CVE-2016-3074
Published 2016-04-26
Priority: P2 · 71 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 36.97% (98.3th percentile)
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libgd2 | < libgd2 2.1.1-4.1 (bookworm) | libgd2 2.1.1-4.1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| libgd | libgd | — | — |
| opensuse | opensuse | — | — |
| php | php | >= 5.5.0 < 5.5.35 | 5.5.35 |
| php | php | >= 5.6.0 < 5.6.21 | 5.6.21 |
| php | php | >= 7.0.0 < 7.0.6 | 7.0.6 |
Detection & IOCs (extracted from sources)
- Trigger is a crafted compressed gd2 image file with a negative/oversized signed integer in the chunk index size field of the GD2 header, causing heap overflow via gdCalloc(compMax, 1) with a wrapped large value.
- The vulnerable code path is in _gd2GetHeader() in gd_gd2.c: the chunk index size is stored as a signed int (t_chunk_info.size), and a negative value passes the compMax check, then compMax++ wraps to a large positive value used in gdCalloc(), allocating a tiny buffer that is subsequently overflowed.
- Monitor PHP-FPM processes (php5-fpm / php-fpm) processing user-supplied GD2 image uploads for heap corruption crashes or unexpected code execution under www-data context.
- The exploit PoC uses a bind-shell technique over a configurable port (e.g. 5555); monitor for unexpected outbound/inbound connections from web server worker processes after image upload requests.
- Inspect uploaded files for the .gd2 / compressed GD2 format magic bytes being submitted to PHP endpoints that invoke GD image processing functions (e.g. imagecreatefromgd2()).
- The exploit PoC was demonstrated specifically against Ubuntu 15.10 amd64 with nginx + php5-fpm + php5-gd; exploitability and offset values will differ on other distributions, architectures, or PHP versions.
- The bind-port used in the PoC (5555) is a configurable parameter and not a fixed indicator; attackers may use any port.
- Red Hat marked all affected packages (php, gd on RHEL 5/6/7 and php54-php/php55-php in RHSC) as 'Will not fix', so patched RPMs are not available from Red Hat for those platforms.
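A defender-side pre-check for the header condition described above, added here as an example and not code from libgd, PHP or any source this page quotes: it parses the GD2 header and chunk index using the field layout from libgd's gd_gd2.c (big-endian 16-bit words, then signed 32-bit offset/size pairs for the compressed formats) and rejects the negative chunk sizes that libgd 2.1.1 accepted. The function names and the sample byte strings are constructed for the example.

```python
import struct

GD2_MAGIC = b"gd2\x00"
COMPRESSED_FORMATS = {2, 4}        # GD2_FMT_COMPRESSED, GD2_FMT_TRUECOLOR_COMPRESSED
CHUNKSIZE_MIN, CHUNKSIZE_MAX = 64, 4096
# Header as libgd's _gd2GetHeader() reads it: magic, then big-endian 16-bit
# words for version, width, height, chunk size, format, ncx, ncy.
HEADER = struct.Struct(">4s7H")
# Chunk index entries are SIGNED 32-bit offset/size pairs (t_chunk_info).
INDEX_ENTRY = struct.Struct(">ii")


def check_gd2_header(data: bytes):
    """Return (ok, reason) for a GD2 byte string; ok=False means reject the upload."""
    if len(data) < HEADER.size:
        return False, "truncated header"
    magic, vers, sx, sy, cs, fmt, ncx, ncy = HEADER.unpack_from(data, 0)
    if magic != GD2_MAGIC:
        return False, "not a gd2 file"
    if vers not in (1, 2):
        return False, f"unsupported version {vers}"
    if not CHUNKSIZE_MIN <= cs <= CHUNKSIZE_MAX:
        return False, f"chunk size {cs} out of range"
    if fmt not in (1, 2, 3, 4):
        return False, f"unknown format {fmt}"
    if fmt not in COMPRESSED_FORMATS:
        return True, "raw format, no chunk index to check"
    nchunks = ncx * ncy
    pos = HEADER.size
    if len(data) < pos + nchunks * INDEX_ENTRY.size:
        return False, "truncated chunk index"
    for i in range(nchunks):
        offset, size = INDEX_ENTRY.unpack_from(data, pos)
        pos += INDEX_ENTRY.size
        # CVE-2016-3074: libgd 2.1.1 kept size as a signed int and never
        # rejected negative values before sizing the compressed-chunk buffer.
        if offset < 0 or size < 0:
            return False, f"chunk {i}: negative offset/size ({offset}, {size})"
        # Extra defensive bound: the chunk must lie inside the file.
        if offset + size > len(data):
            return False, f"chunk {i}: extends past end of file"
    return True, f"{nchunks} chunk index entries ok"


def build_gd2(entries):
    """Constructed sample: compressed gd2 header, one chunk column, plus `entries`."""
    hdr = HEADER.pack(GD2_MAGIC, 2, 64, 64, 64, 2, 1, len(entries))
    return hdr + b"".join(INDEX_ENTRY.pack(o, s) for o, s in entries)


BENIGN = build_gd2([(26, 10)]) + b"\x00" * 10     # index entry points at 10 real bytes
MALICIOUS = build_gd2([(26, -1)])                  # size 0xFFFFFFFF is read as -1
```

Run it over files before they reach imagecreatefromgd2(); anything that fails the check is logged and dropped rather than decoded.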
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
GHSA
GHSA-cqf2-847w-787m: Integer signedness error in GD Graphics Library 2
ghsa_unreviewed·2022-05-14
CVE-2016-3074 [CRITICAL] CWE-681 GHSA-cqf2-847w-787m: Integer signedness error in GD Graphics Library 2
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
OSV
libgd2 vulnerabilities
osv·2016-05-31·CVSS 4.3
CVE-2014-2497 [MEDIUM] libgd2 vulnerabilities
libgd2 vulnerabilities
It was discovered that the GD library incorrectly handled certain color
tables in XPM images. If a user or automated system were tricked into
processing a specially crafted XPM image, an attacker could cause a denial
of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-2497)
It was discovered that the GD library incorrectly handled certain malformed
GIF images. If a user or automated system were tricked into processing a
specially crafted GIF image, an attacker could cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9709)
It was discovered that the GD library incorrectly handled memory when using
gdImageFillToBorder(). A remote attacker could possibly use this issue to
cause a deni
OSV
CVE-2016-3074: Integer signedness error in GD Graphics Library 2
osv·2016-04-26·CVSS 9.8
CVE-2016-3074 [CRITICAL] CVE-2016-3074: Integer signedness error in GD Graphics Library 2
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
Ubuntu
GD library vulnerabilities
vendor_ubuntu·2016-05-31·CVSS 4.3
CVE-2014-2497 [MEDIUM] GD library vulnerabilities
Title: GD library vulnerabilities
Summary: The GD library could be made to crash or run programs if it processed a
specially crafted image file.
It was discovered that the GD library incorrectly handled certain color
tables in XPM images. If a user or automated system were tricked into
processing a specially crafted XPM image, an attacker could cause a denial
of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-2497)
It was discovered that the GD library incorrectly handled certain malformed
GIF images. If a user or automated system were tricked into processing a
specially crafted GIF image, an attacker could cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9709)
It was discovered that the GD library i
Red Hat
php: Signedness vulnerability causing heap overflow in libgd
vendor_redhat·2016-04-22·CVSS 9.8
CVE-2016-3074 [CRITICAL] CWE-122 php: Signedness vulnerability causing heap overflow in libgd
php: Signedness vulnerability causing heap overflow in libgd
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: gd (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: gd (Red Hat Enterprise Linux 7) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php54-php (Red Hat Software Collections) - Will not fix
Package: php55-php (Red Hat Software Collections) - Will not fix
Debian
CVE-2016-3074: libgd2 - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allo...
vendor_debian·2016·CVSS 9.8
CVE-2016-3074 [CRITICAL] CVE-2016-3074: libgd2 - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allo...
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
Scope: local
bookworm: resolved (fixed in 2.1.1-4.1)
bullseye: resolved (fixed in 2.1.1-4.1)
forky: resolved (fixed in 2.1.1-4.1)
sid: resolved (fixed in 2.1.1-4.1)
trixie: resolved (fixed in 2.1.1-4.1)
No detection rules found.
Bugzilla
CVE-2016-3074 gd: php: Signedness vulnerability causing heap overflow in libgd [fedora-all]
bugzilla·2016-04-22·CVSS 9.8
CVE-2016-3074 [CRITICAL] CVE-2016-3074 gd: php: Signedness vulnerability causing heap overflow in libgd [fedora-all]
CVE-2016-3074 gd: php: Signedness vulnerability causing heap overflow in libgd [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd [fedora-all]
bugzilla·2016-04-22·CVSS 9.8
CVE-2016-3074 [CRITICAL] CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd [fedora-all]
CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
bugzilla·2016-03-29·CVSS 9.8
CVE-2016-3074 [CRITICAL] CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
A signedness vulnerability was found in libgd 2.1.1 which may result in a heap overflow when processing maliciously crafted .gd2 files.
Discussion:
Acknowledgments:
Name: Hans Jerry Illikainen
---
=> https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
---
Created gd tracking bugs for this issue:
Affects: fedora-all [bug 1329564]
---
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1329563]
---
Public via:
http://seclists.org/oss-sec/2016/q2/128
---
gd-2.1.1-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
---
gd-2.1.1-7.fc24 has been pushed to the Fedora 24 stable repository
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183263.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183724.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html
- http://packetstormsecurity.com/files/136757/libgd-2.1.1-Signedness.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://seclists.org/fulldisclosure/2016/Apr/72
- http://www.debian.org/security/2016/dsa-3556
- http://www.debian.org/security/2016/dsa-3602
- http://www.securityfocus.com/archive/1/538160/100/0/threaded
- http://www.securityfocus.com/bid/87087
- http://www.securitytracker.com/id/1035659
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.383127
- http://www.ubuntu.com/usn/USN-2987-1
- https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-04
- https://security.gentoo.org/glsa/201611-22
- https://www.exploit-db.com/exploits/39736/