CVE-2007-3996
Published: 2007-09-04
CVE-2007-3996: Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary…
Priority P428 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 4.22% (89.7th percentile)
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libgd2 | < libgd2 2.0.35.dfsg-1 (bookworm) | libgd2 2.0.35.dfsg-1 (bookworm) |
| debian | libwmf | < libgd2 2.0.35.dfsg-1 (bookworm) | libgd2 2.0.35.dfsg-1 (bookworm) |
| debian | racket | < libgd2 2.0.35.dfsg-1 (bookworm) | libgd2 2.0.35.dfsg-1 (bookworm) |
| php | php | <= 5.2.3 | — |
| php | php | >= 4.0.0 < 4.4.8 | 4.4.8 |
| php | php | >= 5.0.0 < 5.2.4 | 5.2.4 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
CVSS provenance
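| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |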
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2009-02-12·CVSS 6.9
CVE-2008-3659 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: PHP vulnerabilities
It was discovered that PHP did not properly enforce php_admin_value and
php_admin_flag restrictions in the Apache configuration file. A local attacker
could create a specially crafted PHP script that would bypass intended security
restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS.
(CVE-2007-5900)
It was discovered that PHP did not correctly handle certain malformed font
files. If a PHP application were tricked into processing a specially crafted
font file, an attacker may be able to cause a denial of service and possibly
execute arbitrary code with application privileges. (CVE-2008-3658)
It was discovered that PHP did not properly check the delimiter argument to the
explode function. If a script passed u
Ubuntu
GD library vulnerability
vendor_ubuntu·2007-12-18
CVE-2007-3996 GD library vulnerability
Title: GD library vulnerability
Summary: GD library vulnerability
Mattias Bengtsson and Philip Olausson discovered that the GD
library did not properly perform bounds checking when creating
images. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service
or possibly execute arbitrary code.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
php multiple integer overflows in gd
vendor_redhat·2007-08-30·CVSS 6.8
CVE-2007-3996 [MEDIUM] CWE-190 php multiple integer overflows in gd
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
Debian
CVE-2007-3996: libgd2 - Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers t...
vendor_debian·2007·CVSS 6.8
CVE-2007-3996 [MEDIUM] CVE-2007-3996: libgd2 - Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers t...
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
Scope: local
bookworm: resolved (fixed in 2.0.35.dfsg-1)
bullseye: resolved (fixed in 2.0.35.dfsg-1)
forky: resolved (fixed in 2.0.35.dfsg-1)
sid: resolved (fixed in 2.0.35.dfsg-1)
trixie: resolved (fixed in 2.0.35.dfsg-1)
Red Hat
php integer overflow in strspn/strcspn
vendor_redhat·CVSS 6.8
CVE-2007-4657 [MEDIUM] php integer overflow in strspn/strcspn
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE: this affects different product versions than CVE-2007-3996.
Statement: The only effect of this bug is to cause the process to read from a random segment of memory, if a large "length" parameter is passed to the strspn/strcspn function, which is under the control of the script author. This bug has no security impact.
GHSA
GHSA-43ww-xqjh-ppmf: Multiple integer overflows in PHP 4 before 4
ghsa_unreviewed·2022-05-01·CVSS 6.8
CVE-2007-4657 [MEDIUM] CWE-119 GHSA-43ww-xqjh-ppmf: Multiple integer overflows in PHP 4 before 4
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE: this affects different product versions than CVE-2007-3996.
GHSA
GHSA-8378-c84x-wpqv: Multiple integer overflows in libgd in PHP before 5
ghsa_unreviewed·2022-05-01
CVE-2007-3996 [MEDIUM] GHSA-8378-c84x-wpqv: Multiple integer overflows in libgd in PHP before 5
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
OSV
CVE-2007-3996: Multiple integer overflows in libgd in PHP before 5
osv·2007-09-04·CVSS 6.8
CVE-2007-3996 [MEDIUM] CVE-2007-3996: Multiple integer overflows in libgd in PHP before 5
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2007-3996 php multiple integer overflows in gd
bugzilla·2007-09-05·CVSS 6.8
CVE-2007-3996 [MEDIUM] CVE-2007-3996 php multiple integer overflows in gd
http://www.php.net/releases/5_2_4.php
* Fixed several integer overflows inside the GD extension (Reported
by Mattias Bengtsson)
Discussion:
All children bugs have been closed, parent is no longer needed.
Bugzilla
CVE-2007-3472 libgd Integer overflow in TrueColor code
bugzilla·2007-09-04·CVSS 4.3
CVE-2007-3472 [MEDIUM] CVE-2007-3472 libgd Integer overflow in TrueColor code
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3472 to the following vulnerability:
Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.
References:
http://bugs.libgd.org/?do=details&task_id=89
Discussion:
This just leads to an unsuccessful attempt to allocate a huge amount of memory and a
NULL dereference in turn. Just a crash.
---
(In reply to comment #1)
> This just leads to an unsuccessful attempt to allocate a huge amount of memory
> and a NULL dereference in turn. Just a crash.
What you refer to here is more likely:
http://bugs.libgd.org/?do=details&task_id=14
http://cvs.php.net/vie