openSUSE-SU-2016:2117

openSUSE-SU-2016:2363

http://packetstormsecurity.com/files/138174/LibGD-2.2.2-Integer-Overflow-Denial-Of-Service.html

RHSA-2016:2750

DSA-3630

20160803 Secunia Research: LibGD "_gdContributionsAlloc()" Integer Overflow Denial of Service Vulnerability

92080

1036535

USN-3060-1

https://bugs.php.net/bug.php?id=72558

https://libgd.github.io/release-2.2.3.html

https://secunia.com/secunia_research/2016-9/

GLSA-201612-09

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities :

 - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY
environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed
or manipulated. (CVE-2016-5385)

 - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399)

 - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207)

 - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-
6289)

 - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290)

 - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291)

 - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292)

 - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294)

 - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295)

 - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016
-6296)

 - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution
of arbitrary code. (CVE-2016-6297)

 - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or
disclose memory contents.

 - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

 - A flaw exists in the curl_unescape() function within file ext/curl/interface.c when handling string lengths. An unauthenticated, remote attacker can exploit this to cause heap corruption, resulting in a denial of service condition.

 - A heap-based buffer overflow condition exists in the mcrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

 - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities :

 - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY
environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed
or manipulated. (CVE-2016-5385)

 - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399)

 - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207)

 - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-
6289)

 - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290)

 - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291)

 - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292)

 - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294)

 - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295)

 - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016
-6296)

 - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution
of arbitrary code. (CVE-2016-6297)

 - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or
disclose memory contents.

 - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

 - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents.

 Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-4473: Invalid free() instead of efree() in     phar_extract_file()

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7133: memory allocator fails to realloc small     block to large one

  - CVE-2016-7134: Heap overflow in the function curl_escape

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201612-09 (GD: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in GD. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Security fix for gd.

----

Security fix for CVE-2016-6161

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

This update was imported from the SUSE:SLE-12:Update update project.

This update for gd fixes the following issues :

  - CVE-2016-6214: Buffer over-read issue when parsing     crafted TGA file [bsc#991436]

  - CVE-2016-6132: read out-of-bands was found in the     parsing of TGA files using libgd [bsc#987577]

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#991710]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991622]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-5116: avoid stack overflow (read) with large     names [bsc#982176]

  - CVE-2016-6905: Out-of-bounds read in function     read_image_tga in gd_tga.c [bsc#995034]

This update was imported from the SUSE:SLE-12:Update update project.

This update for gd fixes the following issues :

  - CVE-2016-6214: Buffer over-read issue when parsing     crafted TGA file [bsc#991436]

  - CVE-2016-6132: read out-of-bands was found in the     parsing of TGA files using libgd [bsc#987577]

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#991710]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991622]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-5116: avoid stack overflow (read) with large     names [bsc#982176]

  - CVE-2016-6905: Out-of-bounds read in function     read_image_tga in gd_tga.c [bsc#995034]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for gd fixes the following issues :

  - CVE-2016-6214: Buffer over-read issue when parsing     crafted TGA file [bsc#991436]

  - CVE-2016-6132: read out-of-bands was found in the     parsing of TGA files using libgd [bsc#987577]

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#991710]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991622]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

This update for php5 fixes the following issues :

  - security update :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

It was discovered that the GD library incorrectly handled certain malformed TGA images. If a user or automated system were tricked into processing a specially crafted TGA image, an attacker could cause a denial of service. (CVE-2016-6132, CVE-2016-6214)

It was discovered that the GD library incorrectly handled memory when using gdImageScale(). A remote attacker could possibly use this issue to cause a denial of service or possibly execute arbitrary code.
(CVE-2016-6207).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Pierre Joye reports :

- fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)

- gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)

- Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)

- fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128)

Versions of PHP 5.5.x prior to 5.5.38, or 5.6.x prior to 5.6.24, or 7.0.x prior to 7.0.9 are vulnerable to the following issues :

