CVE-2016-9933

NameCVE-2016-9933
DescriptionStack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-758-1, DSA-3732-1, DSA-3751-1
Debian Bugs849038

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgd2 (PTS)jessie, jessie (lts)2.1.0-5+deb8u15fixed
stretch (security)2.2.4-2+deb9u4fixed
stretch (lts), stretch2.2.4-2+deb9u6fixed
buster (security), buster, buster (lts)2.2.5-5.2+deb10u1fixed
bullseye2.3.0-2fixed
bookworm2.3.3-9fixed
sid, trixie2.3.3-12fixed
php5 (PTS)jessie, jessie (lts)5.6.40+dfsg-0+deb8u21fixed
php7.0 (PTS)stretch (security)7.0.33-0+deb9u12fixed
stretch (lts), stretch7.0.33-0+deb9u19fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgd2sourcewheezy2.0.36~rc1~dfsg-6.1+deb7u7DLA-758-1
libgd2sourcejessie2.1.0-5+deb8u8DSA-3751-1
libgd2source(unstable)2.2.2-29-g3c2b605-1849038
php5sourcejessie5.6.28+dfsg-0+deb8u1DSA-3732-1
php5source(unstable)(unfixed)unimportant
php7.0source(unstable)7.0.13-1unimportant

Notes

This problem could be seen as a programmer fault but the fix is easy and
the effect is rather dramatic so it should be fixed anyway.
https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e (gd-2.2.2)
Scope of CVE is only the missing "color < 0" test in older versions.
GD release info: https://libgd.github.io/release-2.2.2.html
Fixed in PHP 5.6.28, 7.0.13 and 7.1.0
PHP Bug: https://bugs.php.net/bug.php?id=72696
Fixed by: https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1
Starting with 5.4.0-1 Debian uses the system copy of libgd
https://www.openwall.com/lists/oss-security/2016/12/12/2

Search for package or bug name: Reporting problems