Wednesday, May 11, 2016

PHP Security Issue: libgd CVE-2016-3074

A PHP security issue that affects previous versions of PHP was recently announced. A signedness vulnerability (CVE-2016-3074) exists in libgd 2.1.1, which may result in a heap overflow when processing compressed gd2 data.

[Update: 2016/05/11]

We want to let you know that the Bitnami Team worked on updating all the native installers, virtual machines and the cloud providers images of all the affected applications and all of them are already available. We will continue working on updating the Bitnami Cloud Hosting base image.

If for any reason you are not able to update your application, follow the instructions below:

  • Deactivate the following PHP functions (imagecreatefromgd2, imagecreatefromgd2part, imagegd2) in the php.ini file.
disable_functions = imagecreatefromgd2, imagecreatefromgd2part, imagegd2

  • In Windows systems, the gd extension can be deactivated easily. Comment out this line in the php.ini file:

More information about the fixed version can be found on the GD Graphics GitHub page:

Do you have questions about the security issue? Post to our community forum, and we will be happy to help you.

[Update: 2016/05/12]

The Bitnami Cloud Hosting base image was released today so all of the new servers launched using our platform will include the latest security update.