~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2014-03-21
Candidate: CVE-2014-2497
PublicDate: 2014-03-21
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
 http://net-ninja-mr.me/2014/03/14/php-gd-v5-4-17-2-color-visual-null-pointer-dereference/
 http://www.ubuntu.com/usn/usn-2987-1
Description:
 The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP
 5.4.26 and earlier, allows remote attackers to cause a denial of service
 (NULL pointer dereference and application crash) via a crafted color table
 in an XPM file.
Ubuntu-Description:
Notes:
 mdeslaur> php5 uses the system libgd2
 mdeslaur> php5 in quantal and earlier aren't built with xpm support
Bugs:
 https://bugs.php.net/bug.php?id=66901
Priority: low
Discovered-by:
Assigned-to: mdeslaur

Patches_libgd2:
 upstream: https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
upstream_libgd2: released (2.1.0-4)
lucid_libgd2: ignored (reached end-of-life)
precise_libgd2: released (2.0.36~rc1~dfsg-6ubuntu2.1)
quantal_libgd2: ignored (reached end-of-life)
saucy_libgd2: ignored (reached end-of-life)
trusty_libgd2: released (2.1.0-3ubuntu0.1)
utopic_libgd2: ignored (reached end-of-life)
vivid_libgd2: not-affected (2.1.0-5)
vivid/stable-phone-overlay_libgd2: DNE
vivid/ubuntu-core_libgd2: DNE
wily_libgd2: not-affected (2.1.0-5)
xenial_libgd2: not-affected (2.1.0-5)
devel_libgd2: not-affected (2.1.0-5)

Patches_php5:
upstream_php5: needs-triage
lucid_php5: not-affected (uses system gd)
precise_php5: not-affected (uses system gd)
quantal_php5: not-affected (uses system gd)
saucy_php5: not-affected (uses system gd)
trusty_php5: not-affected (uses system gd)
utopic_php5: not-affected (uses system gd)
vivid_php5: not-affected (uses system gd)
vivid/stable-phone-overlay_php5: DNE
vivid/ubuntu-core_php5: DNE
wily_php5: not-affected (uses system gd)
xenial_php5: DNE
devel_php5: DNE