PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6911 Libgd CVE debrief

CVE-2016-6911 is a medium-severity memory-safety issue in libgd’s TIFF handling. According to the NVD description, a crafted TIFF image can drive the dynamicGetbuf function in libgd before 2.2.4 into an out-of-bounds read, resulting in denial of service.

Vendor: Libgd
Product: CVE-2016-6911
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-26
Original CVE updated: 2026-05-13
Advisory published: 2017-01-26
Advisory updated: 2026-05-13

Who should care

Administrators and developers who ship or embed libgd, especially products that accept or process untrusted TIFF images. Systems running libgd 2.2.3 or earlier are in scope based on the NVD CPE range.

Technical summary

NVD identifies CWE-125 (out-of-bounds read) and maps the affected range to libgd versions through 2.2.3. The issue is tied to TIFF image parsing in dynamicGetbuf. The practical impact described in the record is denial of service.

Defensive priority

Medium. This is a denial-of-service issue rather than a code-execution finding, but it affects image parsing of untrusted content and should be remediated in any exposed service or application.

Recommended defensive actions

  • Upgrade libgd to 2.2.4 or later.
  • Inventory products and services that bundle or dynamically link against libgd.
  • Treat untrusted TIFF uploads or image feeds as potentially crash-inducing until the library is updated.
  • Use the libgd changelog, commit, and vendor advisories to confirm the fix is present in your deployed build.
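As an added example covering the upgrade and inventory steps above (example code, not PatchSiren's or libgd's own), a POSIX shell triage script that compares the deployed libgd version against the 2.2.4 fix and lists executables that dynamically link libgd. It assumes pkg-config (gdlib.pc) or gdlib-config is on PATH when probing a live host, and strips distro packaging suffixes before comparing.

```shell
#!/bin/sh
# Added triage helper for CVE-2016-6911 (example code, not PatchSiren's or
# libgd's own): compares a deployed libgd version against the fixed release
# 2.2.4 and lists executables that dynamically link libgd. Assumes pkg-config
# (gdlib.pc) or gdlib-config is on PATH when probing a live host. Distro builds
# may backport the fix under a lower version, so "affected" means "confirm
# against the vendor advisory", not a final verdict.

# Reduce a packaged version such as "2.2.5+dfsg-1" or "v2.2.3" to "x.y.z".
upstream_version() {
    v=${1#v}
    printf '%s\n' "${v%%[+~-]*}"
}

# Encode x.y.z as one integer so versions compare numerically.
version_key() {
    IFS=. read -r maj min pat <<EOF
$(upstream_version "$1")
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Print "affected" when VERSION is below 2.2.4 (NVD range: through 2.2.3).
libgd_affected() {
    if [ "$(version_key "$1")" -lt "$(version_key 2.2.4)" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Print each executable among the arguments that links libgd.so at runtime.
linked_against_libgd() {
    for f in "$@"; do
        if [ -x "$f" ] && ldd "$f" 2>/dev/null | grep -q 'libgd\.so'; then
            echo "$f"
        fi
    done
}

# Usage on a host: sh cve-2016-6911-triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    ver=$(pkg-config --modversion gdlib 2>/dev/null || gdlib-config --version 2>/dev/null)
    [ -n "$ver" ] && echo "libgd $ver: $(libgd_affected "$ver")" \
        || echo "libgd not reported by pkg-config or gdlib-config"
    linked_against_libgd /usr/bin/* /usr/local/bin/* /usr/sbin/*
fi
```

A version below 2.2.4 flagged here is a lead to cross-check against the changelog, commit, and vendor advisory listed above, since a distro may ship the fix under an older version number.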

Evidence notes

The NVD record describes a crafted-TIFF-triggered out-of-bounds read in dynamicGetbuf and assigns CWE-125 with a medium CVSS score. The NVD CPE range marks libgd versions up to 2.2.3 as vulnerable. The supplied references include the libgd changelog, a patch commit, a pull request, and a Debian security advisory, all consistent with a fix in libgd 2.2.4.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-01-26; the NVD entry was later modified on 2026-05-13.