CVE-2007-0455
Published 2007-01-30
CVE-2007-0455: Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service…
Priority: high (CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 11.69% (95.5th percentile)
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | libgd2 | < libgd2 2.0.35.dfsg-1 (bookworm) | libgd2 2.0.35.dfsg-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gd_graphics_library_project | gd_graphics_library | <= 2.0.33 | — |
| php | php | >= 4.4.0 < 4.4.7 | 4.4.7 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
GHSA
GHSA-v7pw-4467-76mh: Buffer overflow in the gdImageStringFTEx function in gdft
ghsa_unreviewed·2022-05-01·CVE-2007-0455 [HIGH]·CWE-119
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
OSV
CVE-2007-0455: Buffer overflow in the gdImageStringFTEx function in gdft
osv·2007-01-30·CVSS 7.5·CVE-2007-0455 [HIGH]
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
Ubuntu
libgd2 vulnerabilities
vendor_ubuntu·2007-06-12·CVSS 7.5·CVE-2007-0455 [HIGH]
A buffer overflow was discovered in libgd2's font renderer. By tricking
an application using libgd2 into rendering a specially crafted string
with a JIS encoded font, a remote attacker could read heap memory or
crash the application, leading to a denial of service. (CVE-2007-0455)
Xavier Roche discovered that libgd2 did not correctly validate PNG
callback results. If an application were tricked into processing a
specially crafted PNG image, it would monopolize CPU resources. Since
libgd2 is often used in PHP and Perl web applications, this could lead
to a remote denial of service. (CVE-2007-2756)
Instructions: After a standard system upgrade you need to reboot your computer to effect the necessary changes.
Red Hat
gd: buffer overrun
vendor_redhat·2007-01-26·CVSS 7.5·CVE-2007-0455 [HIGH]
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234312
Red Hat Product Security has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: https://access.redhat.com/security/updates/classification/
Package: libwmf (Red Hat Enterprise Linux 4) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 5) - Will not fix
Package: libwmf
Debian
CVE-2007-0455: libgd2 - Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Libra...
vendor_debian·2007·CVSS 7.5·CVE-2007-0455 [HIGH]
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
Scope: local
bookworm: resolved (fixed in 2.0.35.dfsg-1)
bullseye: resolved (fixed in 2.0.35.dfsg-1)
forky: resolved (fixed in 2.0.35.dfsg-1)
sid: resolved (fixed in 2.0.35.dfsg-1)
trixie: resolved (fixed in 2.0.35.dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
Embeds vulnerable version of gd prone to many CVEs
bugzilla·2010-12-05·CVSS 7.5·CVE-2007-0455 [HIGH]
Description of problem:
libwmf embeds an old version of gd (2.0.1beta) which has a number of vulnerabilities associated with it.
CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Cursory inspection of one of the patch diffs shows that no patches have been applied to libwmf.
Version-Release number of selected component (if applicable):
Name: libwmf
Version: 0.2.8.4
Release: 26.fc14
Additional info:
Ideally, the system wide gd library could be used instead of the embedded copy. This would prevent future issues like this from happening.
Discussion:
The reason libgd was ever embedded because the original version back then didn't have a clipping mechanism. The new one does,
Bugzilla
CVE-2007-0455 gd buffer overrun
bugzilla·2007-03-28·CVSS 7.5·CVE-2007-0455 [HIGH]
+++ This bug was initially created as a clone of Bug #224607 +++
Kees Cook from Ubuntu reported an "off-the-end-of-string increment", which could
theoretically lead to a buffer overflow.
This flaw would only be exploitable if a JIS-encoded font is used when
processing a special malicious string.
The issue here is that the NULL terminator is incremented, which could lead to
unknown results during the processing of the malicious string.
Index: gdft.c
RCS file: /repository/gd/libgd/gdft.c,v
retrieving revision 1.28
diff -u -p -r1.28 gdft.c
--- gdft.c 3 Jan 2007 21:21:21 -0000 1.28
+++ gdft.c 24 Jan 2007 23:00:55 -0000
@@ -1178,7 +1178,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d
{
ch = c & 0xFF; /* don't extend sign */
}
- next++;
+ if (*next) next++;
}
bre
Bugzilla
CVE-2007-0455 gd buffer overrun
bugzilla·2007-01-26·CVSS 7.5·CVE-2007-0455 [HIGH]
+++ This bug was initially created as a clone of Bug #224607 +++
Kees Cook from Ubuntu reported an "off-the-end-of-string increment", which could
theoretically lead to a buffer overflow.
This flaw would only be exploitable if a JIS-encoded font is used when
processing a special malicious string.
The issue here is that the NULL terminator is incremented, which could lead to
unknown results during the processing of the malicious string.
Index: gdft.c
RCS file: /repository/gd/libgd/gdft.c,v
retrieving revision 1.28
diff -u -p -r1.28 gdft.c
--- gdft.c 3 Jan 2007 21:21:21 -0000 1.28
+++ gdft.c 24 Jan 2007 23:00:55 -0000
@@ -1178,7 +1178,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d
{
ch = c & 0xFF; /* don't extend sign */
}
- next++;
+ if (*next) next++;
}
bre
Bugzilla
CVE-2007-0455 gd: buffer overrun
bugzilla·2007-01-26·CVSS 7.5·CVE-2007-0455 [HIGH]
Kees Cook from Ubuntu reported an "off-the-end-of-string increment", which could
theoretically lead to a buffer overflow.
This flaw would only be exploitable if a JIS-encoded font is used when
processing a special malicious string.
The issue here is that the NULL terminator is incremented, which could lead to
unknown results during the processing of the malicious string.
Index: gdft.c
RCS file: /repository/gd/libgd/gdft.c,v
retrieving revision 1.28
diff -u -p -r1.28 gdft.c
--- gdft.c 3 Jan 2007 21:21:21 -0000 1.28
+++ gdft.c 24 Jan 2007 23:00:55 -0000
@@ -1178,7 +1178,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d
{
ch = c & 0xFF; /* don't extend sign */
}
- next++;
+ if (*next) next++;
}
break;
case gdFTEX_Big5:
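Review bot: the guard `if (*next) next++;` stops the walker from advancing past the string's NUL terminator in this JIS branch, but the hunk does not show the enclosing loop's exit test; leaving `next` parked on the terminator is only safe if that loop checks `*next` before the next iteration, otherwise the same position is processed again, so confirm the loop condition in the surrounding code. A one-line comment on the new line explaining why the increment is conditional would also help, since a bare `if (*next) next++;` reads like a no-op guard to the next maintainer.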
Discussion:
This flaw does not affect gd
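To make the "off-the-end-of-string increment" concrete, the following is an added C model of the JIS string walk (constructed for this page, not libgd's gdft.c code): it runs the same string through the unguarded `next++` and through the patched `if (*next) next++;` and reports how far each walker travels. The lead-byte range 0xA1..0xFE, the sample strings and the loop shape are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the gdft.c Shift-JIS walk; not libgd's code.
 * A lead byte in 0xA1..0xFE (assumed range) is followed by one trail byte. */
static int is_lead(unsigned char c) { return c >= 0xA1 && c <= 0xFE; }

/* Sample inputs (constructed): a lone lead byte right before the NUL, with
 * sentinel bytes after the terminator so an over-read is observable, and a
 * well-formed string mixing a single-byte and a two-byte character. */
static const unsigned char CRAFTED[]     = { 0xA1, 0x00, 'X', 'Y', 'Z', 0x00 };
static const unsigned char WELL_FORMED[] = { 'A', 0xA1, 'B', 0x00 };

/* Walks s as the vulnerable loop does (guard == 0) or as the patched loop
 * does (guard == 1, i.e. `if (*next) next++;`). Returns how far next ends
 * up from s; more than strlen(s) means the walker stepped over the
 * terminator. bufsize bounds the walk so the model itself never reads
 * outside the sample buffer. */
static size_t bytes_consumed(const unsigned char *s, size_t bufsize, int guard)
{
    const unsigned char *next = s;
    while ((size_t)(next - s) < bufsize && *next) {
        unsigned char c = *next;
        int ch;
        if (is_lead(c)) {
            next++;                     /* trail byte; may be the NUL itself */
            ch = 0x100 * (c & 0x7F) + (*next & 0x7F);
        } else {
            ch = c & 0xFF;              /* don't extend sign */
        }
        (void)ch;                       /* a renderer would draw ch here */
        if (guard) {
            if (*next) next++;          /* patched: never advance past NUL */
        } else {
            next++;                     /* original: steps over the NUL */
        }
    }
    return (size_t)(next - s);
}

int main(void)
{
    printf("crafted, unpatched: %zu bytes walked (strlen %zu)\n",
           bytes_consumed(CRAFTED, sizeof CRAFTED, 0),
           strlen((const char *)CRAFTED));
    printf("crafted, patched:   %zu bytes walked\n",
           bytes_consumed(CRAFTED, sizeof CRAFTED, 1));
    return 0;
}
```

On the crafted input the unpatched walker consumes the sentinel bytes beyond the terminator (5 bytes for a 1-byte string), which is the heap over-read the Ubuntu advisory describes; the patched walker stops at 1, and both agree on the well-formed string.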
References
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224607
http://fedoranews.org/cms/node/2631
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052848.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052854.html
http://lists.rpath.com/pipermail/security-announce/2007-February/000145.html
http://rhn.redhat.com/errata/RHSA-2007-0155.html
http://secunia.com/advisories/23916
http://secunia.com/advisories/24022
http://secunia.com/advisories/24052
http://secunia.com/advisories/24053
http://secunia.com/advisories/24107
http://secunia.com/advisories/24143
http://secunia.com/advisories/24151
http://secunia.com/advisories/24924
http://secunia.com/advisories/24945
http://secunia.com/advisories/24965
http://secunia.com/advisories/25575
http://secunia.com/advisories/29157
http://secunia.com/advisories/42813
http://www.mandriva.com/security/advisories?name=MDKSA-2007:035
http://www.mandriva.com/security/advisories?name=MDKSA-2007:036
http://www.mandriva.com/security/advisories?name=MDKSA-2007:038
http://www.mandriva.com/security/advisories?name=MDKSA-2007:109
http://www.redhat.com/support/errata/RHSA-2007-0153.html
http://www.redhat.com/support/errata/RHSA-2007-0162.html
http://www.redhat.com/support/errata/RHSA-2008-0146.html
http://www.securityfocus.com/archive/1/466166/100/0/threaded
http://www.securityfocus.com/bid/22289
http://www.trustix.org/errata/2007/0007
http://www.ubuntu.com/usn/usn-473-1
http://www.vupen.com/english/advisories/2007/0400
http://www.vupen.com/english/advisories/2011/0022
https://issues.rpath.com/browse/RPL-1030
https://issues.rpath.com/browse/RPL-1268
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11303