Varsleak

**Name of the Vulnerable Software and Affected Versions** libgd2 versions prior to 2.2.5 **Description** The issue is related to a double free vulnerability in the gdImagePngPtr function. This vulnerability can be exploited by remote attackers to cause a denial of service, specifically through vectors related to a palette with no colors. **Recommendations** For versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the gdImagePngPtr function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asuswrt-Merlin firmware versions for ASUS devices (affected versions not specified) **Description** The issue is caused by a stack-based buffer overflow in the ASUS Discovery.c component of the Asuswrt-Merlin firmware, specifically when handling device information with the strcat function. This can allow a remote attacker to execute arbitrary code by providing long device information that is mishandled during the strcat operation to a device list. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.6.31 **Description** The issue is related to flaws in the deserialization mechanism of the PHP programming language interpreter. It may allow a remote attacker to cause a denial of service by injecting XML for deserialization, potentially crashing the PHP interpreter due to an invalid free for an empty boolean element. **Recommendations** For PHP versions prior to 5.6.31, update to version 5.6.31 or later to resolve the issue. As a temporary workaround, consider restricting the deserialization of boolean parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GD Graphics Library versions through 2.2.5 **Description** The issue is related to a heap-based buffer over-read in the `tiffWriter` function in `gd tiff.c`. This can allow a remote attacker to access confidential data and cause a denial of service using a specially crafted file in GD or GD2 formats. The vendor notes that the GD and GD2 formats are documented as obsolete and should only be used for development and testing purposes. **Recommendations** For versions through 2.2.5, consider disabling the `tiffWriter` function in `gd tiff.c` as a temporary workaround to minimize the risk of exploitation. Restrict access to files in GD and GD2 formats to prevent potential attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.