Security update for gd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0548-1 Final 1 1 2017-02-22T16:08:52Z current 2017-02-22T16:08:52Z 2017-02-22T16:08:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gd This update for gd fixes the following security issues: - CVE-2016-6906: An out-of-bounds read in TGA decompression was fixed which could have lead to crashes. (bsc#1022553) - CVE-2016-6912: Double free vulnerability in the gdImageWebPtr function in the GD Graphics Library (aka libgd) allowed remote attackers to have unspecified impact via large width and height values. (bsc#1022284) - CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) allowed remote attackers to cause a denial of service (system hang) via an oversized image. (bsc#1022283) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the GD Graphics Library (aka libgd) (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to libgd running out of memory even on small files. (bsc#1022264) - CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead to memory corruption (bsc#1022265) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html E-Mail link for openSUSE-SU-2017:0548-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 gd-2.1.0-16.1 gd-32bit-2.1.0-16.1 gd-devel-2.1.0-16.1 gd-2.1.0-16.1 as a component of openSUSE Leap 42.1 gd-32bit-2.1.0-16.1 as a component of openSUSE Leap 42.1 gd-devel-2.1.0-16.1 as a component of openSUSE Leap 42.1 gd-2.1.0-16.1 as a component of openSUSE Leap 42.2 gd-32bit-2.1.0-16.1 as a component of openSUSE Leap 42.2 gd-devel-2.1.0-16.1 as a component of openSUSE Leap 42.2 Integer underflow in the _gdContributionsAlloc function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors related to decrementing the u variable. CVE-2016-10166 openSUSE Leap 42.1:gd-2.1.0-16.1 openSUSE Leap 42.1:gd-32bit-2.1.0-16.1 openSUSE Leap 42.1:gd-devel-2.1.0-16.1 openSUSE Leap 42.2:gd-2.1.0-16.1 openSUSE Leap 42.2:gd-32bit-2.1.0-16.1 openSUSE Leap 42.2:gd-devel-2.1.0-16.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-10166.html CVE-2016-10166 https://bugzilla.suse.com/1022069 SUSE Bug 1022069 https://bugzilla.suse.com/1022263 SUSE Bug 1022263 The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. CVE-2016-10167 openSUSE Leap 42.1:gd-2.1.0-16.1 openSUSE Leap 42.1:gd-32bit-2.1.0-16.1 openSUSE Leap 42.1:gd-devel-2.1.0-16.1 openSUSE Leap 42.2:gd-2.1.0-16.1 openSUSE Leap 42.2:gd-32bit-2.1.0-16.1 openSUSE Leap 42.2:gd-devel-2.1.0-16.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-10167.html CVE-2016-10167 https://bugzilla.suse.com/1022069 SUSE Bug 1022069 https://bugzilla.suse.com/1022264 SUSE Bug 1022264 Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. CVE-2016-10168 openSUSE Leap 42.1:gd-2.1.0-16.1 openSUSE Leap 42.1:gd-32bit-2.1.0-16.1 openSUSE Leap 42.1:gd-devel-2.1.0-16.1 openSUSE Leap 42.2:gd-2.1.0-16.1 openSUSE Leap 42.2:gd-32bit-2.1.0-16.1 openSUSE Leap 42.2:gd-devel-2.1.0-16.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-10168.html CVE-2016-10168 https://bugzilla.suse.com/1022069 SUSE Bug 1022069 https://bugzilla.suse.com/1022265 SUSE Bug 1022265 The read_image_tga function in gd_tga.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file, related to the decompression buffer. CVE-2016-6906 openSUSE Leap 42.1:gd-2.1.0-16.1 openSUSE Leap 42.1:gd-32bit-2.1.0-16.1 openSUSE Leap 42.1:gd-devel-2.1.0-16.1 openSUSE Leap 42.2:gd-2.1.0-16.1 openSUSE Leap 42.2:gd-32bit-2.1.0-16.1 openSUSE Leap 42.2:gd-devel-2.1.0-16.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-6906.html CVE-2016-6906 https://bugzilla.suse.com/1022553 SUSE Bug 1022553 Double free vulnerability in the gdImageWebPtr function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via large width and height values. CVE-2016-6912 openSUSE Leap 42.1:gd-2.1.0-16.1 openSUSE Leap 42.1:gd-32bit-2.1.0-16.1 openSUSE Leap 42.1:gd-devel-2.1.0-16.1 openSUSE Leap 42.2:gd-2.1.0-16.1 openSUSE Leap 42.2:gd-32bit-2.1.0-16.1 openSUSE Leap 42.2:gd-devel-2.1.0-16.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-6912.html CVE-2016-6912 https://bugzilla.suse.com/1022284 SUSE Bug 1022284 The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image. CVE-2016-9317 openSUSE Leap 42.1:gd-2.1.0-16.1 openSUSE Leap 42.1:gd-32bit-2.1.0-16.1 openSUSE Leap 42.1:gd-devel-2.1.0-16.1 openSUSE Leap 42.2:gd-2.1.0-16.1 openSUSE Leap 42.2:gd-32bit-2.1.0-16.1 openSUSE Leap 42.2:gd-devel-2.1.0-16.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-9317.html CVE-2016-9317 https://bugzilla.suse.com/1022283 SUSE Bug 1022283