Vigil@nce: LibGd, PHP, memory corruption via gdGetColors
October 2009 by Vigil@nce
An attacker can pass a malformed GD image to an application linked
to the GD library, in order to corrupt memory, which causes a denial
of service and may lead to code execution.
– Severity: 2/4
– Consequences: privileged access/rights, denial of service
– Provenance: user account
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 15/10/2009
IMPACTED PRODUCTS
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Mandriva Multi Network Firewall
– PHP
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The GD library is used to handle images. It is bundled with PHP.
The gdGetColors() function of LibGD reads the colour palette of an
image. However, this function does not check the number of colours
announced by the image against the maximum the palette can hold,
so a larger count overflows the palette buffers.
An attacker can therefore pass a malformed GD image to an
application linked to the GD library, in order to corrupt memory,
which causes a denial of service and may lead to code execution.
To exploit this vulnerability through PHP, the attacker has to call
the PHP imagecreatefromgd() function, and then the PHP
imagecolorallocate() function.
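The missing check described above, as an added example that is not LibGD's or PHP's code: a simplified palette-header parser in C modelled on the flaw, with the unchecked read loop beside its hardened form. The header layout (a 16-bit colour count, a 16-bit transparent index, then one r,g,b,a entry per colour), the names, and the two constructed headers are assumptions for illustration; the real reader and GD file format differ in detail. The 256-entry limit is LibGD's gdMaxColors.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COLORS 256   /* gdMaxColors: libgd's palette arrays hold 256 entries */

/* Palette image with fixed-size colour tables, in the spirit of libgd's gdImage. */
struct palette_image {
    int colors_total, transparent;
    unsigned char red[MAX_COLORS], green[MAX_COLORS], blue[MAX_COLORS], alpha[MAX_COLORS];
};

/* Bounded byte reader standing in for libgd's gdIOCtx. */
struct reader { const unsigned char *p; size_t left; };

static int get_byte(struct reader *r, int *out)
{
    if (r->left < 1) return 0;
    *out = *r->p++; r->left--;
    return 1;
}

static int get_word(struct reader *r, int *out)  /* 16-bit big-endian */
{
    int hi, lo;
    if (!get_byte(r, &hi) || !get_byte(r, &lo)) return 0;
    *out = (hi << 8) | lo;
    return 1;
}

/* Store one r,g,b,a entry in slot i. No bounds check here; the caller must do it. */
static int read_entry(struct reader *r, struct palette_image *im, int i)
{
    int v[4];
    for (int k = 0; k < 4; k++)
        if (!get_byte(r, &v[k])) return 0;
    im->red[i] = (unsigned char)v[0]; im->green[i] = (unsigned char)v[1];
    im->blue[i] = (unsigned char)v[2]; im->alpha[i] = (unsigned char)v[3];
    return 1;
}

/* Header layout modelled here (an assumption, simplified from the GD format):
 * u16 colorsTotal, u16 transparent, then colorsTotal entries of r,g,b,a bytes.
 *
 * Vulnerable form: the colour count read from the file is trusted. A count above
 * MAX_COLORS drives the loop past the end of the four palette arrays, corrupting
 * whatever follows them in memory (the missing check described for gdGetColors). */
static int parse_palette_unchecked(struct reader *r, struct palette_image *im)
{
    if (!get_word(r, &im->colors_total) || !get_word(r, &im->transparent)) return 0;
    for (int i = 0; i < im->colors_total; i++)
        if (!read_entry(r, im, i)) return 0;
    return 1;
}

/* Hardened form: refuse any count the arrays cannot hold before the loop runs. */
static int parse_palette_checked(struct reader *r, struct palette_image *im)
{
    if (!get_word(r, &im->colors_total) || !get_word(r, &im->transparent)) return 0;
    if (im->colors_total > MAX_COLORS) return 0;   /* the fix */
    for (int i = 0; i < im->colors_total; i++)
        if (!read_entry(r, im, i)) return 0;
    return 1;
}

/* Constructed input: a header announcing colors_total colours, with a recognisable
 * r,g,b,a pattern per entry. Returns bytes written, or 0 if buf is too small. */
static size_t build_header(unsigned char *buf, size_t cap, int colors_total)
{
    size_t need = 4 + (size_t)colors_total * 4;
    if (colors_total < 0 || colors_total > 0xFFFF || cap < need) return 0;
    buf[0] = (unsigned char)(colors_total >> 8); buf[1] = (unsigned char)colors_total;
    buf[2] = 0xFF; buf[3] = 0xFF;                  /* transparent = 0xFFFF, "none" */
    for (int i = 0; i < colors_total; i++) {
        unsigned char *e = buf + 4 + (size_t)i * 4;
        e[0] = (unsigned char)i; e[1] = (unsigned char)(i * 3);
        e[2] = (unsigned char)(i * 5); e[3] = 0;
    }
    return need;
}

/* A well-formed 16-colour header: both parsers accept it and agree on the palette. */
int demo_valid_header_parses(void)
{
    unsigned char buf[4 + 16 * 4];
    struct palette_image a, b;
    size_t n = build_header(buf, sizeof buf, 16);
    struct reader r1 = { buf, n }, r2 = { buf, n };
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    if (n == 0 || !parse_palette_unchecked(&r1, &a) || !parse_palette_checked(&r2, &b))
        return 0;
    return a.colors_total == 16 && b.colors_total == 16 && a.red[15] == 15
        && b.green[15] == 45 && b.transparent == 0xFFFF;
}

/* A crafted header claiming 300 colours: the checked parser rejects it before any
 * palette byte is stored. The unchecked parser is deliberately not run on this input;
 * it would store entries 256..299 past the end of each array. */
int demo_crafted_header_rejected(void)
{
    unsigned char buf[4 + 300 * 4];
    struct palette_image im;
    size_t n = build_header(buf, sizeof buf, 300);
    struct reader r = { buf, n };
    memset(&im, 0, sizeof im);
    return n != 0 && parse_palette_checked(&r, &im) == 0 && im.red[0] == 0;
}

int main(void)
{
    printf("16-colour header:  %s\n", demo_valid_header_parses() ? "accepted by both parsers" : "FAILED");
    printf("300-colour header: %s\n", demo_crafted_header_rejected() ? "rejected by the checked parser" : "NOT rejected");
    return 0;
}
```

The point to take from the two parsers is where the comparison sits: the count must be validated between reading the header and entering the loop that indexes the fixed-size arrays, since the loop itself has no way to know the arrays' size. The crafted header is only ever fed to the checked parser; feeding it to the unchecked one would be the memory corruption the advisory describes.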
CHARACTERISTICS
– Identifiers: BID-36712, CVE-2009-3546, MDVSA-2009:284,
MDVSA-2009:285, VIGILANCE-VUL-9098
– Url: http://vigilance.fr/vulnerability/LibGd-PHP-memory-corruption-via-gdGetColors-9098