The GIF decoding function gdImageCreateFromGifCtx in gdgifin.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd-dbg" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd-dev" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd-tools" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd-tools-dbgsym" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd2-noxpm-dev" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd2-xpm-dev" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd3" }, { "binary_version": "2.1.0-3ubuntu0.7", "binary_name": "libgd3-dbgsym" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd-dbg" }, { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd-dev" }, { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd-dev-dbgsym" }, { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd-tools" }, { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd-tools-dbgsym" }, { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd3" }, { "binary_version": "2.1.1-4ubuntu0.16.04.7", "binary_name": "libgd3-dbgsym" } ] }