CVE-2016-5116
Description
gd_xbm.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in certain custom PHP 5.5.x configurations, allows context-dependent attackers to obtain sensitive information from process memory or cause a denial of service (stack-based buffer under-read and application crash) via a long name.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 42.1 | Affected | โ |
| โ | Affected | โ |
Debian Mixed 6 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.2.1-1 |
| sid | Fixed | 2.2.1-1 |
| forky | Fixed | 2.2.1-1 |
| bullseye | Fixed | 2.2.1-1 |
| bookworm | Fixed | 2.2.1-1 |
| 8.0 | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| libgd | libgd | {"endIncluding":"2.2.1"} | |
| php | php | 5.5.0 | |
| php | php | 5.5.1 | |
| php | php | 5.5.2 | |
| php | php | 5.5.3 | |
| php | php | 5.5.4 | |
| php | php | 5.5.5 | |
| php | php | 5.5.6 | |
| php | php | 5.5.7 | |
| php | php | 5.5.8 | |
| php | php | 5.5.9 | |
| php | php | 5.5.10 | |
| php | php | 5.5.11 | |
| php | php | 5.5.12 | |
| php | php | 5.5.13 | |
| php | php | 5.5.14 | |
| php | php | 5.5.18 | |
| php | php | 5.5.19 | |
| php | php | 5.5.20 | |
| php | php | 5.5.21 | |
| php | php | 5.5.22 | |
| php | php | 5.5.23 | |
| php | php | 5.5.24 | |
| php | php | 5.5.25 | |
| php | php | 5.5.26 | |
| php | php | 5.5.27 | |
| php | php | 5.5.28 | |
| php | php | 5.5.29 | |
| php | php | 5.5.30 | |
| php | php | 5.5.31 | |
| php | php | 5.5.32 | |
| php | php | 5.5.33 | |
| php | php | 5.5.34 | |
| php | php | 5.5.35 | |
| php | php | 5.5.37 | |
References
- https://www.suse.com/security/cve/CVE-2016-5116.html
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00078.html
- http://www.debian.org/security/2016/dsa-3619
- http://www.openwall.com/lists/oss-security/2016/05/29/5
- http://www.ubuntu.com/usn/USN-3030-1
- https://github.com/libgd/libgd/commit/4dc1a2d7931017d3625f2d7cff70a17ce58b53b4
- https://github.com/libgd/libgd/issues/211
- https://security-tracker.debian.org/tracker/CVE-2016-5116
CWEs
CWE-119
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.