Your submission was sent successfully! Close

CVE-2017-7890

Published: 2 August 2017

The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
libgd2
Launchpad, Ubuntu, Debian
precise
Released (2.0.36~rc1~dfsg-6ubuntu2.5)
trusty
Released (2.1.0-3ubuntu0.7)
upstream Needed

xenial
Released (2.1.1-4ubuntu0.16.04.7)
zesty
Released (2.2.4-2ubuntu0.2)
php5
Launchpad, Ubuntu, Debian
precise Not vulnerable
(uses system gd)
trusty Not vulnerable
(uses system gd)
upstream
Released (5.6.31)
xenial Does not exist

zesty Does not exist

php7.0
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream
Released (7.0.21)
xenial Not vulnerable
(uses system gd)
zesty Not vulnerable
(uses system gd)
php7.1
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream
Released (7.1.7)
xenial Does not exist

zesty Does not exist