#VU32248 Out-of-bounds read in libgd - CVE-2016-6132

Cybersecurity Help s.r.o.

Published: 2016-08-12 | Updated: 2020-07-28

Vulnerability identifier: #VU32248

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-6132

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libgd
Universal components / Libraries / Libraries used by multiple products

Vendor: GD Software

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The gdImageCreateFromTgaCtx function in the GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libgd: 2.2.0 - 2.2.2

External links
https://lists.opensuse.org/opensuse-updates/2016-08/msg00086.html
https://lists.opensuse.org/opensuse-updates/2016-09/msg00078.html
https://www.debian.org/security/2016/dsa-3619
https://www.openwall.com/lists/oss-security/2016/06/30/10
https://www.openwall.com/lists/oss-security/2016/06/30/6
https://www.securityfocus.com/bid/91520
https://www.ubuntu.com/usn/USN-3060-1
https://github.com/libgd/libgd/issues/247
https://libgd.github.io/release-2.2.3.html
https://security.gentoo.org/glsa/201612-09

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for GD

Out-of-bounds read in gd (Alpine package)

Out-of-bounds read in libgd