CVE-2019-11037

Name: CVE-2019-11037
Description: In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 928420

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| php-imagick (PTS) | jessie | 3.2.0~rc1-1 | fixed |
| php-imagick | stretch | 3.4.3~rc2-2 | vulnerable |
| php-imagick | buster, sid | 3.4.3-4.1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-imagick | source | (unstable) | 3.4.3-4.1 | high | | 928420 |
| php-imagick | source | jessie | (not affected) | | | |

Notes

[jessie] - php-imagick <not-affected> (vulnerable code is not present)
https://bugs.php.net/bug.php?id=77791
https://github.com/mkoppanen/imagick/commits/bugfix_77791
