CVE-2009-3546
Published 2009-10-19
Priority: P340 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 10.21% (95.1th percentile)
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libgd2 | < libgd2 2.0.36~rc1~dfsg-3.1 (bookworm) | libgd2 2.0.36~rc1~dfsg-3.1 (bookworm) |
| debian | libwmf | < libgd2 2.0.36~rc1~dfsg-3.1 (bookworm) | libgd2 2.0.36~rc1~dfsg-3.1 (bookworm) |
| debian | racket | < libgd2 2.0.36~rc1~dfsg-3.1 (bookworm) | libgd2 2.0.36~rc1~dfsg-3.1 (bookworm) |
| libgd | gd_graphics_library | — | — |
| libgd | gd_graphics_library | — | — |
| libgd | gd_graphics_library | — | — |
| libgd | gd_graphics_library | — | — |
| php | php | — | — |
| php | php | — | — |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
| racket | racket | >= 0 < 5.0.2-1 | 5.0.2-1 |
CVSS provenance
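| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.3 | CRITICAL | v2.0 AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | MEDIUM | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 4.3 | MEDIUM | — |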
Ubuntu
GD library vulnerabilities
vendor_ubuntu·2009-11-05·CVSS 4.3
CVE-2007-3476 [MEDIUM] GD library vulnerabilities
Tomas Hoger discovered that the GD library did not properly handle the
number of colors in certain malformed GD images. If a user or automated
system were tricked into processing a specially crafted GD image, an
attacker could cause a denial of service or possibly execute arbitrary
code. (CVE-2009-3546)
It was discovered that the GD library did not properly handle incorrect
color indexes. An attacker could send specially crafted input to
applications linked against libgd2 and cause a denial of service or
possibly execute arbitrary code. This issue only affected Ubuntu 6.06 LTS.
(CVE-2009-3293)
It was discovered that the GD library did not properly handle certain
malformed GIF images. If a user or automated system wer
Red Hat
gd: insufficient input validation in _gdGetColors()
vendor_redhat·2009-10-12·CVSS 7.5
CVE-2009-3546 [HIGH] CWE-20 gd: insufficient input validation in _gdGetColors()
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
Package: libwmf (Red Hat Enterprise Linux 4) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 5) - Will not fix
Package: gd (Red Hat Enterprise Linux 6) - Affected
Package: libwmf (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2009-3546: libgd2 - The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and t...
vendor_debian·2009·CVSS 7.5
CVE-2009-3546 [HIGH] CVE-2009-3546: libgd2 - The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and t...
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
Scope: local
bookworm: resolved (fixed in 2.0.36~rc1~dfsg-3.1)
bullseye: resolved (fixed in 2.0.36~rc1~dfsg-3.1)
forky: resolved (fixed in 2.0.36~rc1~dfsg-3.1)
sid: resolved (fixed in 2.0.36~rc1~dfsg-3.1)
trixie: resolved (fixed in 2.0.36~rc1~dfsg-3.1)
GHSA
GHSA-w7xp-2c87-fchc: The _gdGetColors function in gd_gd
ghsa_unreviewed·2022-05-02·CVSS 7.5
CVE-2009-3546 [HIGH] CWE-119 GHSA-w7xp-2c87-fchc: The _gdGetColors function in gd_gd
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
OSV
CVE-2009-3546: The _gdGetColors function in gd_gd
osv·2009-10-19·CVSS 7.5
CVE-2009-3546 [HIGH] CVE-2009-3546: The _gdGetColors function in gd_gd
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-3546 gd: insufficient input validation in _gdGetColors() [fedora-all]
bugzilla·2012-06-11·CVSS 9.3
CVE-2009-3546 [CRITICAL] CVE-2009-3546 gd: insufficient input validation in _gdGetColors() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=secur
Bugzilla
Embeds vulnerable version of gd prone to many CVEs
bugzilla·2010-12-05·CVSS 7.5
CVE-2007-0455 [HIGH] Embeds vulnerable version of gd prone to many CVEs
Description of problem:
libwmf embeds an old version of gd (2.0.1beta) which has a number of vulnerabilities associated with it.
CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Cursory inspection of one of the patch diffs shows that no patches have been applied to libwmf.
Version-Release number of selected component (if applicable):
Name: libwmf
Version: 0.2.8.4
Release: 26.fc14
Additional info:
Ideally, the system wide gd library could be used instead of the embedded copy. This would prevent future issues like this from happening.
Discussion:
The reason libgd was ever embedded is because the original version back then didn't have a clipping mechanism. The new one does,
Bugzilla
CVE-2009-3546 gd: insufficient input validation in _gdGetColors()
bugzilla·2009-10-15·CVSS 7.5
CVE-2009-3546 [HIGH] CVE-2009-3546 gd: insufficient input validation in _gdGetColors()
While investigating CVE-2009-3293 (bug #524217) fixed in PHP 5.2.11, it was discovered that _gdGetColors() (in libgd/gd_gd.c) does not properly check values read from the input GD file, making it possible to set im->colorsTotal to a value greater than gdMaxColors. GD code assumes that colorsTotal is always less than or equal to gdMaxColors, as it is used as an upper bound when accessing arrays with gdMaxColors size. A higher colorsTotal value can lead to buffer over-reads or over-writes in multiple places.
Issue was reported and fixed upstream:
http://svn.php.net/viewvc?view=revision&revision=289557
Fix should get included in the future PHP and GD versions.
Note: GD image format is not meant for general purpose use and shou
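The invariant described in the report above (colorsTotal must never exceed gdMaxColors, because later code uses it as a loop bound over fixed-size tables), shown as an added C example that is not taken from this page or from the GD or PHP source. The struct, the function names, the 16-bit big-endian count field, and MAX_COLORS = 256 standing in for gdMaxColors are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_COLORS 256   /* assumption: stands in for gdMaxColors */

/* Simplified palette image: fixed-size tables, valid up to colors_total. */
struct pal_image {
    int colors_total;
    int red[MAX_COLORS], green[MAX_COLORS], blue[MAX_COLORS];
};

/* Read a 16-bit big-endian color count from untrusted input and enforce
 * colors_total <= MAX_COLORS before storing it.
 * Returns 0 on success, -1 on truncated or out-of-range input. */
int load_colors_total(struct pal_image *im, const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;
    unsigned total = ((unsigned)buf[0] << 8) | buf[1];
    if (total > MAX_COLORS) return -1;   /* the check the report says was missing */
    im->colors_total = (int)total;
    return 0;
}

/* Typical consumer: trusts colors_total as the loop bound over the tables.
 * It stays in bounds only because the loader enforced the invariant. */
int find_exact_color(const struct pal_image *im, int r, int g, int b)
{
    for (int i = 0; i < im->colors_total; i++)
        if (im->red[i] == r && im->green[i] == g && im->blue[i] == b)
            return i;
    return -1;
}

int main(void)
{
    struct pal_image im = {0};
    const uint8_t ok[]  = {0x01, 0x00};   /* constructed input: 256 colors */
    const uint8_t bad[] = {0x01, 0x01};   /* constructed input: 257 colors */
    printf("256 -> %d\n", load_colors_total(&im, ok, sizeof ok));
    printf("257 -> %d\n", load_colors_total(&im, bad, sizeof bad));
    return 0;
}
```

Rejecting the file at load time keeps every later consumer of colors_total safe without auditing each loop individually.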
http://marc.info/?l=oss-security&m=125562113503923&w=2
http://secunia.com/advisories/37069
http://secunia.com/advisories/37080
http://secunia.com/advisories/38055
http://svn.php.net/viewvc?view=revision&revision=289557
http://www.mandriva.com/security/advisories?name=MDVSA-2009:285
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://www.redhat.com/support/errata/RHSA-2010-0003.html
http://www.securityfocus.com/bid/36712
http://www.vupen.com/english/advisories/2009/2929
http://www.vupen.com/english/advisories/2009/2930
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11199