CVE-2014-9709
Published 2015-03-30
Priority: P4 · 28 · medium · 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 15.53% (96.4th percentile)
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_v10.11 | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libgd2 | < libgd2 2.1.0-5 (bookworm) | libgd2 2.1.0-5 (bookworm) |
| libgd | libgd | <= 2.1.1 | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| php | php | >= 5.4.0 < 5.4.40 | 5.4.40 |
| php | php | >= 5.5.0 < 5.5.21 | 5.5.21 |
| php | php | >= 5.6.0 < 5.6.5 | 5.6.5 |
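CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |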
GHSA
GHSA-p5p8-3769-2g8g: The GetCode_ function in gd_gif_in
ghsa_unreviewed·2022-05-13
CVE-2014-9709 [MEDIUM] CWE-119 GHSA-p5p8-3769-2g8g: The GetCode_ function in gd_gif_in
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
OSV
libgd2 vulnerabilities
osv·2016-05-31·CVSS 4.3
CVE-2014-2497 [MEDIUM] libgd2 vulnerabilities
It was discovered that the GD library incorrectly handled certain color
tables in XPM images. If a user or automated system were tricked into
processing a specially crafted XPM image, an attacker could cause a denial
of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-2497)
It was discovered that the GD library incorrectly handled certain malformed
GIF images. If a user or automated system were tricked into processing a
specially crafted GIF image, an attacker could cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9709)
It was discovered that the GD library incorrectly handled memory when using
gdImageFillToBorder(). A remote attacker could possibly use this issue to
cause a deni
OSV
CVE-2014-9709: The GetCode_ function in gd_gif_in
osv·2015-03-30·CVSS 5.0
CVE-2014-9709 [MEDIUM] CVE-2014-9709: The GetCode_ function in gd_gif_in
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
CISA ICS
Festo Didactic SE MES PC
cisa_ics·2026-01-27·CVSS 7.5
[HIGH] Festo Didactic SE MES PC
ICS Advisory
## Festo Didactic SE MES PC
Release Date: January 27, 2026
Alert Code: ICSA-26-027-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Ubuntu
GD library vulnerabilities
vendor_ubuntu·2016-05-31·CVSS 4.3
CVE-2014-2497 [MEDIUM] GD library vulnerabilities
Title: GD library vulnerabilities
Summary: The GD library could be made to crash or run programs if it processed a
specially crafted image file.
It was discovered that the GD library incorrectly handled certain color
tables in XPM images. If a user or automated system were tricked into
processing a specially crafted XPM image, an attacker could cause a denial
of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-2497)
It was discovered that the GD library incorrectly handled certain malformed
GIF images. If a user or automated system were tricked into processing a
specially crafted GIF image, an attacker could cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9709)
It was discovered that the GD library i
Red Hat
gd: buffer read overflow in gd_gif_in.c
vendor_redhat·2014-12-13·CVSS 5.0
CVE-2014-9709 [MEDIUM] CWE-119 gd: buffer read overflow in gd_gif_in.c
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
A buffer over-read flaw was found in the GD library. A specially crafted GIF file could cause an application using the gdImageCreateFromGif() function to crash.
Package: gd (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: gd (Red Hat Enterprise Linux 6) - Will not fix
Package: gd (Red Hat Enterprise Linux 7) - Will not fix
Package:
Debian
CVE-2014-9709: libgd2 - The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP bef...
vendor_debian·2014·CVSS 5.0
CVE-2014-9709 [MEDIUM] CVE-2014-9709: libgd2 - The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP bef...
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
Scope: local
bookworm: resolved (fixed in 2.1.0-5)
bullseye: resolved (fixed in 2.1.0-5)
forky: resolved (fixed in 2.1.0-5)
sid: resolved (fixed in 2.1.0-5)
trixie: resolved (fixed in 2.1.0-5)
Apple
CVE-2014-9709: OS X El Capitan v10.11
vendor_apple·CVSS 5.0
CVE-2014-9709 [MEDIUM] CVE-2014-9709: OS X El Capitan v10.11
Apple Security Update: About the security content of OS X El Capitan v10.11
Product: OS X El Capitan v10.11
CVE: CVE-2014-9709
Component: CVE-2014-9709
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c
bugzilla·2015-02-03·CVSS 5.0
CVE-2014-9709 [MEDIUM] CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c
Possible buffer read overflow was fixed upstream [1].
This was also reported against PHP:
https://bugs.php.net/bug.php?id=68601 (bug is private, fixed in PHP 5.6.5)
[1]: https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
Discussion:
PHP Commits
http://git.php.net/?p=php-src.git;a=commitdiff;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c
http://git.php.net/?p=php-src.git;a=commitdiff;h=5fc2fede9c7c963c950d8b96dcc0f7af88b4d695
---
Fixed in 5.5.21 and 5.6.5
---
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EU
Bugzilla
CVE-2014-3916 ruby: DoS via long string in str_buf_cat()
bugzilla·2014-11-17·CVSS 5.0
CVE-2014-3916 [MEDIUM] CVE-2014-3916 ruby: DoS via long string in str_buf_cat()
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3916 to
the following vulnerability:
Name: CVE-2014-3916
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3916
Assigned: 20140529
Reference: http://seclists.org/oss-sec/2014/q2/362
Reference: http://seclists.org/oss-sec/2014/q2/375
Reference: https://bugs.ruby-lang.org/issues/9709
Reference: http://www.securityfocus.com/bid/67705
Reference: http://xforce.iss.net/xforce/xfdb/93505
The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1
allows context-dependent attackers to cause a denial of service
(segmentation fault and crash) via a long string.
Statement:
This issue did not affect the versions of ruby as shipped with Red Hat Enterprise
References
http://advisories.mageia.org/MGASA-2015-0040.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html
http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html
http://marc.info/?l=bugtraq&m=143403519711434&w=2
http://php.net/ChangeLog-5.php
http://rhn.redhat.com/errata/RHSA-2015-1053.html
http://rhn.redhat.com/errata/RHSA-2015-1066.html
http://rhn.redhat.com/errata/RHSA-2015-1135.html
http://rhn.redhat.com/errata/RHSA-2015-1218.html
http://www.debian.org/security/2015/dsa-3215
http://www.mandriva.com/security/advisories?name=MDVSA-2015:153
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/73306
http://www.securitytracker.com/id/1033703
http://www.ubuntu.com/usn/USN-2987-1
https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
https://bugs.php.net/bug.php?id=68601
https://bugzilla.redhat.com/show_bug.cgi?id=1188639
https://security.gentoo.org/glsa/201606-10
https://security.gentoo.org/glsa/201607-04
https://support.apple.com/HT205267