ID CVE-2009-3546
Summary The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
References
Vulnerable Configurations
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.33
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.36:rc1
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.35
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.35:rc1
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.35:rc2
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.35:rc3
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.35:rc4
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.35:rc5
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.34
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.34:rc1
  • cpe:2.3:a:libgd:gd_graphics_library:2.0.34:rc2
  • PHP 5.3.0
    cpe:2.3:a:php:php:5.3.0
  • PHP 5.2.11
    cpe:2.3:a:php:php:5.2.11
CVSS
Base: 9.3 (as of 20-10-2009 - 09:02)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like an MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4E8344A3CA5211DE8EE800215C6A37BB.NASL
    description CVE reports : The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 42428
    published 2009-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42428
    title FreeBSD : gd -- '_gdGetColors' remote buffer overflow vulnerability (4e8344a3-ca52-11de-8ee8-00215c6a37bb)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0003.NASL
    description From Red Hat Security Advisory 2010:0003 : Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67980
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67980
    title Oracle Linux 4 / 5 : gd (ELSA-2010-0003)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-9298.NASL
    description This is an update, that fixes insufficient input validation in _gdGetColors(). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 59799
    published 2012-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59799
    title Fedora 17 : gd-2.0.35-17.fc17 (2012-9298)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-854-1.NASL
    description Tomas Hoger discovered that the GD library did not properly handle the number of colors in certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code. (CVE-2009-3546) It was discovered that the GD library did not properly handle incorrect color indexes. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-3293) It was discovered that the GD library did not properly handle certain malformed GIF images. If a user or automated system were tricked into processing a specially crafted GIF image, an attacker could cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3475, CVE-2007-3476) It was discovered that the GD library did not properly handle large angle degree values. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service. This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3477). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42407
    published 2009-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42407
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : libgd2 vulnerabilities (USN-854-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-120-01.NASL
    description New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-05-01
    plugin id 109432
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109432
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-285.NASL
    description Multiple vulnerabilities have been found and corrected in php : The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). Additionally on CS4 a regression was found and fixed when using the gd-bundled.so variant from the php-gd package. This update fixes these vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 42199
    published 2009-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42199
    title Mandriva Linux Security Advisory : php (MDVSA-2009:285)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-324.NASL
    description Multiple vulnerabilities were discovered and corrected in php : The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function (CVE-2009-1271). - Fixed upstream bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files) (CVE-2009-2687). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293). However, in Mandriva we don't use the bundled libgd source in php by default; there is an unsupported package in contrib named php-gd-bundled that eventually will get updated to pick up these fixes. The php-suhosin package has been upgraded to 0.9.22 which has better support for apache vhosts. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a solution to these vulnerabilities.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 43043
    published 2009-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43043
    title Mandriva Linux Security Advisory : php (MDVSA-2009:324)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1936.NASL
    description Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0455 Kees Cook discovered a buffer overflow in libgd2's font renderer. An attacker could cause denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. This issue only affects the oldstable distribution (etch). - CVE-2009-3546 Tomas Hoger discovered a boundary error in the '_gdGetColors()' function. An attacker could conduct buffer overflow or buffer over-read attacks via a crafted GD file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44801
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44801
    title Debian DSA-1936-1 : libgd2 - several vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-0495.NASL
    description Update to the latest PHP 5.2 release which focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. See http://www.php.net/releases/5_2_12.php for more details. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47186
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47186
    title Fedora 11 : maniadrive-1.2-17.fc11 / php-5.2.12-1.fc11 (2010-0495)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0040.NASL
    description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292) A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017) Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request. It was discovered that PHP was affected by the previously published 'null prefix attack', caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291) It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43878
    published 2010-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43878
    title CentOS 3 / 4 / 5 : php (CESA-2010:0040)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201006-16.NASL
