CVE-2019-6978

9.8 CRITICAL

📋 TL;DR

CVE-2019-6978 is a double-free vulnerability in the LibGD graphics library that lets an attacker execute arbitrary code or cause a denial of service by having a vulnerable application process a specially crafted image file. It affects applications that use vulnerable LibGD versions for image processing. PHP applications are not affected, as noted in the CVE description.

💻 Affected Systems

Products:
  • LibGD (GD Graphics Library)
  • Applications using LibGD for image processing
Versions: LibGD 2.2.5 and possibly earlier versions
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: PHP is explicitly noted as unaffected. Applications must use LibGD's gdImage*Ptr() functions for GIF, JPEG, or WBMP processing to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash causing denial of service, potentially leading to service disruption.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially just application instability.

🌐 Internet-Facing: HIGH - Attackers can exploit by uploading malicious images to web applications using LibGD.
🏢 Internal Only: MEDIUM - Requires user interaction or malicious internal actor to trigger via image processing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires processing a malicious image file through vulnerable functions. Public proof-of-concept exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LibGD 2.2.6 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2722

Restart Required: Yes

Instructions:

1. Update LibGD to version 2.2.6 or later.
2. Rebuild applications linked against LibGD.
3. Restart affected services.
4. For Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade libgd3' (Debian/Ubuntu) or 'sudo yum update libgd' (RHEL/CentOS).

🔧 Temporary Workarounds

Disable vulnerable image formats
  • Applies to: all
  • Configure applications to disable processing of GIF, JPEG, or WBMP formats if not required.
  • Requires application-specific configuration changes.

Input validation and sanitization
  • Applies to: all
  • Implement strict validation of image files before processing with LibGD.
  • Implement file type verification, size limits, and magic byte checking.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from untrusted networks
  • Deploy web application firewall (WAF) with rules to block malicious image uploads

🔍 How to Verify

Check if Vulnerable:

Check the LibGD version with 'gdlib-config --version', 'dpkg -l | grep libgd' or 'rpm -qa | grep libgd'. If the version is 2.2.5 or earlier, the system is vulnerable.

Check Version:

# Each fallback only runs if the previous command found nothing (grep/awk pipelines always exit 0, so they cannot be chained with ||).
gdlib-config --version 2>/dev/null \
  || dpkg-query -W -f='${Package} ${Version}\n' 'libgd*' 2>/dev/null \
  || rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'gd' 'libgd*' 2>/dev/null

Verify Fix Applied:

Verify that the LibGD version is 2.2.6 or later using the same commands, and test that image processing functionality remains operational.
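The version check above is the starting point, but distributions frequently backport a fix without raising the upstream version string (the Red Hat advisory linked above updates the distro's gd package rather than moving it to 2.2.6), so the package changelog is the authoritative signal. As an added example that is not part of this advisory, the POSIX shell helpers below strip distro epochs and revisions before comparing against 2.2.6 and then look for the CVE id in the local changelog; they assume GNU sort -V and the package names libgd3 (Debian/Ubuntu) and gd (RPM-based systems).

```shell
#!/bin/sh
# Added example: classify a LibGD version string against the upstream fix (2.2.6)
# and consult the distro changelog for a backported fix. Assumes GNU sort -V.
FIXED_VERSION="2.2.6"

# Reduce "2:2.2.5-5.2+deb10u1" or "2.0.35-26.el7" to the upstream "X.Y.Z" part.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# Returns 0 (true) when the upstream part of $1 is older than FIXED_VERSION, 1 otherwise.
libgd_version_vulnerable() {
    v=$(upstream_version "$1")
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ] && [ "$v" != "$FIXED_VERSION" ]
}

# Installed package version on this host (assumed package names: libgd3, gd).
installed_libgd_version() {
    dpkg-query -W -f='${Version}\n' libgd3 2>/dev/null && return 0
    rpm -qa --qf '%{VERSION}-%{RELEASE}\n' 'gd' 2>/dev/null | grep .
}

# A backported fix shows up in the changelog even when the version stays at 2.2.5 or 2.0.x.
changelog_mentions_fix() {
    { zcat /usr/share/doc/libgd3/changelog.Debian.gz 2>/dev/null
      rpm -q --changelog gd 2>/dev/null; } | grep -q 'CVE-2019-6978'
}

# Overall verdict for this host: 0 = fixed, 1 = vulnerable, 2 = LibGD not found.
libgd_host_status() {
    ver=$(installed_libgd_version) || return 2
    [ -n "$ver" ] || return 2
    if libgd_version_vulnerable "$ver" && ! changelog_mentions_fix; then
        echo "libgd $ver: VULNERABLE (no backported fix found in changelog)"
        return 1
    fi
    echo "libgd $ver: fixed"
    return 0
}
```

Run `libgd_host_status` on a host to get a verdict and exit code; a reported 2.2.5 with CVE-2019-6978 in the changelog is treated as fixed.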

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in application logs
  • Failed image processing operations

Network Indicators:

  • Unusual image upload patterns
  • Multiple failed image processing requests

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "double free" OR "corrupted") AND process="*gd*"
