CVE-2016-8670: Buffer Overflow
First published: Wed Jan 04 2017(Updated: )
Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libgd | <=2.2.3 | |
| PHP | <=5.6.27 | |
| PHP | =7.0.0 | |
| PHP | =7.0.1 | |
| PHP | =7.0.2 | |
| PHP | =7.0.3 | |
| PHP | =7.0.4 | |
| PHP | =7.0.5 | |
| PHP | =7.0.6 | |
| PHP | =7.0.7 | |
| PHP | =7.0.8 | |
| PHP | =7.0.9 | |
| PHP | =7.0.10 | |
| PHP | =7.0.11 | |
| PHP | =7.0.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2016/dsa-3693
- http://www.openwall.com/lists/oss-security/2016/10/15/1
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/93594
- https://bugs.php.net/bug.php?id=73280
- https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9
- https://support.f5.com/csp/article/K21336065?utm_source=f5support&utm_medium=RSS
- https://support.f5.com/csp/article/K21336065?utm_source=f5support&%3Butm_medium=RSS
Frequently Asked Questions
What is the severity of CVE-2016-8670?
CVE-2016-8670 has a medium severity level due to its potential to cause denial of service through a stack-based buffer overflow.
How do I fix CVE-2016-8670?
To fix CVE-2016-8670, upgrade the GD Graphics Library to version 2.2.4 or later, and ensure that PHP is updated to version 5.6.28 or 7.0.13 and above.
Which versions of PHP are affected by CVE-2016-8670?
CVE-2016-8670 affects PHP versions prior to 5.6.28 and 7.x prior to 7.0.13.
What are the potential impacts of CVE-2016-8670?
The potential impacts of CVE-2016-8670 include denial of service attacks and possible undefined behaviors leading to further security risks.
Is there any workaround for CVE-2016-8670?
Currently, the best course of action for CVE-2016-8670 is to apply the updates to the affected software rather than relying on workarounds.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/severity
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/libgd
- canonical/libgd
- version/libgd/2.2.3
- vendor/php
- canonical/php
- version/php/5.6.27
- version/php/7.0.0
- version/php/7.0.1
- version/php/7.0.2
- version/php/7.0.3
- version/php/7.0.4
- version/php/7.0.5
- version/php/7.0.6
- version/php/7.0.7
- version/php/7.0.8
- version/php/7.0.9
- version/php/7.0.10
- version/php/7.0.11
- version/php/7.0.12