Main Vulnerability Database SB2017111512

SB2017111512 - Red Hat update for libgd

Published: November 15, 2017

Security Bulletin ID SB2017111512

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2016-10167)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing images in gdImageCreateFromGd2Ctx() function in gd_gd2.c. A remote attacker can supply a malformed image and crash the application, using the affected library.

2) Integer overflow (CVE-ID: CVE-2016-10168)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise vulnerable system.

The vulnerability exists due to integer overflow when processing the number of horizontal and vertical chunks in an image in gd_io.c. A remote attacker create a specially crafted image file, trigger memory corruption and crash the affected application or execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2017:3221