GD Graphics Library gdImage*Ptr() Functions Double Free Vulnerability [CVE-2019-6978]

CVE number – CVE-2019-6978

A vulnerability in GD Graphics Library (libgd) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to a double-free condition that exists in the gdImage*Ptr() functions, as defined in the gd_gif_out.cgd_jpeg.c, and gd_wbmp.c source code files of the affected software. An attacker could exploit the vulnerability by sending crafted image data that submits malicious input to the targeted system. A successful exploit could trigger a double-free condition, which could result in a complete system compromise.Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.The libgd project has confirmed the vulnerability, and software updates are available.

Analysis

  • To exploit this vulnerability, the attacker must send a crafted image data to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards

  • Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to have network access.Administrators can help protect affected systems from external attacks by using a solid firewall strategy.Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.Administrators are advised to monitor affected systems.

Vendor Announcements

  • The libgd project has released an issue report at the following link: Issue 492

Fixed Software

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: