CVE-2007-3996

Published: 4 September 2007

Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
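The fix for this class of bug is to check that the requested dimensions cannot wrap the size computation before any buffer is allocated. The following is an added example, not code from this tracker page, libgd or PHP: it shows how an unchecked 32-bit product silently wraps for a large width or height, beside a check that rejects such dimensions. The row-pointer-plus-rows allocation layout and the caller-supplied byte budget are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* 1 if a * b does not fit in size_t, 0 otherwise. */
static int mul_overflows(size_t a, size_t b) {
    return a != 0 && b > SIZE_MAX / a;
}

/* The hazard: an unchecked 32-bit byte count wraps modulo 2^32, so a huge
 * image can request a tiny (even zero-byte) buffer and later writes run
 * past it. Computed in uint32_t so the wrap is well defined and portable. */
uint32_t unchecked_total32(int sx, int sy, uint32_t pixel_size) {
    return (uint32_t)sx * (uint32_t)sy * pixel_size;
}

/* Validate sx (width) and sy (height) before allocating anything.
 * pixel_size: sizeof(int) for a true-colour image, 1 for a palette image
 *             (assumed layout for this example).
 * budget:     maximum number of bytes the caller is willing to allocate.
 * Returns the exact byte count (row pointer table + all rows) on success,
 * or 0 if a dimension is non-positive, any intermediate product would wrap,
 * or the total exceeds the budget. */
size_t gd_image_bytes(int sx, int sy, size_t pixel_size, size_t budget) {
    if (sx <= 0 || sy <= 0 || pixel_size == 0)
        return 0;
    size_t w = (size_t)sx, h = (size_t)sy;
    if (mul_overflows(h, sizeof(void *)))      /* table of sy row pointers */
        return 0;
    size_t table_bytes = h * sizeof(void *);
    if (mul_overflows(w, pixel_size))          /* one row of sx pixels */
        return 0;
    size_t row_bytes = w * pixel_size;
    if (mul_overflows(h, row_bytes))           /* all sy rows */
        return 0;
    size_t pixel_bytes = h * row_bytes;
    if (pixel_bytes > SIZE_MAX - table_bytes)  /* the final addition */
        return 0;
    size_t total = pixel_bytes + table_bytes;
    if (total > budget)
        return 0;
    return total;
}
```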

Priority

Medium

Status

Package   Release    Status

libgd2 (Launchpad, Ubuntu, Debian)
          dapper     Released (2.0.33-2ubuntu5.3)
          edgy       Released (2.0.33-4ubuntu2.2)
          feisty     Released (2.0.34~rc1-2ubuntu1.2)
          gutsy      Released (2.0.34-1ubuntu1.1)
          hardy      Not vulnerable (2.0.35.dfsg-3ubuntu1)
          intrepid   Not vulnerable (2.0.35.dfsg-3ubuntu1)
          upstream   Released (2.0.35)

php5 (Launchpad, Ubuntu, Debian)
          dapper     Released (5.1.2-1ubuntu3.13)
          edgy       Needed (reached end-of-life)
          feisty     Needed (reached end-of-life)
          gutsy      Released (5.2.3-1ubuntu6.5)
          hardy      Not vulnerable (5.2.4-2ubuntu3)
          intrepid   Not vulnerable (5.2.4-2ubuntu3)
          upstream   Released (5.2.4)
Patches:
vendor: http://www.mandriva.com/security/advisories?name=MDKSA-2007:187
upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29

Notes

Author: jdstrand

Note: this is gdImageCreate and gdImageCreateTrueColor. dapper-gutsy libgd2 are affected to varying degrees. php5-gd segfaults on feisty and gutsy before patching libgd2, and dapper-gutsy segfault after (this is because feisty-gutsy had a partial fix already in libgd2). php5-gd is not handling the error condition when libgd2 fails properly. Verified that 5.2.4 works with patched libgd2.

References