ID CVE-2016-10168
Summary Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
References
Vulnerable Configurations
  • libgd 2.2.3
    cpe:2.3:a:libgd:libgd:2.2.3
CVSS
Base: 6.8 (as of 16-03-2017 - 10:31)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-804.NASL
    description Multiple security issues have been found in the GD Graphics Library. They may lead to the execution of arbitrary code or causing application crash. CVE-2016-9317 Signed integer overflow in gd_io.c CVE-2016-10167 Improper handling of issing image data can cause crash CVE-2016-10168 GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, what can cause integer overflows. For Debian 7 'Wheezy', these problems have been fixed in version 2.0.36~rc1~dfsg-6.1+deb7u8. We recommend that you upgrade your libgd2 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 96839
    published 2017-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96839
    title Debian DLA-804-1 : libgd2 security update
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-120-01.NASL
    description New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-05-01
    plugin id 109432
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109432
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3221.NASL
    description From Red Hat Security Advisory 2017:3221 : An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A NULL pointer dereference flaw was found in libgd. An attacker could use a specially crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168)
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 104618
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104618
    title Oracle Linux 7 : php (ELSA-2017-3221)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-3221.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A NULL pointer dereference flaw was found in libgd. An attacker could use a specially crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104584
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104584
    title CentOS 7 : php (CESA-2017:3221)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0459-1.NASL
    description This update for gd fixes the following security issues : - CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) allowed remote attackers to cause a denial of service (system hang) via an oversized image. (bsc#1022283) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to libgd running out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead to memory corruption (bsc#1022265) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97186
    published 2017-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97186
    title SUSE SLES11 Security Update : gd (SUSE-SU-2017:0459-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-304.NASL
    description This update for php7 fixes the following security issues : - CVE-2016-7480: The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP did not verify that a key is an object, which allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (bsc#1019568) - CVE-2017-5340: Zend/zend_hash.c in PHP mishandled certain cases that require large array allocations, which allowed remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data. (bsc#1019570) - CVE-2016-7479: In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may have lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. (bsc#1019547) - CVE-2016-7478: Zend/zend_exceptions.c in PHP allowed remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. (bsc#1019550) - CVE-2016-10159: Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (bsc#1022255) - CVE-2016-10160: Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (bsc#1022257) - CVE-2016-10161: The object_common1 function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. (bsc#1022260) - CVE-2016-10162: The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7 allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (bsc#1022262) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the PHP gd module (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to php out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the gd module could lead to memory corruption (bsc#1022265) - CVE-2016-9138: PHP mishandled property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup. (bsc#1008026) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-03-07
    plugin id 97563
    published 2017-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97563
    title openSUSE Security Update : php7 (openSUSE-2017-304)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3213-1.NASL
    description Stefan Esser discovered that the GD library incorrectly handled memory when processing certain images. If a user or automated system were tricked into processing a specially crafted image, an attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10166) It was discovered that the GD library incorrectly handled certain malformed images. If a user or automated system were tricked into processing a specially crafted image, an attacker could cause a denial of service. (CVE-2016-10167) It was discovered that the GD library incorrectly handled certain malformed images. If a user or automated system were tricked into processing a specially crafted image, an attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2016-10168) Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed TGA images. If a user or automated system were tricked into processing a specially crafted TGA image, an attacker could cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6906) Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed WebP images. If a user or automated system were tricked into processing a specially crafted WebP image, an attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6912) It was discovered that the GD library incorrectly handled creating oversized images. If a user or automated system were tricked into creating a specially crafted image, an attacker could cause a denial of service. (CVE-2016-9317) It was discovered that the GD library incorrectly handled filling certain images. If a user or automated system were tricked into filling an image, an attacker could cause a denial of service. (CVE-2016-9933). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 97468
    published 2017-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97468
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : libgd2 vulnerabilities (USN-3213-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0534-1.NASL
