CVE-2018-5711
libgd2 - security update
CVSS 3.1 base score: 5.5 (MEDIUM)
EPSS: 10.3%
Description
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
How to fix CVE-2018-5711
To remediate CVE-2018-5711, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 2.2.5-r2 or later
- Upgrade to 5.6.33-r0 or later
- Upgrade to 2.2.5-4.1 or later
- Upgrade to 2.0.36~rc1~dfsg-6.1+deb7u11 or later
Is CVE-2018-5711 being exploited?
Moderate: EPSS is 10.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (4)
- from 0, < 2.2.5-r2
- from 0, < 5.6.33-r0
- from 0, < 2.2.5-4.1
- from 0, < 2.0.36~rc1~dfsg-6.1+deb7u11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |