CVE-2018-5711

Name: CVE-2018-5711
Description: gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1248-1, DSA-4080-1, DSA-4081-1
NVD severity: medium (attack range: remote)
Debian Bugs: 887485

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| hhvm (PTS) | sid | 3.24.7+dfsg-2 | fixed |
| libgd2 (PTS) | jessie (security), jessie | 2.1.0-5+deb8u11 | vulnerable |
| | stretch (security), stretch | 2.2.4-2+deb9u2 | vulnerable |
| | buster, sid | 2.2.5-4.1 | fixed |
| php5 (PTS) | jessie | 5.6.33+dfsg-0+deb8u1 | fixed |
| | jessie (security) | 5.6.38+dfsg-0+deb8u1 | fixed |
| php7.0 (PTS) | stretch (security), stretch | 7.0.30-0+deb9u1 | fixed |

The information below is based on the following data on fixed versions.

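| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| hhvm | source | (unstable) | 3.24.7+dfsg-1 | medium | | |
| libgd2 | source | (unstable) | 2.2.5-4.1 | medium | | 887485 |
| libgd2 | source | wheezy | 2.0.36~rc1~dfsg-6.1+deb7u11 | medium | DLA-1248-1 | |
| php5 | source | (unstable) | (unfixed) | unimportant | | |
| php5 | source | jessie | 5.6.33+dfsg-0+deb8u1 | medium | DSA-4081-1 | |
| php7.0 | source | (unstable) | 7.0.27-1 | unimportant | | |
| php7.0 | source | stretch | 7.0.27-0+deb9u1 | medium | DSA-4080-1 | |
| php7.1 | source | (unstable) | 7.1.13-1 | unimportant | | |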

Notes

Fixed in 5.6.33, 7.0.27, 7.1.13, 7.2.1
PHP Bug: https://bugs.php.net/bug.php?id=75571
https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html
[stretch] - libgd2 <no-dsa> (Minor issue, will be fixed via point release)
[jessie] - libgd2 <postponed> (Minor issue, can be fixed along in a future update)
https://github.com/libgd/libgd/issues/420
https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
