Unrated severityOSV Advisory· Published Jan 27, 2019· Updated Aug 4, 2024
CVE-2019-6977
CVE-2019-6977
Description
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
29- Range: <5.6.40, >=7.0.0 <7.1.26, >=7.2.0 <7.2.14, >=7.3.0 <7.3.1
- osv-coords26 versionspkg:rpm/almalinux/gdpkg:rpm/almalinux/gd-develpkg:rpm/opensuse/gd&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/gd&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/perl-GD&distro=openSUSE%20Tumbleweedpkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
< 2.2.5-7.el8+ 25 more
- (no CPE)range: < 2.2.5-7.el8
- (no CPE)range: < 2.2.5-7.el8
- (no CPE)range: < 2.2.5-lp150.8.1
- (no CPE)range: < 2.3.3-1.1
- (no CPE)range: < 2.76-1.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.2.5-4.6.1
- (no CPE)range: < 2.2.5-4.6.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 2.1.0-24.12.1
- (no CPE)range: < 5.3.17-112.53.1
- (no CPE)range: < 5.3.17-112.53.1
- (no CPE)range: < 5.3.17-112.53.1
- (no CPE)range: < 5.5.14-109.48.1
- (no CPE)range: < 5.5.14-109.48.1
- (no CPE)range: < 5.5.14-109.48.1
- (no CPE)range: < 7.0.7-50.63.1
- (no CPE)range: < 7.0.7-50.63.1
- (no CPE)range: < 7.0.7-50.63.1
Patches
Vulnerability mechanics
References
19- www.exploit-db.com/exploits/46677/mitreexploitx_refsource_EXPLOIT-DB
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00025.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00031.htmlmitrevendor-advisoryx_refsource_SUSE
- access.redhat.com/errata/RHSA-2019:2519mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/errata/RHSA-2019:3299mitrevendor-advisoryx_refsource_REDHAT
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WRUPZVT2MWFUEMVGTRAGDOBHLNMGK5R/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEYUUOW75YD3DENIPYMO263E6NL2NFHI/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTXSLRZI5BCQT3H5KALG3DHUWUMNPDX2/mitrevendor-advisoryx_refsource_FEDORA
- security.gentoo.org/glsa/201903-18mitrevendor-advisoryx_refsource_GENTOO
- usn.ubuntu.com/3900-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2019/dsa-4384mitrevendor-advisoryx_refsource_DEBIAN
- packetstormsecurity.com/files/152459/PHP-7.2-imagecolormatch-Out-Of-Band-Heap-Write.htmlmitrex_refsource_MISC
- php.net/ChangeLog-5.phpmitrex_refsource_MISC
- php.net/ChangeLog-7.phpmitrex_refsource_MISC
- www.securityfocus.com/bid/106731mitrevdb-entryx_refsource_BID
- bugs.php.net/bug.phpmitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2019/01/msg00028.htmlmitremailing-listx_refsource_MLIST
- security.netapp.com/advisory/ntap-20190315-0003/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.