CVE-2019-11038

Name: CVE-2019-11038
Description: When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosure of stack contents left there by previous code.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1817-1, DSA-4529-1
NVD severity: medium
Debian Bugs: 929821

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libgd2 (PTS) | jessie | 2.1.0-5+deb8u11 | vulnerable |
| | jessie (security) | 2.1.0-5+deb8u13 | fixed |
| | stretch | 2.2.4-2+deb9u5 | fixed |
| | stretch (security) | 2.2.4-2+deb9u4 | vulnerable |
| | buster, bullseye, sid | 2.2.5-5.2 | fixed |
| php5 (PTS) | jessie | 5.6.33+dfsg-0+deb8u1 | vulnerable |
| | jessie (security) | 5.6.40+dfsg-0+deb8u7 | vulnerable |
| php7.0 (PTS) | stretch | 7.0.33-0+deb9u3 | vulnerable |
| | stretch (security) | 7.0.33-0+deb9u6 | fixed |
| php7.3 (PTS) | buster, buster (security) | 7.3.11-1~deb10u1 | fixed |
| | bullseye, sid | 7.3.12-1 | fixed |

The information below is based on the following data on fixed versions.

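| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libgd2 | source | (unstable) | 2.2.5-5.2 | low | | 929821 |
| libgd2 | source | jessie | 2.1.0-5+deb8u13 | | DLA-1817-1 | |
| libgd2 | source | stretch | 2.2.4-2+deb9u5 | | | |
| php5 | source | (unstable) | (unfixed) | unimportant | | |
| php7.0 | source | (unstable) | (unfixed) | unimportant | | |
| php7.0 | source | stretch | 7.0.33-0+deb9u5 | | DSA-4529-1 | |
| php7.3 | source | (unstable) | 7.3.6-1 | unimportant | | |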

Notes

Fixed in 7.1.30, 7.2.19, 7.3.6
PHP Bug: https://bugs.php.net/bug.php?id=77973
https://github.com/libgd/libgd/issues/501
https://github.com/libgd/libgd/commit/e13a342c079aeb73e31dfa19eaca119761bac3f3
