CVE-2017-6362
published 2017-09-07CVE-2017-6362: Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a…
PriorityP337high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
5.10%
91.3th percentile
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libgd2 | < libgd2 2.2.5-1 (bookworm) | libgd2 2.2.5-1 (bookworm) |
| fedoraproject | fedora | — | — |
| libgd | libgd | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
GD library vulnerability
vendor_ubuntu·2017-09-05
CVE-2017-6362 GD library vulnerability
Title: GD library vulnerability
Summary: GD library could be made to crash if it opened a specially crafted
file.
It was discovered that the GD Graphics Library (aka libgd) incorrectly handled
certain malformed PNG images. A remote attacker could use this issue to cause the GD Graphics Library
to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
GD library vulnerability
vendor_ubuntu·2017-09-05
CVE-2017-6362 GD library vulnerability
Title: GD library vulnerability
Summary: GD library could be made to crash if it opened a specially crafted file.
USN-3410-1 fixed a vulnerability in GD Graphics Library.
This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that the GD Graphics Library (aka libgd) incorrectly handled
certain malformed PNG images. A remote attacker could use this issue to cause
the GD Graphics Library to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
gd: Double free in the gdImagePngPtr function
vendor_redhat·2017-08-30·CVSS 7.5
CVE-2017-6362 [HIGH] CWE-416 gd: Double free in the gdImagePngPtr function
gd: Double free in the gdImagePngPtr function
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
Package: gd (Red Hat Enterprise Linux 5) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: gd (Red Hat Enterprise Linux 6) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: gd (Red Hat Enterprise Linux 7) - Will not fix
Package: libwmf (Red Hat Enterprise Linux 7) - Will not fix
Package: php (Red Hat Enterprise Linux 7)
Debian
CVE-2017-6362: libgd2 - Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 a...
vendor_debian·2017·CVSS 7.5
CVE-2017-6362 [HIGH] CVE-2017-6362: libgd2 - Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 a...
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
Scope: local
bookworm: resolved (fixed in 2.2.5-1)
bullseye: resolved (fixed in 2.2.5-1)
forky: resolved (fixed in 2.2.5-1)
sid: resolved (fixed in 2.2.5-1)
trixie: resolved (fixed in 2.2.5-1)
GHSA
GHSA-hc3p-jvff-jfw5: Double free vulnerability in the gdImagePngPtr function in libgd2 before 2
ghsa_unreviewed·2022-05-17
CVE-2017-6362 [HIGH] CWE-415 GHSA-hc3p-jvff-jfw5: Double free vulnerability in the gdImagePngPtr function in libgd2 before 2
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
OSV
CVE-2017-6362: Double free vulnerability in the gdImagePngPtr function in libgd2 before 2
osv·2017-09-07·CVSS 7.5
CVE-2017-6362 [HIGH] CVE-2017-6362: Double free vulnerability in the gdImagePngPtr function in libgd2 before 2
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-6362 gd: Double free in the gdImagePngPtr function
bugzilla·2017-09-08·CVSS 7.5
CVE-2017-6362 [HIGH] CVE-2017-6362 gd: Double free in the gdImagePngPtr function
CVE-2017-6362 gd: Double free in the gdImagePngPtr function
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
Upstream issue:
https://github.com/libgd/libgd/issues/381
Upstream patch:
https://github.com/libgd/libgd/commit/56ce6ef068b954ad28379e83cca04feefc51320c
Discussion:
Created libwmf tracking bugs for this issue:
Affects: fedora-all [bug 1489844]
Bugzilla
CVE-2017-6362 libwmf: gd: Double free in the gdImagePngPtr function [fedora-all]
bugzilla·2017-09-08·CVSS 7.5
CVE-2017-6362 [HIGH] CVE-2017-6362 libwmf: gd: Double free in the gdImagePngPtr function [fedora-all]
CVE-2017-6362 libwmf: gd: Double free in the gdImagePngPtr function [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versi
http://www.debian.org/security/2017/dsa-3961https://github.com/libgd/libgd/issues/381https://github.com/libgd/libgd/releases/tag/gd-2.2.5https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2BLXX7KNRE7ZVQAKGTHHWS33CUCXVUP/http://www.debian.org/security/2017/dsa-3961https://github.com/libgd/libgd/issues/381https://github.com/libgd/libgd/releases/tag/gd-2.2.5https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2BLXX7KNRE7ZVQAKGTHHWS33CUCXVUP/
2017-09-07
Published