CVE-2016-9317
published 2017-01-26CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an…
PriorityP422medium5.5CVSS 3.0
AVLACLPRNUIRSUCNINAH
EPSS
3.58%
88.0th percentile
The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libgd2 | < libgd2 2.2.4-1 (bookworm) | libgd2 2.2.4-1 (bookworm) |
| libgd | libgd | <= 2.2.3 | — |
CVSS provenance
nvdv3.05.5MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.07.1HIGHAV:N/AC:M/Au:N/C:N/I:N/A:C
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian5.5MEDIUM
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
GD library vulnerabilities
vendor_ubuntu·2017-02-28·CVSS 9.8
CVE-2016-10166 [CRITICAL] GD library vulnerabilities
Title: GD library vulnerabilities
Summary: The GD library could be made to crash or run programs if it processed a
specially crafted image file.
Stefan Esser discovered that the GD library incorrectly handled memory when
processing certain images. If a user or automated system were tricked into
processing a specially crafted image, an attacker could cause a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10166)
It was discovered that the GD library incorrectly handled certain malformed
images. If a user or automated system were tricked into processing a
specially crafted image, an attacker could cause a denial of service.
(CVE-2016-10167)
It was discovered that the GD library incorrectly hand
Red Hat
gd: Missing check for oversized images in gdImageCreate()
vendor_redhat·2016-11-12·CVSS 5.5
CVE-2016-9317 [MEDIUM] CWE-20 gd: Missing check for oversized images in gdImageCreate()
gd: Missing check for oversized images in gdImageCreate()
The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image.
Package: gd (Red Hat Enterprise Linux 5) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: gd (Red Hat Enterprise Linux 6) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
Package: gd (Red Hat Enterprise Linux 7) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 7) - Not affected
Package: php (Red Hat Enterprise Linux 7
Debian
CVE-2016-9317: libgd2 - The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 a...
vendor_debian·2016·CVSS 5.5
CVE-2016-9317 [MEDIUM] CVE-2016-9317: libgd2 - The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 a...
The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image.
Scope: local
bookworm: resolved (fixed in 2.2.4-1)
bullseye: resolved (fixed in 2.2.4-1)
forky: resolved (fixed in 2.2.4-1)
sid: resolved (fixed in 2.2.4-1)
trixie: resolved (fixed in 2.2.4-1)
VulDB
GD Graphics Library up to 2.2.3 Image gdImageCreate input validation (FEDORA-2017-2717b02630 / Nessus ID 96706)
vuldb·2026-05-14·CVSS 5.5
CVE-2016-9317 [MEDIUM] GD Graphics Library up to 2.2.3 Image gdImageCreate input validation (FEDORA-2017-2717b02630 / Nessus ID 96706)
A vulnerability was found in GD Graphics Library up to 2.2.3 and classified as problematic. Affected by this vulnerability is the function gdImageCreate of the component Image Handler. The manipulation results in improper input validation.
This vulnerability is known as CVE-2016-9317. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
GHSA-7pf6-3qr6-mjfr: The gdImageCreate function in the GD Graphics Library (aka libgd) before 2
ghsa_unreviewed·2022-05-17
CVE-2016-9317 [HIGH] CWE-20 GHSA-7pf6-3qr6-mjfr: The gdImageCreate function in the GD Graphics Library (aka libgd) before 2
The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image.
OSV
libgd2 vulnerabilities
osv·2017-02-28·CVSS 9.8
CVE-2016-10166 [CRITICAL] libgd2 vulnerabilities
libgd2 vulnerabilities
Stefan Esser discovered that the GD library incorrectly handled memory when
processing certain images. If a user or automated system were tricked into
processing a specially crafted image, an attacker could cause a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10166)
It was discovered that the GD library incorrectly handled certain malformed
images. If a user or automated system were tricked into processing a
specially crafted image, an attacker could cause a denial of service.
(CVE-2016-10167)
It was discovered that the GD library incorrectly handled certain malformed
images. If a user or automated system were tricked into processing a
specially crafted image, an atta
OSV
CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) before 2
osv·2017-01-26·CVSS 5.5
CVE-2016-9317 [MEDIUM] CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) before 2
The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-10166 CVE-2016-10167 CVE-2016-10168 CVE-2016-6912 CVE-2016-9317 libwmf: various flaws [fedora-all]
bugzilla·2017-02-03·CVSS 9.8
CVE-2016-10166 [CRITICAL] CVE-2016-10166 CVE-2016-10167 CVE-2016-10168 CVE-2016-6912 CVE-2016-9317 libwmf: various flaws [fedora-all]
CVE-2016-10166 CVE-2016-10167 CVE-2016-10168 CVE-2016-6912 CVE-2016-9317 libwmf: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2016-9317 gd: Missing check for oversized images in gdImageCreate()
bugzilla·2017-01-31·CVSS 5.5
CVE-2016-9317 [MEDIUM] CVE-2016-9317 gd: Missing check for oversized images in gdImageCreate()
CVE-2016-9317 gd: Missing check for oversized images in gdImageCreate()
The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image.
Upstream patch:
https://github.com/libgd/libgd/commit/1846f48e5fcdde996e7c27a4bbac5d0aef183e4b
Discussion:
Created libwmf tracking bugs for this issue:
Affects: fedora-all [bug 1418992]
---
There has been no movement on this issue for four months. Is this going to be worked on?
---
(In reply to Carl Song from comment #2)
> There has been no movement on this issue for four months. Is this going to
> be worked on?
Still working on this one, should have the affects by the end of this week.
---
The previous upstream patch described in comment
http://www.debian.org/security/2017/dsa-3777http://www.securityfocus.com/bid/95841https://github.com/libgd/libgd/blob/gd-2.2.4/CHANGELOG.mdhttps://github.com/libgd/libgd/commit/1846f48e5fcdde996e7c27a4bbac5d0aef183e4bhttp://www.debian.org/security/2017/dsa-3777http://www.securityfocus.com/bid/95841https://github.com/libgd/libgd/blob/gd-2.2.4/CHANGELOG.mdhttps://github.com/libgd/libgd/commit/1846f48e5fcdde996e7c27a4bbac5d0aef183e4b
2017-01-26
Published