CVE-2019-11038

Name: CVE-2019-11038
Description: When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1817-1
NVD severity: medium (attack range: remote)
Debian Bugs: 929821

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libgd2 (PTS) | jessie | 2.1.0-5+deb8u11 | vulnerable |
| libgd2 | jessie (security) | 2.1.0-5+deb8u13 | fixed |
| libgd2 | stretch (security), stretch | 2.2.4-2+deb9u4 | vulnerable |
| libgd2 | bullseye, sid, buster | 2.2.5-5.2 | fixed |
| php5 (PTS) | jessie | 5.6.33+dfsg-0+deb8u1 | vulnerable |
| php5 | jessie (security) | 5.6.40+dfsg-0+deb8u5 | vulnerable |
| php7.0 (PTS) | stretch (security), stretch | 7.0.33-0+deb9u3 | vulnerable |
| php7.3 (PTS) | buster | 7.3.4-2 | vulnerable |
| php7.3 | bullseye, sid | 7.3.8-1 | fixed |

The information below is based on the following data on fixed versions.

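| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libgd2 | source | (unstable) | 2.2.5-5.2 | low | | 929821 |
| libgd2 | source | jessie | 2.1.0-5+deb8u13 | medium | DLA-1817-1 | |
| php5 | source | (unstable) | (unfixed) | unimportant | | |
| php7.0 | source | (unstable) | (unfixed) | unimportant | | |
| php7.3 | source | (unstable) | 7.3.6-1 | unimportant | | |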

Notes

[stretch] - libgd2 <no-dsa> (Minor issue)
Fixed in 7.1.30, 7.2.19, 7.3.6
PHP Bug: https://bugs.php.net/bug.php?id=77973
https://github.com/libgd/libgd/issues/501