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ';' in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path. (CVE-2006-6383) Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. PHP uses an embedded copy of GD and may be susceptible to the same issue. (CVE-2007-0455) Updated packages have been patched to correct these issues. Users must restart Apache for the changes to take effect.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24651
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24651
    title Mandrake Linux Security Advisory : php (MDKSA-2007:038)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-150.NASL
    description - Mon Jan 29 2007 Ivana Varekova - 2.0.33-7 - Resolves: #224610 CVE-2007-0455 gd buffer overrun Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24325
    published 2007-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24325
    title Fedora Core 5 : gd-2.0.33-7.fc5 (2007-150)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-19033.NASL
    description - Mon Dec 6 2010 Caolan McNamara - 0.2.8.4-27 - Resolves: rhbz#660161 security issues Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 51415
    published 2011-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51415
    title Fedora 14 : libwmf-0.2.8.4-27.fc14 (2010-19033)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL7859.NASL
    description The remote BIG-IP device is missing a patch required by a security advisory.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78215
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78215
    title F5 Networks BIG-IP : Multiple PHP vulnerabilities (SOL7859)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-19022.NASL
    description - Mon Dec 6 2010 Caolan McNamara - 0.2.8.4-22 - Resolves: rhbz#660161 security issues Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 51414
    published 2011-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51414
    title Fedora 13 : libwmf-0.2.8.4-22.fc13 (2010-19022)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0155.NASL
    description From Red Hat Security Advisory 2007:0155 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67471
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67471
    title Oracle Linux 3 / 4 : php (ELSA-2007-0155)
oval via4
accepted 2013-04-29T04:13:05.695-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
family unix
id oval:org.mitre.oval:def:11303
status accepted
submitted 2010-07-09T03:56:16-04:00
title Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2007:0153
  • rhsa
    id RHSA-2007:0155
  • rhsa
    id RHSA-2007:0162
  • rhsa
    id RHSA-2008:0146
rpms
  • php-0:5.1.6-11.el5
  • php-bcmath-0:5.1.6-11.el5
  • php-cli-0:5.1.6-11.el5
  • php-common-0:5.1.6-11.el5
  • php-dba-0:5.1.6-11.el5
  • php-devel-0:5.1.6-11.el5
  • php-gd-0:5.1.6-11.el5
  • php-imap-0:5.1.6-11.el5
  • php-ldap-0:5.1.6-11.el5
  • php-mbstring-0:5.1.6-11.el5
  • php-mysql-0:5.1.6-11.el5
  • php-ncurses-0:5.1.6-11.el5
  • php-odbc-0:5.1.6-11.el5
  • php-pdo-0:5.1.6-11.el5
  • php-pgsql-0:5.1.6-11.el5
  • php-snmp-0:5.1.6-11.el5
  • php-soap-0:5.1.6-11.el5
  • php-xml-0:5.1.6-11.el5
  • php-xmlrpc-0:5.1.6-11.el5
  • php-0:4.3.2-40.ent
  • php-devel-0:4.3.2-40.ent
  • php-imap-0:4.3.2-40.ent
  • php-ldap-0:4.3.2-40.ent
  • php-mysql-0:4.3.2-40.ent
  • php-odbc-0:4.3.2-40.ent
  • php-pgsql-0:4.3.2-40.ent
  • php-0:4.3.9-3.22.4
  • php-devel-0:4.3.9-3.22.4
  • php-domxml-0:4.3.9-3.22.4
  • php-gd-0:4.3.9-3.22.4
  • php-imap-0:4.3.9-3.22.4
  • php-ldap-0:4.3.9-3.22.4
  • php-mbstring-0:4.3.9-3.22.4
  • php-mysql-0:4.3.9-3.22.4
  • php-ncurses-0:4.3.9-3.22.4
  • php-odbc-0:4.3.9-3.22.4
  • php-pear-0:4.3.9-3.22.4
  • php-pgsql-0:4.3.9-3.22.4
  • php-snmp-0:4.3.9-3.22.4
  • php-xmlrpc-0:4.3.9-3.22.4
  • gd-0:2.0.28-5.4E.el4_6.1
  • gd-devel-0:2.0.28-5.4E.el4_6.1
  • gd-progs-0:2.0.28-5.4E.el4_6.1
  • gd-0:2.0.33-9.4.el5_1.1
  • gd-devel-0:2.0.33-9.4.el5_1.1
  • gd-progs-0:2.0.33-9.4.el5_1.1
refmap via4
bid 22289
bugtraq 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql
confirm
fedora
  • FEDORA-2007-150
  • FEDORA-2010-19022
  • FEDORA-2010-19033
mandriva
  • MDKSA-2007:035
  • MDKSA-2007:036
  • MDKSA-2007:038
  • MDKSA-2007:109
mlist [security-announce] 20070208 rPSA-2007-0028-1 gd
secunia
  • 23916
  • 24022
  • 24052
  • 24053
  • 24107
  • 24143
  • 24151
  • 24924
  • 24945
  • 24965
  • 25575
  • 29157
  • 42813
trustix 2007-0007
ubuntu USN-473-1
vupen
  • ADV-2007-0400
  • ADV-2011-0022
statements via4
contributor Mark J Cox
lastmodified 2007-05-14
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234312 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 07-03-2011 - 21:49
Published 30-01-2007 - 12:28
Last modified 16-10-2018 - 12:32