CVE-2009-3546

Name of the Vulnerable Software and Affected Versions gd versions 2.0.28 through 2.0.33 gd-progs versions 2.0.28 through 2.0.33 gd-devel versions 2.0.28 through 2.0.33 PHP versions 5.2.11 and 5.3.x before 5.3.1

Description The issue is related to the gdGetColors function in gd gd.c, which does not properly verify a certain colorsTotal structure member. This might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file. The vulnerability can be exploited remotely and may lead to disruption of confidentiality, integrity, and availability of protected information.

Recommendations For gd versions 2.0.28 through 2.0.33, consider updating to a version later than 2.0.33 or applying a patch if available. For gd-progs versions 2.0.28 through 2.0.33, consider updating to a version later than 2.0.33 or applying a patch if available. For gd-devel versions 2.0.28 through 2.0.33, consider updating to a version later than 2.0.33 or applying a patch if available. For PHP versions 5.2.11 and 5.3.x before 5.3.1, consider updating to version 5.3.1 or later. As a temporary workaround, consider restricting access to the gdGetColors function until a patch is available.