UBUNTU-CVE-2017-7890

Source
https://ubuntu.com/security/CVE-2017-7890
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-7890.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2017-7890
Related
Published
2017-08-02T00:00:00Z
Modified
2017-08-02T00:00:00Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

The GIF decoding function gdImageCreateFromGifCtx in gdgifin.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.

References

Affected packages

Ubuntu:14.04:LTS / libgd2

Package

Name
libgd2
Purl
pkg:deb/ubuntu/libgd2?arch=src?distro=trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0-3ubuntu0.7

Affected versions

2.*

2.1.0-2
2.1.0-3
2.1.0-3ubuntu0.1
2.1.0-3ubuntu0.2
2.1.0-3ubuntu0.3
2.1.0-3ubuntu0.5
2.1.0-3ubuntu0.6

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd-dbg"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd-dev"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd-tools"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd-tools-dbgsym"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd2-noxpm-dev"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd2-xpm-dev"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd3"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.7",
            "binary_name": "libgd3-dbgsym"
        }
    ]
}

Ubuntu:16.04:LTS / libgd2

Package

Name
libgd2
Purl
pkg:deb/ubuntu/libgd2?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.1-4ubuntu0.16.04.7

Affected versions

2.*

2.1.1-4build1
2.1.1-4build2
2.1.1-4ubuntu0.16.04.1
2.1.1-4ubuntu0.16.04.2
2.1.1-4ubuntu0.16.04.3
2.1.1-4ubuntu0.16.04.5
2.1.1-4ubuntu0.16.04.6

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd-dbg"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd-dev"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd-dev-dbgsym"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd-tools"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd-tools-dbgsym"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd3"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.7",
            "binary_name": "libgd3-dbgsym"
        }
    ]
}