======================================================================

                     Secunia Research 03/08/2016

       LibGD "_gdContributionsAlloc()" Integer Overflow Denial of
                        Service Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* LibGD version 2.2.2.

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered a vulnerability in LibGD, which can
be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an integer overflow error within the
"_gdContributionsAlloc()" function (gd_interpolation.c) and can be
exploited to cause an out-of-bounds memory write access or exhaust
available memory.

======================================================================
4) Solution

Update to version 2.2.3.

======================================================================
5) Time Table

03/07/2016 - Initial contact with vendor.
03/07/2016 - Vendor responds and confirms the issue and sends a patch.
07/07/2016 - Replied to the vendor that the patch is incomplete.
13/07/2016 - CVE requested from Mitre.
13/07/2016 - Mitre assigns CVE-2016-6207 for the issue.
19/07/2016 - Vendor patches the issue in the source code repository.
19/07/2016 - Release of Secunia Advisory SA71416.
22/07/2016 - Vendor releases fixed version 2.2.3.
03/08/2016 - Public disclosure of Research Advisory.

======================================================================
6) Credits

Discovered by Kasper Leigh Haabb, Secunia Research at Flexera
Software.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2016-6207 identifier for the vulnerability.

======================================================================
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals who are interested in or concerned about IT security:

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-9/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
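
Added example (not part of the Secunia advisory and not LibGD code):
the class of defect described in section 3, an allocation size that
wraps in 32-bit arithmetic, shown beside an overflow-checked allocator.
All names (row_t, unchecked_bytes32, checked_mul_u32, free_rows,
alloc_rows) are hypothetical and chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-row record: a range plus a heap array of weights. */
typedef struct { int left, right; double *weights; } row_t;

/* Before: size computed in 32-bit arithmetic wraps silently on overflow. */
static uint32_t unchecked_bytes32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* After: returns 1 and stores a * b, or 0 if the product exceeds 32 bits. */
static int checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b != 0 && a > UINT32_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* Frees the first 'count' weight arrays and the table itself. */
static void free_rows(row_t *rows, uint32_t count)
{
    uint32_t i;
    if (rows == NULL) return;
    for (i = 0; i < count; i++) free(rows[i].weights);
    free(rows);
}

/* Allocates 'count' rows of 'per_row' weights; NULL on overflow or OOM. */
static row_t *alloc_rows(uint32_t count, uint32_t per_row)
{
    uint32_t table_bytes, weight_bytes, i;
    row_t *rows;

    if (!checked_mul_u32(count, (uint32_t)sizeof(row_t), &table_bytes) ||
        !checked_mul_u32(per_row, (uint32_t)sizeof(double), &weight_bytes))
        return NULL;  /* reject before any allocation or write happens */
    if (table_bytes == 0 || weight_bytes == 0) return NULL;
    rows = calloc(1, table_bytes);
    if (rows == NULL) return NULL;
    for (i = 0; i < count; i++) {
        rows[i].weights = malloc(weight_bytes);
        if (rows[i].weights == NULL) { free_rows(rows, i); return NULL; }
    }
    return rows;
}
```

The overflow check stops the undersized buffer that leads to an
out-of-bounds write; limiting memory consumption additionally needs an
application-chosen upper bound on both arguments.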