    description This update for php7 fixes the following security issues : - CVE-2016-7480: The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP did not verify that a key is an object, which allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (bsc#1019568) - CVE-2017-5340: Zend/zend_hash.c in PHP mishandled certain cases that require large array allocations, which allowed remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data. (bsc#1019570) - CVE-2016-7479: In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may have lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. (bsc#1019547) - CVE-2016-7478: Zend/zend_exceptions.c in PHP allowed remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. (bsc#1019550) - CVE-2016-10159: Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (bsc#1022255) - CVE-2016-10160: Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (bsc#1022257) - CVE-2016-10161: The object_common1 function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. (bsc#1022260) - CVE-2016-10162: The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7 allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (bsc#1022262) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the PHP gd module (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to php out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the gd module could lead to memory corruption (bsc#1022265) - CVE-2016-9138: PHP mishandled property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup. (bsc#1008026) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 119993
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119993
    title SUSE SLES12 Security Update : php7 (SUSE-SU-2017:0534-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0468-1.NASL
    description This update for gd fixes the following security issues : - CVE-2016-6906: An out-of-bounds read in TGA decompression was fixed which could have lead to crashes. (bsc#1022553) - CVE-2016-6912: Double free vulnerability in the gdImageWebPtr function in the GD Graphics Library (aka libgd) allowed remote attackers to have unspecified impact via large width and height values. (bsc#1022284) - CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) allowed remote attackers to cause a denial of service (system hang) via an oversized image. (bsc#1022283) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the GD Graphics Library (aka libgd) (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to libgd running out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead to memory corruption (bsc#1022265) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97203
    published 2017-02-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97203
    title SUSE SLED12 / SLES12 Security Update : gd (SUSE-SU-2017:0468-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-199-02.NASL
    description New gd packages are available for Slackware 14.2 and -current to fix security issues.
    last seen 2019-02-21
    modified 2017-09-21
    plugin id 101790
    published 2017-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101790
    title Slackware 14.2 / current : gd (SSA:2017-199-02)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171115_PHP_ON_SL7_X.NASL
    description Security Fix(es) : - A NULL pointer dereference flaw was found in libgd. An attacker could use a specially crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 104624
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104624
    title Scientific Linux Security Update : php on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3221.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A NULL pointer dereference flaw was found in libgd. An attacker could use a specially crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104568
    published 2017-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104568
    title RHEL 7 : php (RHSA-2017:3221)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-3221.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A NULL pointer dereference flaw was found in libgd. An attacker could use a specially crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 104674
    published 2017-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104674
    title Virtuozzo 7 : php / php-bcmath / php-cli / php-common / php-dba / etc (VZLSA-2017-3221)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3777.NASL
    description Multiple vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96912
    published 2017-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96912
    title Debian DSA-3777-1 : libgd2 - security update
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1302.NASL
    description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A null pointer dereference flaw was found in libgd. An attacker could use a specially-crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially-crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104920
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104920
    title EulerOS 2.0 SP2 : php (EulerOS-SA-2017-1302)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-812.NASL
    description Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. (CVE-2016-10168) In all versions of PHP 7, during the unserialization process, resizing the 'properties'; hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. (CVE-2016-7479) The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. (CVE-2016-10161) Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (CVE-2016-10160) The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (CVE-2016-10162) It was found that the exif_convert_any_to_int() function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service. (CVE-2016-10158) Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (CVE-2016-10159) The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. (CVE-2016-10167) Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.(CVE-2017-5340)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 99039
    published 2017-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99039
    title Amazon Linux AMI : php70 (ALAS-2017-812)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-808.NASL
