| Name | CVE-2016-9933 |
| Description | Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-758-1, DSA-3732-1, DSA-3751-1 |
| Debian Bugs | 849038 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libgd2 (PTS) | bullseye | 2.3.0-2 | fixed |
| bookworm | 2.3.3-9 | fixed | |
| trixie, sid | 2.3.3-12 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libgd2 | source | wheezy | 2.0.36~rc1~dfsg-6.1+deb7u7 | DLA-758-1 | ||
| libgd2 | source | jessie | 2.1.0-5+deb8u8 | DSA-3751-1 | ||
| libgd2 | source | (unstable) | 2.2.2-29-g3c2b605-1 | 849038 | ||
| php5 | source | jessie | 5.6.28+dfsg-0+deb8u1 | DSA-3732-1 | ||
| php5 | source | (unstable) | (unfixed) | unimportant | ||
| php7.0 | source | (unstable) | 7.0.13-1 | unimportant |
This problem could be seen as a programmer fault but the fix is easy and
the effect is rather dramatic so it should be fixed anyway.
https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e (gd-2.2.2)
Scope of CVE is only the missing "color < 0" test in older versions.
GD release info: https://libgd.github.io/release-2.2.2.html
Fixed in PHP 5.6.28, 7.0.13 and 7.1.0
PHP Bug: https://bugs.php.net/bug.php?id=72696
Fixed by: https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1
Starting with 5.4.0-1 Debian uses the system copy of libgd
https://www.openwall.com/lists/oss-security/2016/12/12/2