CVE-2016-6132 : The gdImageCreateFromTgaCtx function in the GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to caus

The gdImageCreateFromTgaCtx function in the GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.

Published 2016-08-12 15:59:00

Updated 2018-10-30 16:27:32

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2016-6132

Probability of exploitation activity in the next 30 days: 1.54%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-6132

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2016-6132

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-6132

http://www.openwall.com/lists/oss-security/2016/06/30/6

oss-security - CVE Request: A read out-of-bands was found in the parsing of TGA files using libgd
Mailing List;Third Party Advisory
https://security.gentoo.org/glsa/201612-09

GD: Multiple vulnerabilities (GLSA 201612-09) — Gentoo security

CVEs referencing this url
https://github.com/libgd/libgd/issues/247

[CVE-2016-6132]: A read out-of-bands was found in the parsing of TGA files · Issue #247 · libgd/libgd · GitHub
Patch;Third Party Advisory
http://www.debian.org/security/2016/dsa-3619

Debian -- Security Information -- DSA-3619-1 libgd2
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/06/30/10

oss-security - Re: CVE Request: A read out-of-bands was found in the parsing of TGA files using libgd
Mailing List;Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00086.html

openSUSE-SU-2016:2117-1: moderate: Security update for gd

CVEs referencing this url
https://libgd.github.io/release-2.2.3.html

LibGD 2.2.3 release
Vendor Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-3060-1

USN-3060-1: GD library vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.securityfocus.com/bid/91520

libgd 'src/gd_tga.c' Heap Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry
http://lists.opensuse.org/opensuse-updates/2016-09/msg00078.html

openSUSE-SU-2016:2363-1: moderate: Security update for gd
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2016-6132

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Libgd » Libgd
Versions up to, including, (<=) 2.2.2
cpe:2.3:a:libgd:libgd:*:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.1
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-6132

Exploit prediction scoring system (EPSS) score for CVE-2016-6132

CVSS scores for CVE-2016-6132

CWE ids for CVE-2016-6132

References for CVE-2016-6132

Products affected by CVE-2016-6132