    description Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.(CVE-2016-10168) The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.(CVE-2016-10161) Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.(CVE-2016-10160) It was found that the exif_convert_any_to_int() function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service.(CVE-2016-10158) Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.(CVE-2016-10159) The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.(CVE-2016-10167)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 99035
    published 2017-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99035
    title Amazon Linux AMI : php56 (ALAS-2017-808)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1301.NASL
    description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A null pointer dereference flaw was found in libgd. An attacker could use a specially-crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. (CVE-2016-10167) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially-crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application. (CVE-2016-10168) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104919
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104919
    title EulerOS 2.0 SP1 : php (EulerOS-SA-2017-1301)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-041-03.NASL
    description New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2017-09-21
    plugin id 97103
    published 2017-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97103
    title Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2017-041-03)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-289.NASL
    description This update for gd fixes the following security issues : - CVE-2016-6906: An out-of-bounds read in TGA decompression was fixed which could have lead to crashes. (bsc#1022553) - CVE-2016-6912: Double free vulnerability in the gdImageWebPtr function in the GD Graphics Library (aka libgd) allowed remote attackers to have unspecified impact via large width and height values. (bsc#1022284) - CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) allowed remote attackers to cause a denial of service (system hang) via an oversized image. (bsc#1022283) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the GD Graphics Library (aka libgd) (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to libgd running out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead to memory corruption (bsc#1022265) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-02-24
    plugin id 97369
    published 2017-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97369
    title openSUSE Security Update : gd (openSUSE-2017-289)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0568-1.NASL
    description This update for php53 fixes the following security issues : - CVE-2016-7478: When unserializing untrusted input data, PHP could end up in an infinite loop, causing denial of service (bsc#1019550) - CVE-2016-10158: The exif_convert_any_to_int function in ext/exif/exif.c in PHP allowed remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1. (bsc#1022219) - CVE-2016-10159: Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (bsc#1022255) - CVE-2016-10160: Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (bsc#1022257) - CVE-2016-10161: The object_common1 function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. (bsc#1022260) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the PHP gd module (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to php out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the gd module could lead to memory corruption (bsc#1022265) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97431
    published 2017-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97431
    title SUSE SLES11 Security Update : php53 (SUSE-SU-2017:0568-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0556-1.NASL
    description This update for php5 fixes the following issues : - CVE-2016-7478: When unserializing untrusted input data, PHP could end up in an infinite loop, causing denial of service (bsc#1019550) - CVE-2016-10158: The exif_convert_any_to_int function in ext/exif/exif.c in PHP allowed remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1. (bsc#1022219) - CVE-2016-10159: Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (bsc#1022255) - CVE-2016-10160: Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (bsc#1022257) - CVE-2016-10161: The object_common1 function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. (bsc#1022260) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the PHP gd module (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to php out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the gd module could lead to memory corruption (bsc#1022265) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 119994
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119994
    title SUSE SLES12 Security Update : php5 (SUSE-SU-2017:0556-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2522-1.NASL
    description This update for php53 fixes the several issues. These security issues were fixed : - CVE-2017-12933: The finish_nested_data function in ext/standard/var_unserializer.re was prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054430). - CVE-2017-11628: Stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could have caused a denial of service or potentially allowed executing code (bsc#1050726). - CVE-2017-7890: The GIF decoding function gdImageCreateFromGifCtx in the GD Graphics Library did not zero colorMap arrays use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information (bsc#1050241). - CVE-2016-5766: Integer overflow in the _gd2GetHeader in the GD Graphics Library (aka libgd) allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via crafted chunk dimensions in an image (bsc#986386). - CVE-2017-11145: An error in the date extension's timelib_meridian parsing code could have been used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function (bsc#1048112). - CVE-2017-11146: Lack of bounds checks in timelib_meridian parse code could have lead to information leak [bsc#1048111] - CVE-2016-10397: Incorrect handling of various URI components in the URL parser could have been used by attackers to bypass hostname-specific URL checks (bsc#1047454). - CVE-2017-11147: The PHAR archive handler could have been used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function (bsc#1048094). - CVE-2017-11144: The openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could have lead to a crash of the PHP interpreter (bsc#1048096). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103317
