CVE-2018-1000222

EUVD-2018-1892
Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
Affected Products (NVD)
VendorProductVersion
libgdlibgd
2.2.5
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libgd2
bookworm
2.3.3-9
fixed
bullseye
2.3.0-2
fixed
sid
2.3.3-12
fixed
trixie
2.3.3-12
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libgd2
bionic
Fixed 2.2.5-4ubuntu0.2
released
trusty
Fixed 2.1.0-3ubuntu0.10
released
xenial
Fixed 2.1.1-4ubuntu0.16.04.10
released
php5
bionic
dne
trusty
not-affected
xenial
dne
php7.0
bionic
dne
trusty
dne
xenial
not-affected
php7.1
bionic
dne
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://github.com/libgd/libgd/issues/447
https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
https://security.gentoo.org/glsa/201903-18
https://usn.ubuntu.com/3755-1/
https://github.com/libgd/libgd/issues/447
https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
https://security.gentoo.org/glsa/201903-18
https://usn.ubuntu.com/3755-1/