CVE-2016-1903

The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |

EPSS Score
Percentile: 93%
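
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| php | php | 𝑥 ≤ 5.5.30 |
| php | php | 5.6.0:alpha1 |
| php | php | 5.6.0:alpha2 |
| php | php | 5.6.0:alpha3 |
| php | php | 5.6.0:alpha4 |
| php | php | 5.6.0:alpha5 |
| php | php | 5.6.0:beta1 |
| php | php | 5.6.0:beta2 |
| php | php | 5.6.0:beta3 |
| php | php | 5.6.0:beta4 |
| php | php | 5.6.1 |
| php | php | 5.6.2 |
| php | php | 5.6.3 |
| php | php | 5.6.4 |
| php | php | 5.6.5 |
| php | php | 5.6.6 |
| php | php | 5.6.7 |
| php | php | 5.6.8 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.11 |
| php | php | 5.6.12 |
| php | php | 5.6.13 |
| php | php | 5.6.14 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 7.0.0 |
| php | php | 7.0.1 |

𝑥 = Vulnerable software versions
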
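Ubuntu Releases

| Ubuntu Product | Codename | Status | Fixed |
|---|---|---|---|
| libgd2 | precise | not-affected | |
| libgd2 | trusty | not-affected | |
| libgd2 | wily | not-affected | |
| libgd2 | xenial | not-affected | |
| php5 | precise | not-affected | |
| php5 | trusty | released | 5.5.9+dfsg-1ubuntu4.16 |
| php5 | vivid | ignored | |
| php5 | wily | released | 5.6.11+dfsg-1ubuntu3.2 |
| php5 | xenial | dne | |
| php7.0 | precise | dne | |
| php7.0 | trusty | dne | |
| php7.0 | vivid | dne | |
| php7.0 | wily | dne | |
| php7.0 | xenial | not-affected | |
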
Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| php55 | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-bcmath | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-cli | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-common | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-dba | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-debuginfo | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-devel | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-embedded | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-enchant | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-fpm | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-gd | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-gmp | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-imap | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-intl | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-ldap | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-mbstring | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-mcrypt | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-mssql | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-mysqlnd | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-odbc | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-opcache | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-pdo | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-pgsql | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-process | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-pspell | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-recode | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-snmp | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-soap | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-tidy | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-xml | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php55-xmlrpc | Amazon Linux 1 | 0:5.5.31-1.111.amzn1 | fixed |
| php56 | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-bcmath | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-cli | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-common | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-dba | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-dbg | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-debuginfo | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-devel | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-embedded | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-enchant | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-fpm | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-gd | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-gmp | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-imap | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-intl | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-ldap | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-mbstring | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-mcrypt | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-mssql | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-mysqlnd | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-odbc | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-opcache | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-pdo | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-pgsql | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-process | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-pspell | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-recode | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-snmp | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-soap | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-tidy | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-xml | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |
| php56-xmlrpc | Amazon Linux 1 | 0:5.6.17-1.120.amzn1 | fixed |