It was found that gdImageTrueColorToPaletteBody doesn't check for negative transparent colors while converting the image that can lead to arbitrary null write and information leak.
Created gd tracking bugs for this issue:
Affects: fedora-all [bug 1359839]
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1359837]
As per upstream:
"Not sure how exploitable this is... theoretically could be if somebody had online image editor, etc. though it's a bit far-reaching by this point..."
This flaw can only be exploited, if some kind of special image wrangling is done by the PHP script, based on attacker input.
Based on the above, Red Hat Product Security Team, does not consider this as a security flaw.