    description The remote host is affected by the vulnerability described in GLSA-201006-16 (GD: User-assisted execution of arbitrary code) Tomas Hoger reported that the _gdGetColors() function in gd_gd.c does not properly verify the colorsTotal struct member, possibly leading to a buffer overflow. Impact : A remote attacker could entice a user to open a specially crafted image file with a program using the GD library, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 46805
    published 2010-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46805
    title GLSA-201006-16 : GD: User-assisted execution of arbitrary code
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-284.NASL
    description A vulnerability has been found and corrected in gd : The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). This update fixes this vulnerability. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 42198
    published 2009-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42198
    title Mandriva Linux Security Advisory : gd (MDVSA-2009:284-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100104_GD_ON_SL4_X.NASL
    description A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60714
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60714
    title Scientific Linux Security Update : gd on SL4.x, SL5.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-9314.NASL
    description This is an update, that fixes insufficient input validation in _gdGetColors(). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 59800
    published 2012-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59800
    title Fedora 16 : gd-2.0.35-17.fc16 (2012-9314)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-604.NASL
    description It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application. (CVE-2015-0848 , CVE-2015-4588) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application. (CVE-2015-4696) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash. (CVE-2015-4695) The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. (CVE-2007-2756) Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. (CVE-2007-0455) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. (CVE-2009-3546) Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3472) The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86635
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86635
    title Amazon Linux AMI : libwmf (ALAS-2015-604)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201001-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Impact : A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 44892
    published 2010-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44892
    title GLSA-201001-03 : PHP: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0040.NASL
    description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292) A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017) Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request. It was discovered that PHP was affected by the previously published 'null prefix attack', caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291) It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 43883
    published 2010-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43883
    title RHEL 3 / 4 / 5 : php (RHSA-2010:0040)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_APACHE2-MOD_PHP5-100212.NASL
    description This update of php5 fixes: CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44680
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44680
    title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-1993)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-6847.NASL
    description This update of PHP5 fixes : - CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS). (CWE-79). (CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264))
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 49829
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49829
    title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6847)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_CA139C7F2A8C11E5A4A5002590263BF5.NASL
    description Mitre reports : Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image. meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WMF file. Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) via a crafted WMF file to the (1) wmf2gd or (2) wmf2eps command. Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted 'run-length count' in an image in a WMF file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84782
    published 2015-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84782
    title FreeBSD : libwmf -- multiple vulnerabilities (ca139c7f-2a8c-11e5-a4a5-002590263bf5)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-12017.NASL
    description Update to upstream PHP version 5.3.1 PHP 5.3.1 Release Announcement: http://www.php.net/releases/5_3_1.php Changelog: http://www.php.net/ChangeLog-5.php#5.3.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 43008
    published 2009-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43008
    title Fedora 12 : maniadrive-1.2-19.fc12 / php-5.3.1-1.fc12 (2009-12017)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0003.NASL
    description Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 43628
    published 2010-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43628
    title RHEL 4 / 5 : gd (RHSA-2010:0003)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0003.NASL
    description Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43625
    published 2010-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43625
    title CentOS 4 / 5 : gd (CESA-2010:0003)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-MOD_PHP5-100212.NASL
    description This update of PHP5 fixes : - CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) : Permissions, Privileges, and Access Control (CWE-264) - CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) : Permissions, Privileges, and Access Control (CWE-264) - Cross-Site Scripting (XSS). (CWE-79). (CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N)) - CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P) : Other (CWE-Other) - CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) : Input Validation (CWE-20) - CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P) : Other (CWE-Other) - CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P) : Other (CWE-Other) - Cross-Site Scripting (XSS) (CWE-79). (CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N))
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44686
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44686
    title SuSE 11 Security Update : PHP5 (SAT Patch Number 1978)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_APACHE2-MOD_PHP5-100215.NASL
    description This update of php5 fixes: CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44683
