CVE-2019-11038

Name: CVE-2019-11038
Description: When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1817-1, DSA-4529-1
Debian Bugs: 929821

Vulnerable and fixed packages

The table below lists information on source packages.

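| Source Package | Release | Version | Status |
|---|---|---|---|
| libgd2 (PTS) | buster | 2.2.5-5.2 | fixed |
| libgd2 | bullseye | 2.3.0-2 | fixed |
| libgd2 | bookworm, sid, trixie | 2.3.3-9 | fixed |
| php7.3 (PTS) | buster | 7.3.31-1~deb10u1 | fixed |
| php7.3 | buster (security) | 7.3.31-1~deb10u5 | fixed |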

The information below is based on the following data on fixed versions.

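| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libgd2 | source | jessie | 2.1.0-5+deb8u13 | | DLA-1817-1 | |
| libgd2 | source | stretch | 2.2.4-2+deb9u5 | | | |
| libgd2 | source | (unstable) | 2.2.5-5.2 | low | | 929821 |
| php5 | source | (unstable) | (unfixed) | unimportant | | |
| php7.0 | source | stretch | 7.0.33-0+deb9u5 | | DSA-4529-1 | |
| php7.0 | source | (unstable) | (unfixed) | unimportant | | |
| php7.3 | source | (unstable) | 7.3.6-1 | unimportant | | |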

Notes

Fixed in 7.1.30, 7.2.19, 7.3.6
PHP Bug: https://bugs.php.net/bug.php?id=77973
https://github.com/libgd/libgd/issues/501
https://github.com/libgd/libgd/commit/e13a342c079aeb73e31dfa19eaca119761bac3f3
