CVE-2014-5120

Publication date 23 August 2014

Last updated 24 July 2024

Ubuntu priority

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libgd2	14.04 LTS trusty	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected
php5	14.04 LTS trusty	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

per Debian, php-specific

seth-arnold

Not affected, already fixed via gdIOCtx.patch

References

MITRE
NVD
Launchpad
Debian

Other references

https://bugs.php.net/bug.php?id=67730
https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest
http://php.net/ChangeLog-5.php
https://www.cve.org/CVERecord?id=CVE-2014-5120