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44683
    title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-1993)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100113_PHP_ON_SL3_X.NASL
    description CVE-2009-2687 php: exif_read_data crash on corrupted JPEG files CVE-2009-3292 php: exif extension: Multiple missing sanity checks in EXIF file processing CVE-2009-3291 php: openssl extension: Incorrect verification of SSL certificate with NUL in name CVE-2009-3546 gd: insufficient input validation in _gdGetColors() CVE-2009-4017 PHP: resource exhaustion attack via upload requests with lots of files CVE-2009-4142 php: htmlspecialchars() insufficient checking of input for multi-byte encodings Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292) A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017) Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request. It was discovered that PHP was affected by the previously published 'null prefix attack', caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291) It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142) After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60723
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60723
    title Scientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-6846.NASL
    description This update of PHP5 fixes : - CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS). (CWE-79). (CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264))
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 44687
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44687
    title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6846)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0040.NASL
    description From Red Hat Security Advisory 2010:0040 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292) A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017) Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request. It was discovered that PHP was affected by the previously published 'null prefix attack', caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291) It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67986
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67986
    title Oracle Linux 3 / 4 / 5 : php (ELSA-2010-0040)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_APACHE2-MOD_PHP5-100212.NASL
    description This update of php5 fixes: CVE-2008-5624: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5625: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264) CVE-2008-5814: CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79) CVE-2009-2626: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P): Other (CWE-Other) CVE-2009-2687: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Input Validation (CWE-20) CVE-2009-3546: CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P): Other (CWE-Other) CVE-2009-4017: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Other (CWE-Other) CVE-2009-4142: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44678
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44678
    title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-1993)
oval via4
accepted 2013-04-29T04:12:16.577-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
family unix
id oval:org.mitre.oval:def:11199
status accepted
submitted 2010-07-09T03:56:16-04:00
title The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
version 24
redhat via4
advisories
bugzilla
id 529213
title CVE-2009-3546 gd: insufficient input validation in _gdGetColors()
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment gd is earlier than 0:2.0.28-5.4E.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100003002
        • comment gd is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20080146003
      • AND
        • comment gd-devel is earlier than 0:2.0.28-5.4E.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100003004
        • comment gd-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20080146007
      • AND
        • comment gd-progs is earlier than 0:2.0.28-5.4E.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100003006
        • comment gd-progs is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20080146005
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment gd is earlier than 0:2.0.33-9.4.el5_4.2
          oval oval:com.redhat.rhsa:tst:20100003009
        • comment gd is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080146010
      • AND
        • comment gd-devel is earlier than 0:2.0.33-9.4.el5_4.2
          oval oval:com.redhat.rhsa:tst:20100003013
        • comment gd-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080146012
      • AND
        • comment gd-progs is earlier than 0:2.0.33-9.4.el5_4.2
          oval oval:com.redhat.rhsa:tst:20100003011
        • comment gd-progs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080146014
rhsa
id RHSA-2010:0003
released 2010-01-04
severity Moderate
title RHSA-2010:0003: gd security update (Moderate)
rpms
  • gd-0:2.0.28-5.4E.el4_8.1
  • gd-devel-0:2.0.28-5.4E.el4_8.1
  • gd-progs-0:2.0.28-5.4E.el4_8.1
  • gd-0:2.0.33-9.4.el5_4.2
  • gd-devel-0:2.0.33-9.4.el5_4.2
  • gd-progs-0:2.0.33-9.4.el5_4.2
  • php-0:4.3.2-54.ent
  • php-devel-0:4.3.2-54.ent
  • php-imap-0:4.3.2-54.ent
  • php-ldap-0:4.3.2-54.ent
  • php-mysql-0:4.3.2-54.ent
  • php-odbc-0:4.3.2-54.ent
  • php-pgsql-0:4.3.2-54.ent
  • php-0:4.3.9-3.29
  • php-devel-0:4.3.9-3.29
  • php-domxml-0:4.3.9-3.29
  • php-gd-0:4.3.9-3.29
  • php-imap-0:4.3.9-3.29
  • php-ldap-0:4.3.9-3.29
  • php-mbstring-0:4.3.9-3.29
  • php-mysql-0:4.3.9-3.29
  • php-ncurses-0:4.3.9-3.29
  • php-odbc-0:4.3.9-3.29
  • php-pear-0:4.3.9-3.29
  • php-pgsql-0:4.3.9-3.29
  • php-snmp-0:4.3.9-3.29
  • php-xmlrpc-0:4.3.9-3.29
  • php-0:5.1.6-24.el5_4.5
  • php-bcmath-0:5.1.6-24.el5_4.5
  • php-cli-0:5.1.6-24.el5_4.5
  • php-common-0:5.1.6-24.el5_4.5
  • php-dba-0:5.1.6-24.el5_4.5
  • php-devel-0:5.1.6-24.el5_4.5
  • php-gd-0:5.1.6-24.el5_4.5
  • php-imap-0:5.1.6-24.el5_4.5
  • php-ldap-0:5.1.6-24.el5_4.5
  • php-mbstring-0:5.1.6-24.el5_4.5
  • php-mysql-0:5.1.6-24.el5_4.5
  • php-ncurses-0:5.1.6-24.el5_4.5
  • php-odbc-0:5.1.6-24.el5_4.5
  • php-pdo-0:5.1.6-24.el5_4.5
  • php-pgsql-0:5.1.6-24.el5_4.5
  • php-snmp-0:5.1.6-24.el5_4.5
  • php-soap-0:5.1.6-24.el5_4.5
  • php-xml-0:5.1.6-24.el5_4.5
  • php-xmlrpc-0:5.1.6-24.el5_4.5
refmap via4
bid 36712
confirm http://svn.php.net/viewvc?view=revision&revision=289557
mandriva MDVSA-2009:285
mlist
  • [oss-security] 20091015 Re: CVE Request -- PHP 5 - 5.2.11
  • [oss-security] 20091120 Re: CVE request: php 5.3.1 update
secunia
  • 37069
  • 37080
  • 38055
vupen
  • ADV-2009-2929
  • ADV-2009-2930
Last major update 25-08-2011 - 00:00
Published 19-10-2009 - 16:00
Last modified 18-09-2017 - 21:29