Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Php | Php | * | 5.2.3 (including) |
Red Hat Enterprise Linux 2.1 | RedHat | php-0:4.1.2-2.19 | * |
Red Hat Enterprise Linux 3 | RedHat | php-0:4.3.2-43.ent | * |
Red Hat Enterprise Linux 4 | RedHat | php-0:4.3.9-3.22.9 | * |
Red Hat Enterprise Linux 5 | RedHat | php-0:5.1.6-15.el5 | * |
Red Hat Web Application Stack for RHEL 4 | RedHat | php-0:5.1.6-3.el4s1.8 | * |
Libgd2 | Ubuntu | dapper | * |
Libgd2 | Ubuntu | edgy | * |
Libgd2 | Ubuntu | feisty | * |
Libgd2 | Ubuntu | gutsy | * |
Libgd2 | Ubuntu | upstream | * |
Php5 | Ubuntu | dapper | * |
Php5 | Ubuntu | edgy | * |
Php5 | Ubuntu | feisty | * |
Php5 | Ubuntu | gutsy | * |
Php5 | Ubuntu | upstream | * |
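
The defensive pattern for the bug class described above, as an added example: this is not libgd or PHP source code, and `image_t`, `wrapped_size`, `mul_overflows`, `image_create_checked` and `image_destroy` are hypothetical names. It assumes a 32-bit `int` and shows how an unchecked width times element size wraps to a tiny allocation, and how rejecting every overflowing product before allocating avoids it.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical image type for this example; not libgd's gdImage. */
typedef struct { int sx, sy; int **rows; } image_t;

/* Size a 32-bit multiplication produces with no check: it silently wraps. */
uint32_t wrapped_size(uint32_t count, uint32_t elem) { return count * elem; }

/* 1 if a * b is unusable as a size: non-positive input or product > INT_MAX. */
int mul_overflows(int a, int b)
{
    return a <= 0 || b <= 0 || a > INT_MAX / b;
}

void image_destroy(image_t *im)
{
    if (!im) return;
    for (int y = 0; im->rows && y < im->sy; y++) free(im->rows[y]);
    free(im->rows);
    free(im);
}

/* Validate every product derived from sx and sy before any allocation. */
image_t *image_create_checked(int sx, int sy)
{
    if (mul_overflows(sx, sy) ||
        mul_overflows((int)sizeof(int *), sy) ||
        mul_overflows((int)sizeof(int), sx))
        return NULL;
    image_t *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->sx = sx; im->sy = sy;
    im->rows = calloc((size_t)sy, sizeof(int *));
    for (int y = 0; im->rows && y < sy; y++) {
        im->rows[y] = calloc((size_t)sx, sizeof(int));
        if (!im->rows[y]) { image_destroy(im); return NULL; }
    }
    if (!im->rows) { image_destroy(im); return NULL; }
    return im;
}

int main(void)
{
    printf("unchecked: %u bytes, checked create rejects: %s\n", (unsigned)wrapped_size(0x40000001u, 4u), image_create_checked(0x40000001, 1) ? "no" : "yes");
    return 0;
}
```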