Your submission was sent successfully! Close

CVE-2007-3996

Published: 4 September 2007

Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.

Notes

AuthorNote
jdstrand
note this is gdImageCreate and gdImageCreateTrueColor
dapper-gutsy libgd2 are affected to varying degrees
php5-gd segfaults on feisty and gutsy before patching libgd2,
and dapper-gutsy segfault after (this is because feisty-gutsy had a partial
fix already in libgd2).  php5-gd is not handling the error condition when
libgd2 fails properly.  Verified that 5.2.4 works with patched libgd2.
Priority

Medium

Status

Package Release Status
libgd2
Launchpad, Ubuntu, Debian
dapper
Released (2.0.33-2ubuntu5.3)
edgy
Released (2.0.33-4ubuntu2.2)
feisty
Released (2.0.34~rc1-2ubuntu1.2)
gutsy
Released (2.0.34-1ubuntu1.1)
hardy Not vulnerable
(2.0.35.dfsg-3ubuntu1)
intrepid Not vulnerable
(2.0.35.dfsg-3ubuntu1)
upstream
Released (2.0.35)
php5
Launchpad, Ubuntu, Debian
dapper
Released (5.1.2-1ubuntu3.13)
edgy Needed
(reached end-of-life)
feisty Needed
(reached end-of-life)
gutsy
Released (5.2.3-1ubuntu6.5)
hardy Not vulnerable
(5.2.4-2ubuntu3)
intrepid Not vulnerable
(5.2.4-2ubuntu3)
upstream
Released (5.2.4)
Patches:
vendor: http://www.mandriva.com/security/advisories?name=MDKSA-2007:187
upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29