 - A NULL pointer dereference flaw within the '_gdScaleVert()' function inside of 'ext/gd/libgd/gd_interpolation.c' is triggered during the handling of '_gdContributionsCalc' return values. This may allow a remote attacker to cause a denial of service in a process linked against PHP.
 - A flaw related to missing protection against 'RFC 3875 section 4.1.18' namespace conflicts is triggered when handling requests containing 'Proxy' HTTP headers. These may be stored in the 'HTTP_PROXY' environment variable also commonly used to configure an outbound HTTP proxy for applications. With a specially crafted request, a remote attacker can specify an arbitrary HTTP proxy server to be used by applications relying on the HTTP_PROXY environment variable. (CVE-2016-5385)
 - An out-of-bounds read flaw within the 'gdImageScaleBilinearPalette()' function inside of 'gd_interpolation.c' is triggered when handling transparent colors. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - A flaw within the 'gdImageScaleTwoPass()' function inside of 'gd_interpolation.c' is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library. (CVE-2016-6207)
 - A use-after-free error within 'ext/snmp/snmp.c' is triggered during the unserialization of user-supplied input when handling garbage collection. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6295)
 - An out-of-bounds read flaw within the 'uloc_acceptLanguageFromHTTP()' function inside of 'common/uloc.cpp' may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6293, CVE-2016-6294)
 - A use-after-free error within 'ext/session/session.c' is triggered during the handling of 'var_hash destruction'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6290)
 - An out-of-bounds read flaw within the 'exif_process_IFD_in_MAKERNOTE()' function inside of 'ext/exif/exif.c' may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6291)
 - An overflow condition within the 'php_bz2iop_read()' function inside of 'ext/bz2/bz2.c' is triggered as error conditions are not properly handled. With a specially crafted request, a remote attacker can cause a buffer overflow and potentially execute arbitrary code. (CVE-2016-5399)
 - An overflow condition within the 'mdecrypt_generic()' function inside of 'ext/mcrypt/mcrypt.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code.
 - A NULL pointer dereference flaw within the 'exif_process_user_comment()' function inside of 'ext/exif/exif.c' may allow a remote attacker to crash a program using the language. (CVE-2016-6292)
 - A flaw within the 'curl_unescape()' function inside of 'ext/curl/interface.c' is triggered during the handling of string lengths. This may allow a remote attacker to trigger heap corruption and crash a program using the language.
 - An overflow condition within the 'mcrypt_generic()' function inside of 'ext/mcrypt/mcrypt.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An integer overflow condition within the 'php_stream_zip_opener()' function inside of 'ext/zip/zip_stream.c' is triggered as user-supplied input is not properly validated when handling zip streams. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6297)
 - An integer overflow condition within the 'virtual_file_ex()' function inside of 'Zend/zend_virtual_cwd.c' is triggered as user-supplied input is not properly validated when handling variables. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6289)
 - An overflow condition within the 'simplestring_addn()' function inside of 'simplestring.c.' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-6296)
 - A NULL write flaw within the 'gdImageColorTransparent()' function inside of 'gd.c' is triggered during the handling of negative transparent colors. This may allow a context-dependent attacker to disclose memory.
 - An overflow condition within the 'php_url_prase_ex()' function inside of 'ext/standard/url.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a buffer overflow, potentially resulting in a denial of service in a process utilizing the language. (CVE-2016-6288)

Secunia Research at Flexera Software discovered an integer overflow vulnerability within the _gdContributionsAlloc() function in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of this flaw to cause a denial-of-service against an application using the libgd2 library.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities :

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A flaw exists in the curl_unescape() function within     file ext/curl/interface.c when handling string lengths.
    An unauthenticated, remote attacker can exploit this to     cause heap corruption, resulting in a denial of service     condition.

  - A heap-based buffer overflow condition exists in the     mcrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities :

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities :

  - A Segfault condition occurs when accessing     nvarchar(max) defined columns. (CVE-2015-8879)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - A buffer overflow condition exists in the     php_url_parse_ex() function. (CVE-2016-6288)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

  - An overflow condition exists in the php_url_prase_ex()     function due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     buffer overflow, resulting in a denial of service     condition.

**LibGD 2.2.3 release**

Security related fixes: This flaw is caused by loading data from external sources (file, custom ctx, etc) and are hard to validate before calling libgd APIs :

  - fix php bug php#72339, Integer Overflow in _gd2GetHeader     (CVE-2016-5766)

  - bug #248, fix Out-Of-Bounds Read in read_image_tga

Using application provided parameters, in these cases invalid data causes the issues :

  - Integer overflow error within _gdContributionsAlloc()     (CVE-2016-6207)

  - fix php bug php#72494, invalid color index not handled,     can lead to crash

  - improve color check for CropThreshold

Important update :

  - gdImageCopyResampled has been improved. Better handling     of images with alpha channel, also brings libgd in sync     with php's bundled gd.

This is a recommended update.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New php packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

ID	Name	Product	Family	Severity
98855	PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)	Web Application Scanning	Component Vulnerability	high
98814	PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy)	Web Application Scanning	Component Vulnerability	high
119981	SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1)	Nessus	SuSE Local Security Checks	high
119979	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1)	Nessus	SuSE Local Security Checks	high
95524	GLSA-201612-09 : GD: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93872	Fedora 23 : gd (2016-0de0e0ee0c)	Nessus	Fedora Local Security Checks	medium
93856	openSUSE Security Update : php5 (openSUSE-2016-1156)	Nessus	SuSE Local Security Checks	high
93701	openSUSE Security Update : gd (openSUSE-2016-1108)	Nessus	SuSE Local Security Checks	medium
93506	SUSE SLED12 / SLES12 Security Update : gd (SUSE-SU-2016:2303-1)	Nessus	SuSE Local Security Checks	medium
93063	openSUSE Security Update : gd (openSUSE-2016-1003)	Nessus	SuSE Local Security Checks	medium
92982	openSUSE Security Update : php5 (openSUSE-2016-985)	Nessus	SuSE Local Security Checks	high
92869	Ubuntu 14.04 LTS / 16.04 LTS : libgd2 vulnerabilities (USN-3060-1)	Nessus	Ubuntu Local Security Checks	medium
92740	FreeBSD : gd -- multiple vulnerabilities (556d2286-5a51-11e6-a6c3-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	medium
9460	PHP 5.5.x < 5.5.38 / 5.6.x < 5.6.24 / 7.0.x < 7.0.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
92572	Debian DSA-3630-1 : libgd2 - security update	Nessus	Debian Local Security Checks	medium
92556	PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high
92555	PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high
92554	PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high
92532	Fedora 24 : gd (2016-615f3bf06e)	Nessus	Fedora Local Security Checks	medium
92499	Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-203-02) (httpoxy)	Nessus	Slackware Local Security Checks	medium

CVE-2016-6207

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins