CVE-2017-6362
CVSS5.0
发布时间 :2017-09-07 09:29:00
修订时间 :2017-09-13 13:46:27
NMP    

[原文]Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-415 [双重释放]

- CPE (受影响的平台与产品)

cpe:/o:debian:debian_linux:8.0
cpe:/o:debian:debian_linux:9.0
cpe:/a:libgd:libgd:2.2.4
cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
cpe:/o:fedoraproject:fedora:26

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6362
(官方数据源) NVD

- 其它链接及资源

http://www.debian.org/security/2017/dsa-3961
(VENDOR_ADVISORY)  DEBIAN  DSA-3961
https://github.com/libgd/libgd/issues/381
(VENDOR_ADVISORY)  CONFIRM  https://github.com/libgd/libgd/issues/381
https://github.com/libgd/libgd/releases/tag/gd-2.2.5
(VENDOR_ADVISORY)  CONFIRM  https://github.com/libgd/libgd/releases/tag/gd-2.2.5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N2BLXX7KNRE7ZVQAKGTHHWS33CUCXVUP/
(VENDOR_ADVISORY)  FEDORA  FEDORA-2017-7cc0e6a5f5

- 漏洞信息 (F144005)

Debian Security Advisory 3961-1 (PacketStormID:F144005)
2017-09-05 00:00:00
Debian  debian.org
advisory,denial of service,arbitrary
linux,debian
CVE-2017-6362
[点击下载]

Debian Linux Security Advisory 3961-1 - A double-free vulnerability was discovered in the gdImagePngPtr() function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3961-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 03, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgd2
CVE ID         : CVE-2017-6362

A double-free vulnerability was discovered in the gdImagePngPtr()
function in libgd2, a library for programmatic graphics creation and
manipulation, which may result in denial of service or potentially the
execution of arbitrary code if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.5-1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlmrmqhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RCTRAAmnzp8ZjtdFVY8Fp4pd6zuQKpyRds+kCQaXEFf0P4SvwqIVPd3hCqz2H+
2bMxbrSAmnXVgqsppafbzybUZm23gCrbTDdzqhEk9HHWm2uL/Tm3aWfGo7FEDXKk
EvTq+seQyhpjf+5e+vGH+Nu1sOApxu+O4l4/8NR6rpwX/KMjP/YNNvL/birRJtuS
IesGK/kZI7JzIo/pVFf/BKQM3YAJ0DtRlPt4lQc/GvLRW7TzpBO5CMUcbwA/8UPk
BI1dEA3nLdTny1v60aj1sam/Op8QijMTxmB3CRZMfrKyhNyVqzvtAs+gmBiycX1A
uytl9eWgKOzgdHYUCY65s2kJBthMY7GbJ56kt0tAPMkBHQCyUcFMayB0ajvA6Wjq
90rOG+0QMgdoze6ziwIVz96xEwZVlDdeOycDtLVf0ZjFtKIfNX6CNr55K4rlu/Nj
u9/HuUukKa8mVVxBF2lfnZx13RcGR6GQiDf4HdRii4xjYwqjUTG4ZpGTYgkpEJgu
1SoXxzKKJsQBNX/QIi5J8sIykVVfSy1RMPf34ttciuovwldlsomVpcEunEs+aW+e
oox6B5A9wg80DQT1fuUPsEknb17XtbXIGS4sAWQcVAWjKhRawHjBdiaulD9mtf0n
7lEZpn79qsJI2jAoujq7gs/sWxQki87lreQL2Hp4sohEnEIihIA=
=uz5S
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F147262)

Slackware Security Advisory - gd Updates (PacketStormID:F147262)
2018-04-19 00:00:00
Slackware Security Team  slackware.com
advisory
linux,slackware
CVE-2017-6362,CVE-2017-7890
[点击下载]

Slackware Security Advisory - New gd packages are available for Slackware 14.2 and -current to fix security issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  gd (SSA:2018-108-01)

New gd packages are available for Slackware 14.2 and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
  This update fixes two security issues:
  Double-free in gdImagePngPtr() (denial of service).
  Buffer over-read into uninitialized memory (information leak).
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/gd-2.2.5-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/gd-2.2.5-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/gd-2.2.5-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/gd-2.2.5-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.2 package:
00f7ac709aebd7e2d83c106496a67503  gd-2.2.5-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
55090c6941dea831bdc6ad78d47055d9  gd-2.2.5-x86_64-1_slack14.2.txz

Slackware -current package:
c996a52a4eed3ccc5af79320d27ef9f8  l/gd-2.2.5-i586-1.txz

Slackware x86_64 -current package:
e9a5c2882717f1df8d25c7b1ae03ecb5  l/gd-2.2.5-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg gd-2.2.5-i586-1_slack14.2.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlrXseQACgkQakRjwEAQIjN6twCfWo5ETEA92eUD4Mqbjbeq2SZq
h/YAnizReuO85XhlSzQyyTe2KUil/71t
=VRt3
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F147449)

Slackware Security Advisory - libwmf Updates (PacketStormID:F147449)
2018-05-03 00:00:00
Slackware Security Team  slackware.com
advisory
linux,slackware
CVE-2004-0941,CVE-2006-3376,CVE-2007-0455,CVE-2007-2756,CVE-2007-3472,CVE-2007-3473,CVE-2007-3477,CVE-2009-3546,CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696,CVE-2016-10167,CVE-2016-10168,CVE-2016-9011,CVE-2016-9317,CVE-2017-6362
[点击下载]

Slackware Security Advisory - New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  libwmf (SSA:2018-120-01)

New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/libwmf-0.2.8.4-i586-7_slack14.1.txz:  Rebuilt.
  Patched denial of service and possible execution of arbitrary code
  security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libwmf-0.2.8.4-i486-5_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libwmf-0.2.8.4-x86_64-5_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libwmf-0.2.8.4-i486-6_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libwmf-0.2.8.4-x86_64-6_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libwmf-0.2.8.4-i486-6_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libwmf-0.2.8.4-x86_64-6_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libwmf-0.2.8.4-i486-6_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libwmf-0.2.8.4-x86_64-6_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libwmf-0.2.8.4-i486-6_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libwmf-0.2.8.4-x86_64-6_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libwmf-0.2.8.4-i586-7_slack14.1.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libwmf-0.2.8.4-x86_64-7_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libwmf-0.2.8.4-i586-8.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libwmf-0.2.8.4-x86_64-8.txz


MD5 signatures:
+-------------+

Slackware 13.0 package:
6d0143e7e105188714f767aea522f4cb  libwmf-0.2.8.4-i486-5_slack13.0.txz

Slackware x86_64 13.0 package:
3f47383d824d93c4518f8fc738c0c820  libwmf-0.2.8.4-x86_64-5_slack13.0.txz

Slackware 13.1 package:
871f2ed8d5b43a139607a4d6f959ff93  libwmf-0.2.8.4-i486-6_slack13.1.txz

Slackware x86_64 13.1 package:
a8cff7e3b53153589eab0a0bab9209de  libwmf-0.2.8.4-x86_64-6_slack13.1.txz

Slackware 13.37 package:
5db38178040f541080caf9776256331d  libwmf-0.2.8.4-i486-6_slack13.37.txz

Slackware x86_64 13.37 package:
5d308a63d03d940622ec21d870b01cde  libwmf-0.2.8.4-x86_64-6_slack13.37.txz

Slackware 14.0 package:
c806e42bd0498db0f3b70957c7c3a401  libwmf-0.2.8.4-i486-6_slack14.0.txz

Slackware x86_64 14.0 package:
376835bf78178bb15bb3c56cee454eb4  libwmf-0.2.8.4-x86_64-6_slack14.0.txz

Slackware 14.1 package:
8a30446ddb36004db6d5ce10728807af  libwmf-0.2.8.4-i486-6_slack14.1.txz

Slackware x86_64 14.1 package:
ceb7fa835645c9d55c3ad5eac9eab754  libwmf-0.2.8.4-x86_64-6_slack14.1.txz

Slackware 14.2 package:
4d98c4cad02f173e00570dccccba226a  libwmf-0.2.8.4-i586-7_slack14.1.txz

Slackware x86_64 14.2 package:
0750711520b0cf4ff5a9a6e363815702  libwmf-0.2.8.4-x86_64-7_slack14.1.txz

Slackware -current package:
ac7070e538cf1d1bb08b68cf7883de6d  l/libwmf-0.2.8.4-i586-8.txz

Slackware x86_64 -current package:
5a60b94c51180b5a2d53dba2fe430379  l/libwmf-0.2.8.4-x86_64-8.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg libwmf-0.2.8.4-i586-7_slack14.1.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlrnmukACgkQakRjwEAQIjPNXgCeMvoMF3+o5j2NjGNL4XYJDfof
jZIAn2DRjyfoNZn7I6obni8P13FuyPek
=hcxT
-----END PGP SIGNATURE-----
    
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站