CVE-2016-9933

Name: CVE-2016-9933
Description: Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
Source: CVE (at NVD)
References: DLA-758-1, DSA-3732-1, DSA-3751-1
NVD severity: medium (attack range: remote)
Debian Bugs: 849038

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
libgd2 (PTS) | wheezy | 2.0.36~rc1~dfsg-6.1+deb7u2 | vulnerable
libgd2 (PTS) | wheezy (security) | 2.0.36~rc1~dfsg-6.1+deb7u9 | fixed
libgd2 (PTS) | jessie | 2.1.0-5+deb8u9 | fixed
libgd2 (PTS) | jessie (security) | 2.1.0-5+deb8u10 | fixed
libgd2 (PTS) | buster, sid, stretch | 2.2.4-2 | fixed
libgd2 (PTS) | stretch (security) | 2.2.4-2+deb9u1 | fixed
php5 (PTS) | wheezy | 5.4.45-0+deb7u2 | vulnerable
php5 (PTS) | wheezy (security) | 5.4.45-0+deb7u9 | vulnerable
php5 (PTS) | jessie (security), jessie | 5.6.30+dfsg-0+deb8u1 | fixed
php7.0 (PTS) | stretch | 7.0.19-1 | fixed
php7.0 (PTS) | buster, sid | 7.0.22-2 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
libgd2 | source | (unstable) | 2.2.2-29-g3c2b605-1 | medium | - | 849038
libgd2 | source | jessie | 2.1.0-5+deb8u8 | medium | DSA-3751-1 | -
libgd2 | source | wheezy | 2.0.36~rc1~dfsg-6.1+deb7u7 | medium | DLA-758-1 | -
php5 | source | (unstable) | (unfixed) | unimportant | - | -
php5 | source | jessie | 5.6.28+dfsg-0+deb8u1 | medium | DSA-3732-1 | -
php7.0 | source | (unstable) | 7.0.13-1 | unimportant | - | -

Notes

This problem could be seen as a programmer fault, but the fix is easy and
the effect is rather dramatic, so it should be fixed anyway.
https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e (gd-2.2.2)
Scope of CVE is only the missing "color < 0" test in older versions.
GD release info: https://libgd.github.io/release-2.2.2.html
Fixed in PHP 5.6.28, 7.0.13 and 7.1.0
PHP Bug: https://bugs.php.net/bug.php?id=72696
Fixed by: https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1
Starting with 5.4.0-1 Debian uses the system copy of libgd
http://www.openwall.com/lists/oss-security/2016/12/12/2
