CVE-2021-40145

Published: 26 August 2021

** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
libgd2 Launchpad, Ubuntu, Debian	bionic	Released (2.2.5-4ubuntu0.5)
	focal	Released (2.2.5-5.2ubuntu2.1)
	hirsute	Released (2.3.0-2ubuntu0.1)
	impish	Released (2.3.0-2ubuntu1)
	jammy	Released (2.3.0-2ubuntu1)
	trusty	Released (2.1.0-3ubuntu0.11+esm2)
	upstream	Needs triage
	xenial	Released (2.1.1-4ubuntu0.16.04.12+esm1)
php5 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Not vulnerable (uses system gd)
	upstream	Needs triage
	xenial	Does not exist
php7.0 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable (uses system gd)
php7.2 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (uses system gd)
	focal	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
php7.3 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist

Notes

Author	Note
mdeslaur	php uses the system libgd2

CVE-2021-40145

Medium

Status

Notes

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading