Ubuntu CVE tracker entry: UB:CVE-2007-3996
CVE-2007-3996
Published: 2007-09-04 00:00:00
Source: ubuntu.com

CVSS2: 6.8 Medium
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.056 Low (Percentile: 93.2%)

Multiple integer overflows in libgd in PHP before 5.2.4 allow remote
attackers to cause a denial of service (application crash) and possibly
execute arbitrary code via a large (1) srcW or (2) srcH value to the (a)
gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width)
value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
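The flaw described above is the classic image-allocation pattern: width and height are multiplied to size a pixel buffer, and a large enough pair wraps the product to a small number, so the allocation succeeds but is far smaller than the pixels later written into it. The following is an added example, not libgd's or PHP's code: a hypothetical `image_buffer_size` check that rejects non-positive dimensions and any product that would overflow `size_t` or exceed an assumed policy cap (`max_bytes`), beside `unchecked_pixels32`, which shows the wraparound that an unchecked 32-bit multiply produces. Function names and the cap are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>
#include <stdio.h>

/* The unsafe pattern, shown on unsigned 32-bit values so the wraparound is
 * well defined: 65536 * 65536 wraps to 0, which would size an empty buffer
 * for an image that the caller still believes has 2^32 pixels. */
uint32_t unchecked_pixels32(uint32_t sx, uint32_t sy)
{
    return sx * sy;
}

/* Hypothetical hardened check (assumption: not libgd's real code).
 * Returns 1 and stores the byte count in *bytes when
 * sx * sy * bytes_per_pixel fits in size_t and stays within max_bytes;
 * returns 0 for non-positive dimensions, overflow, or an oversize request. */
int image_buffer_size(int sx, int sy, size_t bytes_per_pixel,
                      size_t max_bytes, size_t *bytes)
{
    if (sx <= 0 || sy <= 0 || bytes_per_pixel == 0 || bytes == NULL)
        return 0;

    size_t w = (size_t)sx;
    size_t h = (size_t)sy;

    /* width * height must not overflow size_t */
    if (w > SIZE_MAX / h)
        return 0;
    size_t pixels = w * h;

    /* pixels * bytes_per_pixel must not overflow either */
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return 0;
    size_t total = pixels * bytes_per_pixel;

    /* even a non-wrapping product can be a denial-of-service sized request */
    if (total > max_bytes)
        return 0;

    *bytes = total;
    return 1;
}

/* Allocates only after the check passes. Returns NULL on rejection, so the
 * caller must handle the failure instead of dereferencing the result. */
unsigned char *alloc_image(int sx, int sy, size_t bytes_per_pixel,
                           size_t max_bytes)
{
    size_t n;
    if (!image_buffer_size(sx, sy, bytes_per_pixel, max_bytes, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed sample dimensions: one sane image, one hostile pair. */
    size_t n;
    printf("unchecked 65536x65536 -> %u pixels\n",
           (unsigned)unchecked_pixels32(65536u, 65536u));
    printf("checked 640x480x4 -> %s (%zu bytes)\n",
           image_buffer_size(640, 480, 4, (size_t)1 << 30, &n) ? "ok" : "rejected", n);
    printf("checked INT_MAX x INT_MAX x 8 -> %s\n",
           image_buffer_size(INT_MAX, INT_MAX, 8, SIZE_MAX, &n) ? "ok" : "rejected");
    unsigned char *img = alloc_image(16, 16, 4, (size_t)1 << 20);
    printf("alloc 16x16x4 -> %s\n", img ? "allocated" : "rejected");
    free(img);
    return 0;
}
```

The two division-based comparisons (`w > SIZE_MAX / h`, `pixels > SIZE_MAX / bytes_per_pixel`) are the portable way to detect the overflow before it happens; checking the product afterwards is too late, because by then the wrapped value looks valid. The separate `max_bytes` cap addresses the denial-of-service half of the advisory: a product that does not wrap can still be large enough to exhaust memory.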

Notes

Author note (jdstrand): this is gdImageCreate and gdImageCreateTrueColor. dapper-gutsy libgd2 are affected to varying degrees. php5-gd segfaults on feisty and gutsy before patching libgd2, and dapper-gutsy segfault after (this is because feisty-gutsy had a partial fix already in libgd2). php5-gd is not handling the error condition when libgd2 fails properly. Verified that 5.2.4 works with patched libgd2.
Affected packages:

OS      OS version  Architecture  Package  Affected version         Filename
ubuntu  6.06        noarch        libgd2   < 2.0.33-2ubuntu5.3      UNKNOWN
ubuntu  6.10        noarch        libgd2   < 2.0.33-4ubuntu2.2      UNKNOWN
ubuntu  7.04        noarch        libgd2   < 2.0.34~rc1-2ubuntu1.2  UNKNOWN
ubuntu  7.10        noarch        libgd2   < 2.0.34-1ubuntu1.1      UNKNOWN
ubuntu  6.06        noarch        php5     < 5.1.2-1ubuntu3.13      UNKNOWN
ubuntu  7.10        noarch        php5     < 5.2.3-1ubuntu6.5       UNKNOWN
