Bug 276751 (CVE-2007-3472) - CVE-2007-3472 libgd Integer overflow in TrueColor code
Summary: CVE-2007-3472 libgd Integer overflow in TrueColor code
Alias: CVE-2007-3472
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Depends On: 277411 277421 432784 432785 432786 432787 833899
TreeView+ depends on / blocked
Reported: 2007-09-04 17:16 UTC by Lubomir Kundrak
Modified: 2021-02-25 18:00 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-17 15:17:49 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0146 0 normal SHIPPED_LIVE Moderate: gd security update 2008-02-28 09:59:17 UTC

Description Lubomir Kundrak 2007-09-04 17:16:54 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3472 to the following vulnerability:

Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers has unspecified attack vectors and impact.



Comment 1 Lubomir Kundrak 2007-09-04 20:34:07 UTC
This just leads to unsuccessful attempt to allocate huge amount of memory and a
NULL dereference in turn. Just a crash.

Comment 3 Tomas Hoger 2008-02-08 16:55:42 UTC
(In reply to comment #1)
> This just leads to unsuccessful attempt to allocate huge amount of memory
> and a NULL dereference in turn. Just a crash.

What you refer to here is more likely:

Return values of various *alloc functions were not properly checked.  In the
case described in gd bug 89 -- im->tpixels[i] -- possibly being NULL, it depends
on specific use.  If attacker may control index used as second array index, he
may possibly read / modify arbitrary memory address.  Looking into gd_png and
gd_jpeg (just a few places where gdImageCreateTrueColor is used), it seems that
im->tpixels[i][] is traversed from lower indexes, so likely leading to SEGV soon.

Upstream CVS commit for gd bug 89:

Additionally, this seems to be same as CVE-2007-3996, part (b) reported for
php-gd, described in:

(Text does not seem to be correct in claim that gdImageCreate if affected by
overflow too, as char items are allocated.)

Comment 4 Tomas Hoger 2008-02-08 17:04:01 UTC
SecWeb advisory equivalent for gd:


Comment 6 Tomas Hoger 2008-02-08 17:46:46 UTC
SecWeb advisory is somewhat misleading, as it describes integer overflow in
gdImageCreateTrueColor, but in example PoC uses gdImageCreateFromXbm, which does
not use gdImageCreateTrueColor, but gdImageCreate.  Crash caused by that PoC
seems to be what is known as CVE-2007-3473 (see bug bug #276791).

Comment 7 Tomas Hoger 2008-02-13 17:44:12 UTC
This issue does not affect versions of gd as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not provide affected gdImageCreateTrueColor() function.

Comment 10 Red Hat Product Security 2008-02-28 10:53:38 UTC
This issue was addressed in:

Red Hat Enterprise Linux:


Comment 11 Vincent Danen 2015-02-17 15:17:49 UTC

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates to libwmf on Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.