CVE-2016-8670 : Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.

Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call.

Published 2017-01-04 20:59:00

Updated 2017-11-04 01:29:25

Source Debian GNU/Linux

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2016-8670

Probability of exploitation activity in the next 30 days: 3.87%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 92 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-8670

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-8670

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-8670

http://www.openwall.com/lists/oss-security/2016/10/15/1

oss-security - CVE Request: libgd: Stack Buffer Overflow in GD dynamicGetbuf
Third Party Advisory
https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9

Avoid potentially dangerous signed to unsigned conversion · libgd/libgd@5311087 · GitHub
Vendor Advisory
http://www.debian.org/security/2016/dsa-3693

Debian -- Security Information -- DSA-3693-1 libgd2

CVEs referencing this url
https://support.f5.com/csp/article/K21336065?utm_source=f5support&utm_medium=RSS

GD Graphics Library vulnerability CVE-2016-8670
http://www.securityfocus.com/bid/93594

PHP LibGD CVE-2016-8670 Stack Buffer Overflow Vulnerability
http://www.php.net/ChangeLog-7.php

PHP: PHP 7 ChangeLog
Release Notes;Vendor Advisory

CVEs referencing this url
https://bugs.php.net/bug.php?id=73280

PHP :: Bug #73280 :: Stack Buffer Overflow in GD dynamicGetbuf
Vendor Advisory
http://www.php.net/ChangeLog-5.php

PHP: PHP 5 ChangeLog
Release Notes;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2016-8670

Libgd » Libgd
Versions up to, including, (<=) 2.2.3
cpe:2.3:a:libgd:libgd:*:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP
When used together with: PHP » PHP » Version: 7.0.0
When used together with: PHP » PHP » Version: 7.0.1
When used together with: PHP » PHP » Version: 7.0.2
When used together with: PHP » PHP » Version: 7.0.3
When used together with: PHP » PHP » Version: 7.0.4
When used together with: PHP » PHP » Version: 7.0.5
When used together with: PHP » PHP » Version: 7.0.6
When used together with: PHP » PHP » Version: 7.0.7
When used together with: PHP » PHP » Version: 7.0.8
When used together with: PHP » PHP » Version: 7.0.9
When used together with: PHP » PHP » Version: 7.0.10
When used together with: PHP » PHP » Version: 7.0.11
When used together with: PHP » PHP » Version: 7.0.12

Vulnerability Details : CVE-2016-8670

Exploit prediction scoring system (EPSS) score for CVE-2016-8670

CVSS scores for CVE-2016-8670

CWE ids for CVE-2016-8670

References for CVE-2016-8670

Products affected by CVE-2016-8670