CVE-2014-9709: Buffer Overflow
First published: Tue Feb 03 2015(Updated: )
Possible buffer read overflow was fixed upstream [1]. This was also reported against PHP: <a href="https://bugs.php.net/bug.php?id=68601">https://bugs.php.net/bug.php?id=68601</a> (bug is private, fixed in PHP 5.6.5) [1]: <a href="https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43">https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/php | <5.5.21 | 5.5.21 |
| redhat/php | <5.6.5 | 5.6.5 |
| redhat/gd | <2.1.1 | 2.1.1 |
| PHP | >=5.4.0<5.4.40 | |
| PHP | >=5.5.0<5.5.21 | |
| PHP | >=5.6.0<5.6.5 | |
| openSUSE | =13.1 | |
| openSUSE | =13.2 | |
| libgd | <=2.1.1 | |
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =15.10 | |
| Ubuntu Linux | =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.php.net/bug.php?id=68601
- https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
- http://git.php.net/?p=php-src.git;a=commitdiff;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c
- http://git.php.net/?p=php-src.git;a=commitdiff;h=5fc2fede9c7c963c950d8b96dcc0f7af88b4d695
- https://rhn.redhat.com/errata/RHSA-2015-1066.html
- https://rhn.redhat.com/errata/RHSA-2015-1053.html
- https://rhn.redhat.com/errata/RHSA-2015-1135.html
- https://rhn.redhat.com/errata/RHSA-2015-1218.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1188639
- http://advisories.mageia.org/MGASA-2015-0040.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html
- http://marc.info/?l=bugtraq&m=143403519711434&w=2
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2015-1053.html
- http://rhn.redhat.com/errata/RHSA-2015-1066.html
- http://rhn.redhat.com/errata/RHSA-2015-1135.html
- http://rhn.redhat.com/errata/RHSA-2015-1218.html
- http://www.debian.org/security/2015/dsa-3215
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:153
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securityfocus.com/bid/73306
- http://www.securitytracker.com/id/1033703
- http://www.ubuntu.com/usn/USN-2987-1
- https://security.gentoo.org/glsa/201606-10
- https://security.gentoo.org/glsa/201607-04
- https://support.apple.com/HT205267
Frequently Asked Questions
What is the severity of CVE-2014-9709?
CVE-2014-9709 has been classified as a medium severity vulnerability due to its potential for exploitation through a buffer read overflow.
How do I fix CVE-2014-9709?
To fix CVE-2014-9709, upgrade PHP to version 5.6.5 or later, or GD to version 2.1.1 or later.
Which software is affected by CVE-2014-9709?
CVE-2014-9709 affects PHP versions prior to 5.5.21 and 5.6.5, as well as GD versions prior to 2.1.1.
Is CVE-2014-9709 fixed in any distributions?
Yes, CVE-2014-9709 is fixed in various distributions including Red Hat, Ubuntu, and Debian with updated versions of PHP and GD.
What type of vulnerability is CVE-2014-9709?
CVE-2014-9709 is a buffer read overflow vulnerability that can lead to information disclosure.
- collector/redhat-bugzilla
- alias/CVE-2014-9709
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/php
- canonical/php
- version/php/5.4.0
- version/php/5.5.0
- version/php/5.6.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/13.1
- version/opensuse/13.2
- vendor/libgd
- canonical/libgd
- version/libgd/2.1.1
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/15.10
- version/ubuntu linux/16.04