    published 2017-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103317
    title SUSE SLES11 Security Update : php53 (SUSE-SU-2017:2522-1)
redhat via4
advisories
  • bugzilla
    id 1418986
    title CVE-2016-10168 gd: Integer overflow in gd_io.c
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment php is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221015
        • comment php is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195006
      • AND
        • comment php-bcmath is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221047
        • comment php-bcmath is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195048
      • AND
        • comment php-cli is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221025
        • comment php-cli is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195044
      • AND
        • comment php-common is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221041
        • comment php-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195010
      • AND
        • comment php-dba is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221009
        • comment php-dba is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195054
      • AND
        • comment php-devel is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221023
        • comment php-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195032
      • AND
        • comment php-embedded is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221005
        • comment php-embedded is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195038
      • AND
        • comment php-enchant is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221045
        • comment php-enchant is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195026
      • AND
        • comment php-fpm is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221029
        • comment php-fpm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20130514036
      • AND
        • comment php-gd is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221043
        • comment php-gd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195056
      • AND
        • comment php-intl is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221019
        • comment php-intl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195030
      • AND
        • comment php-ldap is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221007
        • comment php-ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195046
      • AND
        • comment php-mbstring is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221039
        • comment php-mbstring is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195042
      • AND
        • comment php-mysql is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221017
        • comment php-mysql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195008
      • AND
        • comment php-mysqlnd is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221031
        • comment php-mysqlnd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141013028
      • AND
        • comment php-odbc is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221035
        • comment php-odbc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195020
      • AND
        • comment php-pdo is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221033
        • comment php-pdo is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195018
      • AND
        • comment php-pgsql is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221027
        • comment php-pgsql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195014
      • AND
        • comment php-process is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221051
        • comment php-process is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195016
      • AND
        • comment php-pspell is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221021
        • comment php-pspell is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195028
      • AND
        • comment php-recode is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221049
        • comment php-recode is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195050
      • AND
        • comment php-snmp is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221011
        • comment php-snmp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195036
      • AND
        • comment php-soap is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221013
        • comment php-soap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195024
      • AND
        • comment php-xml is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221053
        • comment php-xml is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195022
      • AND
        • comment php-xmlrpc is earlier than 0:5.4.16-43.el7_4
          oval oval:com.redhat.rhsa:tst:20173221037
        • comment php-xmlrpc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195052
    rhsa
    id RHSA-2017:3221
    released 2017-11-15
    severity Moderate
    title RHSA-2017:3221: php security update (Moderate)
  • rhsa
    id RHSA-2018:1296
rpms
  • php-0:5.4.16-43.el7_4
  • php-bcmath-0:5.4.16-43.el7_4
  • php-cli-0:5.4.16-43.el7_4
  • php-common-0:5.4.16-43.el7_4
  • php-dba-0:5.4.16-43.el7_4
  • php-devel-0:5.4.16-43.el7_4
  • php-embedded-0:5.4.16-43.el7_4
  • php-enchant-0:5.4.16-43.el7_4
  • php-fpm-0:5.4.16-43.el7_4
  • php-gd-0:5.4.16-43.el7_4
  • php-intl-0:5.4.16-43.el7_4
  • php-ldap-0:5.4.16-43.el7_4
  • php-mbstring-0:5.4.16-43.el7_4
  • php-mysql-0:5.4.16-43.el7_4
  • php-mysqlnd-0:5.4.16-43.el7_4
  • php-odbc-0:5.4.16-43.el7_4
  • php-pdo-0:5.4.16-43.el7_4
  • php-pgsql-0:5.4.16-43.el7_4
  • php-process-0:5.4.16-43.el7_4
  • php-pspell-0:5.4.16-43.el7_4
  • php-recode-0:5.4.16-43.el7_4
  • php-snmp-0:5.4.16-43.el7_4
  • php-soap-0:5.4.16-43.el7_4
  • php-xml-0:5.4.16-43.el7_4
  • php-xmlrpc-0:5.4.16-43.el7_4
refmap via4
bid 95869
confirm
debian DSA-3777
mlist
  • [oss-security] 20170126 CVE Requests: libgd: potential unsigned onderflow, denial-of-service in gdImageCreateFromGd2Ctx and signed overflow in gd_io.c
  • [oss-security] 20170128 Re: CVE Requests: libgd: potential unsigned onderflow, denial-of-service in gdImageCreateFromGd2Ctx and signed overflow in gd_io.c
sectrack 1037659
Last major update 16-03-2017 - 14:31
Published 15-03-2017 - 11:59
Last modified 03-05-2018 - 21:29
Back to Top