An out-of-bounds read vulnerability in gd was found when encoding a GIF from malformed input with the gd2togif utility.
Created gd tracking bugs for this issue:
Affects: fedora-23 [bug 1353551]
CVSSv3 score adjusted based on the following reasoning:
- the flaw makes it possible for a crafted .gd2 file to read arbitrary amounts of memory when converted to .gif
- the library is often exposed (in PHP) to web services that process untrusted images
- such services often restrict the file types they accept, and gd2 is normally not whitelisted
- libgd uses gd2 as an intermediate format for conversions, so the code can still be reached
- in this case, exploitation relies on chaining another vulnerability that allows (semi-controlled) the attacker to trigger creation of an incorrect intermediate .gd2 image
This lies between AC:L and AC:H; I think the overall score fairly well represents the risk exposure.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1354710]
Red Hat Product Security has rated this issue as having Moderate security
impact. This issue is not currently planned to be addressed in future
updates. For additional information, refer to the Issue Severity